Anonymous and LulzSec get the headlines for their attacks on high-profile websites such as the CIA, but the real threat is the continuing and increasingly professional war on bank customers. Mandatory reporting of all cyber crime incidents would refocus attention, says a leading security technologist.
“It’s interesting for the media because everyone knows the CIA. It’s not interesting for the media if Mr X from down the street was compromised. No one knows about that person,” said Yuval Ben-Itzhak, chief technology officer of security software vendor AVG. “But suddenly if there are five thousand people in the city being compromised, well, that’s a story that will get the headlines. And I think it’s for the law makers to start to step forward and request reports for these cases.”
Currently only a tiny fraction of online crimes are reported. Queensland Police reckon it’d be less than 1%. “The last thing they want is the police taking their file servers away to perform a forensic analysis,” said Detective Superintendent Brian Hay last month. But it’s also because the bad guys steal relatively small amounts of money from thousands of punters at a time.
“The amount that they’re charging from your account is well-calculated to make sure it goes under the radar of the bank fraud alerting system,” Ben-Itzhak told Crikey from Prague. “The sophistication of attack and the innovation we’re seeing in cyber crime in the last few quarters definitely indicates the people behind it are professionals.”
A moment’s thought bears this out. These guys are running global networks that can automatically install malicious software on millions of people’s computers, and it works without disrupting whatever software those people are already running. That alone indicates serious clue.
And now that Apple’s OS X and iOS operating systems for Macs and iPhones/iPads respectively have reached 7% market share, the businesslike criminals have done their cost benefit analysis and are starting to expend the programming effort to target those platforms — facts borne out in the AVG Community Powered Threat Report — Q2 2011 released yesterday.
The malware itself is increasingly sophisticated. It used to be about logging your keystrokes so the crims could log into your bank account later. Now they do it all in real time.
“We’re seeing malware that can hijack your web browsing session [and] intercept the exact moment when you’re visiting your online banking,” Ben-Itzhak said. “Some versions of the software can even execute a money transfer transaction while you are interacting with your own accounts. So they don’t need to steal your username and password. You already have a valid and active session with your bank, and they can simulate clicking on the buttons.”
The funds are then fed back through a network of money mules. “They start to do some business with them, legit business, but then once they’ve got their trust they’re telling them, ‘We’re going to transfer you some money from one of our customers. Please record it in your files and then move it to another bank account somewhere else.’ So now this innocent person is working for a cyber crime organisation without even knowing.”
There’s nothing new here except that scale. Crikey reported much the same story two years ago. And except for the fact that it’s all going mobile, attacking your smartphone. But the entire problem is still seriously under-reported.
“Unlike car accidents — when you have to go to the police and report about it, so then you start to see the chart, everyone is presenting these numbers, and people worry and ask questions how to stop it — in cyber crime we’re not there yet. If you’re a victim [of] cyber crime, there’s no law that at least I’m aware of that requires you to go and report about that. We hear only of a few cases, and most of them go silent, so there’s a false belief everything is fine,” Ben-Itzhak said.