Cyber crime changing and challenging business and law enforcement
How do you investigate and prosecute a crime, currently active for over two years, that has so far involved over thirty countries and more than a hundred different banks, where not all of the money taken was technically stolen from accounts?
This is cyber crime on a massive scale; a mega-heist that has used several different methods, including hijacked CCTV systems, to execute grand scale bank theft, with staggering success. Kaspersky Labs, which identified the modus operandi of the so-called Carbanak Gang, say this is an ongoing situation and they estimate over $1bn has so far been siphoned out of these banks. You may well have read about this heist in the press already as it has been breathlessly reported globally. But I ask again, how do law enforcement agencies deal with something this intricate, convoluted and, let’s face it, successful? Cyber crime is different to traditional crime and it seems like the criminals are streets ahead and are at an advantage in many ways when it comes to investigation and prosecution.
Less of a risk than an old fashioned bank heist?
I was presenting to a room full of security professionals recently and I asked them how many years someone found guilty of walking into a bank and robbing it would expect to receive. Answers ranged from ten to twenty-five years, depending on the level of violence involved. This is a considerable risk to accept for the robbers and the reward would need to be substantial. Attacking through cyberspace offers a credible and much lower risk alternative to the classic heist as the offence would probably attract a much lower sentence. Referring again to the delegates I was talking to: between three and ten years maximum, probably biased toward the lower end. The reward is potentially even greater, as the geographical restrictions of the big prize no longer apply: as with the mega cyber-heist, the reward was in fact found in many, many locations – all of which could be attacked from anywhere in the world. So a cyber-attack becomes an increasingly attractive and cost-effective option for many criminals.
Increased attack tools, a failure to report and inconsistent investigation and prosecution – perfect storm
The proliferation of attack tools available to buy on the internet continues and organised crime has embraced many of the methods used to generate money to fund large scale, targeted attacks, such as phishing emails to scam people out of money or access their accounts in order to drain them. Again, we see the chances of them being caught or receiving a heavy sentence are small; most people handle the matter through their banks and Action Fraud. This reporting centre for fraud and cyber fraud is constantly asking people to be vigilant and report incidents.
However, the figures that came out of the ‘Cyber Crime: A Review of the Evidence’ report commissioned by the Home Office reveal that as little as 2% of cyber crime is actually reported, with most of the financial crime being handled through banks.
So the attraction of this crime expands even further; not only are criminals less likely to receive a heavy sentence (something like the Computer Misuse Act would possibly see a sentence of perhaps 3 – 5 years), but in actual fact the victims may not even bother to report it. Add to that the possibility of a much bigger haul at the end of it, such as the $1bn+ mega-heist.
Criminal + victim + location = crime scene? Nope.
In the case of this heist, the criminals used several tools to ensure the maximum result. They hijacked the CCTV and used it to monitor staff for months; not only gathering login credentials but examining their behaviour with bank systems in order to mimic them during the execution of the plan.
The access to the banking systems was via a phishing attack in tandem with the CCTV attack, the harvested credentials being used to siphon targeted accounts, artificially inflate others and then remove the inflated amounts without the account owner’s money being touched. ATMs were also hacked in order to spit cash out at designated times, straight into the waiting arms of gang members. In some cases, this was created money; a series of 0’s added by the criminals which they then managed to turn into cold hard cash via the ATMs. This is part of the difficulty in dealing with cyber crime; how do we define all of this legally?
In the times of traditional heists, the criminal, the victims and the crime were all in the same place. We knew where the crime was committed, and so jurisdictionally it was simple, legally it was simple. This is something else entirely and the crimes were committed over at least 30 countries… In this case we have money that didn’t exist being taken from accounts that are basically untouched. We don’t have global cyber crime legislation or even a common set of guidelines.
Does the crime occur where the criminal is, or where the victim is? What of the money that was conjured into existence only to be turned into cash and removed: from whom was this stolen?
Cyber security professionals, law enforcement professionals and policy and legislation setters need to be on the same page with this. It’s going to take a collaborative approach including knowledge and intelligence sharing. The criminals are way ahead of those seeking to bring them to justice and they are taking advantage of this ‘wild-west’ style cyberspace and lower penalties to absorb the risk and go for the big prizes. We need a holistic and integrated approach to managing all of our systems to make sure we are not inadvertently introducing insecure ‘back-doors’ onto our networks. We need to extend this approach across the whole of our supply chain.
In the UK we have seen some police forces introducing flagging of crimes that contain a ‘cyber’ element. This needs to be consistent across all forces, and indeed globally we need a common definition and approach to dealing with this kind of crime, or nations with a higher tolerance will soon become safe havens for these criminals.
Mike Gillespie Advent IM
A member of the Security Institute