Digital highwaymen

It might sound glamorous and hi-tech, but most cybercrime draws on age-old methods of entrapment. Peter Warren and Bobbie Johnson investigate

Technology hit the headlines for the wrong reasons again last week, as a gang of British software pirates who characterised themselves as latter-day Robin Hoods found themselves in jail. The convictions underlined the perception that cybercrime is on the up, a feeling exacerbated by a recent attempted £220m hacking raid on the Sumitomo Mitsui bank in London, which garnered Mission Impossible headlines.

But despite the Hollywood-style imagery generated by such crimes, and the fact that these offences are on the increase, not all cybercrime is as hi-tech as it might appear. When four of the pirates from the international group known as DrinkorDie were jailed for a total of seven-and-a-half years, many focused on the man who got the toughest sentence – a “City banker”. In fact, 29-year-old Alex Bell worked in the IT department of Morgan Stanley when he was arrested, but the label added a touch of glamour to what was essentially a straightforward story of fraud.

DrinkorDie had been breaking software security and circulating illegally copied programs and games – so-called “warez” – since the late 1990s. They did not profit directly from their crimes, but were driven by the thrill of piracy and anti-corporate beliefs – leading to inevitable claims that some of the members saw themselves as technological Robin Hoods.

Brought to book by Operation Blossom

It took a five-year global investigation to bring the Britons to justice, and after a five-month trial they received the toughest sentences dished out as a result of Operation Blossom.

The National High Tech Crime Unit, Britain’s cybercrime task force, hailed the judgment as a landmark. “Internet piracy is a growing problem, with organised crime moving into this space and defrauding the individual, business and governments of millions of pounds,” said detective superintendent Mick Deats, deputy head of the unit.

Although DrinkorDie was one of the biggest piracy cases the country has seen, the story was little different from the teenage hackers and bedroom crackers of yesteryear. They claimed their motivation was the thrill of cracking software.

Another recent case that attracted headlines was similarly straightforward. Two months ago, news broke of a hack that had attempted to relieve the computer systems of the Sumitomo Mitsui Bank of £220m.

According to rumours inside the computer industry, it sounded like something from a Hollywood movie: remote hackers had slipped through the Sumitomo’s hi-tech defences, placed key logging software on the bank’s workstations and tried to suck the cash away to bank accounts all over the world.

The truth, according to reliable sources, was more simple: someone had simply plugged hardware devices into the back of the PCs used by Sumitomo’s staff.

The devices, known as hardware keyloggers, cost about £20 and can be bought from spy shops. They were connected to the USB ports used to connect the computer keyboards to the PC, and this let the gang pick up the all-important passwords and other information they needed.

Attacking the weakest link

The hardware keyloggers did not try to send out any data, which could have been detected, but were taken away to be downloaded instead.

It is a far cry from the hi-tech Ocean’s Eleven heists that come to most people’s minds, and is even some distance from the puritanical outlaw cracking of DrinkorDie. But what happened at Sumitomo – and some details are still unclear – is almost a blueprint for all computer crime: go for the weakest link, keep it simple and exploit people.

“From what we see when we investigate computer crime incidents, around 85% involve an internal lapse of security,” says Simon Janes, international operations manager for computer forensics at Ibas, a Norwegian company that specialises in data recovery.

Most cybercrime is along the lines of the Sumitomo case, rather than DrinkorDie’s hi-tech codebreaking. “In most cases, there is no super clever hacker. The bread and butter computer crime always involves the human factor,” says Janes, a former sergeant from the computer crime unit of the Metropolitan Police.

He is backed up by Richard Hollis, managing director of Orthus, a company that specialises in protecting City firms. “It’s the thing my clients talk about all the time – we spend all this time and money protecting systems from outside attack … and then some guy walks off with valuable information on a memory stick.

“It’s not rocket science. If you want something that is locked up, then you have to find some way of getting access and that is normally through someone who has the key,” said Hollis. That analogy is now prevalent through all computer crime.

In the past five years, criminals have woken up to the value of technology and actively target computer systems. In the past two months, there has been a wave of attacks against databases in the US that has concentrated on stealing account information on millions of individuals, with Lexis-Nexis and the Bank of America just two of a growing list of high-profile victims.

But according to Bill Hillard, head of the intelligence division of the US computer security organisation CyberTrust, the common perception that these databases were cracked with technology is way off the mark.

“The weak link is always behind the keyboard. In the case of Lexis-Nexis, the criminals rang up the helpdesk and got information on how they did their job and who they were. Then they rang people in the organisation and pretended to be from the help desk and told them there was a problem with their accounts and asked them for their passwords and user information.”

The criminals have also realised they might have to use other more compelling methods. According to the NHTCU, some people have even been threatened with violence. Or they are snared in City bars, with criminals employing spotters to identify lonely people and talk to them to find out what they do.

In one case, criminals targeted a group of City secretaries and seduced them. Pillow talk revealed they all used passwords based on favourite tipples. Buying a round of drinks gave the gang access to the computers of a number of City companies.

You can almost imagine the glee with which the treacherous lover said: “And what are you having to drink?”, and then noted gin and tonic down next to the girl’s name and the organisation she worked for. It led the police to name the gang Whisky Soda.

For all those chuckling about such naivety, these are also the tactics aimed at home users of computers, the other weak links behind the keyboards. The technique used to obtain password and user information from the staff at Lexis-Nexis was simply a variation on phishing emails that claim to be from your bank and account for one in every 250 emails. The latest internet scourge – downloading spy programs known as Trojans on to computers of home users and small businesses – only happens because of poorly maintained computers and a lack of anti-virus software and anti-spyware programs.

If pirates such as DrinkorDie are likened to digital highwaymen, then criminals attacking the human weakness of systems are more akin to street muggers. Yet we still fail to treat them with suspicion. “I could ask someone in the street to give me their bank account details and they would refuse,” says Hillard. “Yet a lot of people at home have online access to their bank accounts but take little action to protect the information that gives them access to those accounts.”

The cybercriminals behind these social engineering deceptions might have more illicit methods and shadowy motives than their pirate counterparts, but experts are quick to point out that stealing is stealing.

“Organised criminals thought they could get around the law,” says one investigator for the Business Software Alliance, who wishes to remain anonymous. “They’ve never really had a deterrent but now, hopefully, they’ll start to think. But there need to be more resources.”

Indeed, while the DrinkorDie prosecutions have been a qualified success for Britain’s hi-tech police, bringing the Sumitomo hackers to justice has been less successful.

The cybercriminal fraternity, operating over the internet and across borders, often relies on the lack of international relations and weak extradition treaties to protect high-level operatives. The increasing interest in technological fraud from organised crime – with its tried and tested experience of evading the ever-shortening arm of the law – has allowed many to get off the hook.

“There is massive cooperation,” says Felicity Bull of the NHTCU. “We work all the time with law enforcement colleagues – practically every day. Over time more countries have developed hi-tech crime units, and have started coming to us for advice.”

But bringing criminals to justice can be tough – especially in areas of the world where cybercrime is low on the list of priorities. “We work very hard,” says Bull. “But ultimately the problem is that internet crime is perceived as low risk and high reward.”

Perhaps that is all the glamour the criminals need.