"Largest" Organized E-Crime Operation Unearthed

Websites that have been compromised are spread across virtually every segment, including governments and Fortune 500 companies, universities, news and other information websites, several unnamed weapons manufacturers, and obviously e-commerce sites.

If you thought you were the only one working on your personal computer while connected to the Internet, think again. The recent uncovering of possibly the biggest organized e-crime operation has revealed that the Internet is strewn with websites containing malicious programs that attack unsuspecting users' PCs, snooping and stealing information.

Even more alarming is the fact that the websites compromised to unknowingly harbor such programs include some of the most commonly visited websites, attracting a huge number of unsuspecting visitors every day.

Early in October, Aladdin Knowledge Systems Inc., an Israel-based information security company, revealed that several criminal gangs had hacked into 200,000 servers and more than 80,000 legitimate websites to steal the administrative log-in credentials (a combination of username, password and the server address). This would allow the gangs to modify those websites with malicious code. Each time users visit those websites, this code would penetrate their computers to steal personal information and relay it back to the criminals over the Internet.

The websites that have been compromised are spread across virtually every segment, including governments and Fortune 500 companies, universities, news and other information websites, several unnamed weapons manufacturers, and obviously e-commerce sites. For instance, according to Ian Amit, director of security research at Aladdin, who made this stunning discovery, websites like USPS (the US Postal Service, although USPS denies that breach), BBC (British Broadcasting Corporation), the University of Bradford and a travel agency, easytravelgroup.co.uk, were compromised, although many such sites have subsequently been "cleaned."

Amit, who stumbled upon this unbelievable discovery while researching notorious hacking software (Neosploit), says, "We are uncovering what is likely one of the largest single organized e-crime operations, which is managed just like a business."

He says that the whole operation, part of a huge plot, is conducted from just one server, which functions on the SaaS (software-as-a-service) model. Using various hacking tools, the server looks for websites and servers with loopholes in order to implant its malicious code and steal or gather information such as corporate financial data, credit card details, bank account details, passwords and the like.

Access to that server is restricted to just a few IP addresses (barring Amit, who managed to infiltrate it), which led him to believe that just a few gangs -- "possibly three," he says -- are involved in that operation.

Amit was reluctant to reveal details such as the affected websites and servers, as well as the details of the criminal gangs and the e-crime websites and servers he has chanced upon. "Governments and law enforcement officials around the world, as well as the FBI, are investigating the criminal servers and the affected websites. Revealing sensitive details could jeopardize those efforts," he says.

One of the most interesting things about this discovery, he adds, is how e-crime has developed. "The e-crime economy has evolved to an economy that is similar to the standard economy," he says. "Although it is hard to measure the size and impact of such a business (it is rarely accounted for in normal economical measurements such as GDP, etc.) it drives a lot of revenue. The business force driving e-crime has generated enough momentum for it to spur a whole economy around it; from software suppliers, through distribution models involving legitimate sites, to the geographical control over the attacks."

Indeed, from its origins as niche criminal operations just three years back, peddling dubious medications and knock-off luxury goods through spam emails, e-crime has evolved into a highly profitable and sophisticated business these days. There are now numerous unscrupulous software vendors who provide packages and services to cyber crime operations for a growing number of criminal groups.

Moreover, while e-crime was once restricted to just some parts of the world, it now spans countries and continents and is agile enough to move around the world successfully.

Even so, the moot question is how e-crime is thriving despite expanding policing efforts. After all, the global fight against e-crime has also grown in line with the growth of the Internet. Yet, says Amit, "Using advanced technologies like obfuscation and putting in more time and effort than the people who are fighting it, e-crime always manages to stay ahead of defenses."

A big reason is the obvious one: commercial activities like money transfers and commerce over the Internet are growing by leaps and bounds. Criminals have realized that it is an easy platform to get money out of, say experts.

But the biggest reason may be you, if you are an unsuspecting home user. "The fact is that home users that are increasingly using the Internet for commerce are not aware of the extent of dangers lurking on the Internet," says a security specialist at GOVCERT.NL, the Computer Emergency Response Team for the Dutch Government that is helping governments around the world and is working with Amit to crack organized e-crime.

"Few users take adequate precautions and consequently get their system infected with spyware that manages to steal credentials," he adds. "There's a whole economy thriving on snooping into home users' computers, mostly through botnets. A bot herder might use the credit card numbers gathered from a botnet and sell the other information, like passwords or bank accounts, to others."

Experts add that since the Internet has no boundaries, e-criminals constantly change their tactics and methods, and they move out and set up base in another country whenever the going gets tough in one country. The server that Amit discovered, for instance, was initially located in Argentina, but it has now moved to a location in the USA, targeting primarily US and Western European websites.

"E-crime is proving that given the right business model and a reasonable return in investments, technology and methods will be developed to support it," says Amit.

This is why, feels the security specialist at GOVCERT.NL, more and better international cooperation, especially on the legal and policy side, is necessary to trace, pull in and try e-criminals.

"Every country has their own police forces, own laws and rules, and different priorities of tackling e-crime. If one law enforcement agency in one country wants to get someone busted in another country, there are several sensitive issues that get in the way. And often a pursuit ends up in a country where e-crime is way down as a priority or where there simply are no laws to deal with e-crime," he says. "The solution lies in more cooperation internationally, through agencies like Interpol as well as the Computer Emergency Response Team-community, which can be of great help."

The other solution is to create more awareness among home users. "They are in charge of their own computers. They should install security tools such as anti-virus, spam filters and spyware and the like," he adds.

Nevertheless, according to Amit, besides revealing the existence of massive organized e-crime operations, the discovery of the server has also given Aladdin and the e-crime fighters insight into how e-crime business models actually work.

"We are trying to understand and go behind the scenes of e-crime; learn the tools and methodology," says Amit. "This means that instead of waiting for new threats to emerge and then try to stop them, we can offer protection that is a step ahead of the criminals. Through an understanding of the business of e-crime, we can mitigate the threat and break the cat and mouse cycle of signatures and patches."


Indrajit Basu is the international correspondent for Government Technology's Digital Communities.

Photo by Salim Virji. Creative Commons Licence Attribution-Share Alike 2.0 Generic