Digital highwaymen
Written by Peter Warren
Thursday, 12 May 2005
It might sound glamorous and hi-tech, but most cybercrime draws on
age-old methods of entrapment. Peter Warren and Bobbie Johnson
investigate
Thursday May 12, 2005
The Guardian
Technology hit the headlines for the wrong reasons again last week, as
a gang of British software pirates who characterised themselves as
latter-day Robin Hoods found themselves in jail. The convictions
underlined the perception that cybercrime is on the up, a feeling
exacerbated by a recent attempted £220m hacking raid on the Sumitomo
Mitsui bank in London, which garnered Mission Impossible headlines. But
despite the Hollywood-style imagery generated by such crimes, and the
fact that these offences are on the increase, not all of it is as
hi-tech as it might appear.
When four of the pirates from the international group known as
DrinkorDie were jailed for a total of seven-and-a-half years, many
focused on the man who got the toughest sentence - a "City banker". In
fact, 29-year-old Alex Bell worked in the IT department of Morgan
Stanley when he was arrested, but it added a touch of glamour to what
was essentially a straightforward story of fraud.
DrinkorDie had been breaking software security and circulating
illegally copied programmes and games - so-called "warez" - since the
late 1990s. They did not profit directly from their crimes, but were
driven by the thrill of piracy and anti-corporate beliefs - leading to
inevitable claims that some of the members saw themselves as
technological Robin Hoods.
It took a five-year global investigation to bring the Britons to
justice and after a five-month trial, they received the toughest
sentences dished out as a result of Operation Blossom.
The National High Tech Crime Unit, Britain's cybercrime task force,
hailed the judgment as a landmark. "Internet piracy is a growing
problem, with organised crime moving into this space and defrauding
the individual, business and governments of millions of pounds," said
detective superintendent Mick Deats, deputy head of the unit.
Although DrinkorDie was one of the biggest piracy cases the country has
seen, the story was little different from the teenage hackers and
bedroom crackers of yesteryear. They claimed their motivation was the
thrill of cracking software.
Another recent case that attracted headlines was similarly
straightforward. Two months ago, news broke of a hack that had
attempted to relieve the computer systems of the Sumitomo Mitsui Bank
of £220m.
According to rumours inside the computer industry, it sounded like
something from a Hollywood movie: remote hackers had slipped through
Sumitomo's hi-tech defences, placed keylogging software on the
bank's workstations and tried to suck the cash away to bank accounts
all over the world.
The truth, according to reliable sources, was simpler: someone had
simply plugged hardware devices into the back of the PCs used by
Sumitomo's staff.
The devices, known as hardware keyloggers, cost about £20 and can be
bought from spy shops. They were connected to the USB ports used to
connect the computer keyboards to the PC, and this let the gang pick up
the all-important passwords and other information they needed.
The hardware keyloggers did not try to send out any data, which could
have been detected, but were taken away to be downloaded instead.
It is a far cry from the hi-tech Ocean's Eleven heists that come to
most people's minds, and is even some distance from the puritanical
outlaw cracking of DrinkorDie. But what happened at Sumitomo - and some
details are still unclear - is almost a blueprint for all computer
crime: go for the weakest link, keep it simple and exploit people.
"From what we see when we investigate computer crime incidents, around
85% involve an internal lapse of security," says Simon Janes,
international operations manager for computer forensics at Ibas, a
Norwegian company that specialises in data recovery.
Most cybercrime is along the lines of the Sumitomo case, rather than
DrinkorDie's hi-tech codebreaking. "In most cases, there is no super
clever hacker. The bread and butter computer crime always involves the
human factor," says Janes, a former sergeant from the computer crime
unit of the Metropolitan Police.
He is backed up by Richard Hollis, managing director of Orthus, a
company that specialises in protecting City firms. "It's the thing my
clients ***** about all the time - we spend all this time and money
protecting systems from outside attack ... and then some guy walks off
with valuable information on a memory stick.
"It's not rocket science. If you want something that is locked up, then
you have to find some way of getting access and that is normally
through someone who has the key," said Hollis. That analogy is now
prevalent through all computer crime.
In the past five years, criminals have woken up to the value of
technology and actively target computer systems. In the past two
months, there has been a wave of attacks against databases in the US
that has concentrated on stealing account information on millions of
individuals, with Lexis-Nexis and the Bank of America just two of a
growing list of high-profile victims.
But according to Bill Hillard, head of the intelligence division of the
US computer security organisation CyberTrust, the common perception
that these databases were cracked with technology is way off the mark.
"The weak link is always behind the keyboard. In the case of
Lexis-Nexis, the criminals rang up the helpdesk and got information on
how they did their job and who they were. Then they rang people in the
organisation and pretended to be from the help desk and told them there
was a problem with their accounts and asked them for their passwords
and user information."
The criminals have also realised they might have to use other more
compelling methods. According to the NHTCU, some people have even been
threatened with violence. Or they are snared in City bars, with
criminals employing spotters to identify lonely people and talk to them
to find out what they do.
In one case, criminals targeted a group of City secretaries and seduced
them. Pillow talk revealed they all used passwords based on favourite
tipples. Buying a round of drinks gave the gang access to the computers
of a number of City companies.
You can almost imagine the glee with which the treacherous lover said:
"And what are you having to drink?", and then noted gin and tonic down
next to the girl's name and the organisation she worked for. It led the
police to name the gang Whisky Soda.
For all those chuckling about such naivety, these are also the tactics
aimed at home users of computers, the other weak links behind the
keyboards. The technique used to obtain password and user information
from the staff at Lexis-Nexis was simply a variation on phishing emails
that claim to be from your bank and account for one in every 250
emails. The latest internet scourge - downloading spy programs known as
Trojans on to computers of home users and small businesses - only
happens because of poorly maintained computers and a lack of anti-virus
software and anti-spyware programs.
If pirates such as DrinkorDie are likened to digital highwaymen, then
criminals attacking the human weakness of systems are more akin to
street muggers. Yet we still fail to treat them with suspicion. "I
could ask someone in the street to give me their bank account details
and they would refuse," says Hillard. "Yet a lot of people at home have
online access to their bank accounts but take little action to protect
the information that gives them access to those accounts."
The cybercriminals behind these social engineering deceptions might
have more illicit methods and shadowy motives than their pirate
counterparts, but experts are quick to point out that stealing is
stealing.
"Organised criminals thought they could get around the law," says one
investigator for the Business Software Alliance, who wishes to remain
anonymous. "They've never really had a deterrent but now, hopefully,
they'll start to think. But there need to be more resources."
Indeed, while the DrinkorDie prosecutions have been a qualified success
for Britain's hi-tech police, bringing the Sumitomo hackers to justice
has been less successful.
The cybercriminal fraternity, operating over the internet and across
borders, often relies on the lack of international relations and weak
extradition treaties to protect high-level operatives. The increasing
interest in technological fraud from organised crime - with its tried
and tested experience of evading the ever-shortening arm of the law -
has allowed many to get off the hook.
"There is massive cooperation," says Felicity Bull of the NHTCU. "We
work all the time with law enforcement colleagues - practically every
day. Over time more countries have developed hi-tech crime units, and
have started coming to us for advice."
But bringing criminals to justice can be tough - especially in areas of
the world where cybercrime is low on the list of priorities. "We work
very hard," says Bull. "But ultimately the problem is that internet
crime is perceived as low risk and high reward."
Perhaps that is all the glamour the criminals need.