Extortion, damage to reputation, fraud, service disruption and information theft are all growing categories of cybercrime that are costing companies more money each year - while at the same time eroding confidence in the online environment.
"Ten years ago, they were amateurs. Now they are professionals who stay on top of their game," says James Lewis, director of the technology and public policy program at the Centre for Strategic and International Studies in Washington, D.C.
"Cybercrime is a risk for companies and consumers, and we're having a hard time getting a handle on it."
Lewis is the author of a report on virtual crime that was commissioned by intrusion prevention software and security risk management firm McAfee, Inc. It was released early this month in Toronto. Lewis says 69 per cent of Internet activity now involves acts of criminal intent and that there are online communities that use chatrooms and websites to share tips and rent malicious software tools, known as malware, or hire skilled criminals. The low cost and low risk of cybercrime have made it attractive.
"There is a very active criminal culture located on the Internet with people exchanging sophisticated tools and information. It's no longer two kids in a garage in California. It's now professionals for profit," he says.
Information theft is the most damaging category of Internet crime, although viruses have been costly for businesses. The report cites an FBI estimate of $400 billion US as the cost of cybercrime in 2004.
Even though there has been only one virus alert so far this year, compared with 30 medium and high virus alerts at this time last year, businesses should still be on guard, Lewis says. Businesses are targeted by criminals looking to steal identities by extracting personal identification information or credit information from a company's database.
Cybercriminals will also try to extract a company's own financial information or steal valuable intellectual property.
"Damage to a company's reputation can cost thousands or millions of dollars in lost sales. The Internet's a real boon to industrial espionage," Lewis says. A company in Israel was recently discovered to have hired hackers to obtain a competitor's sales records and client information.
The goal of many cyber-criminals, however, is to infect thousands of computers with worms or viruses and turn them into what is known as a bot-network, whose machines can then be used to attack other devices in unison on command.
Some bot-net owners rent their networks for $200 to $300 an hour, Lewis says. The networks are then used to execute distributed denial of service attacks, as well as spam and phishing scams, which makes them the growing weapon of choice for fraud and extortion.
In a separate report, released July 11, McAfee says the number of bot-related cases increased to about 13,000 in the second quarter of 2005 from about 3,000 in the first quarter. Lewis says cyberthreats to businesses and consumers can be compared to physical crimes such as extortion rackets. "Today, organized criminals try to force e-businesses to pay a ransom to protect online shops from online denial of service attacks."
Instead of robbing a bank and escaping in a getaway car, hackers break into a bank's computer system and transfer money over electronic payment systems.
Telephone scams where criminals call victims and ask for their credit card number, security details or passwords have been replaced by phishing - using spoof e-mails or fake websites to get victims to provide personal and credit information.
Such social engineering crimes are very effective since "five out of 10 people will give information that will give someone access to their computer," Lewis says.
Lewis calls phishing "the cybercrime du jour" because it is a low-cost, low-risk crime. He adds that it costs criminals virtually nothing to send out hundreds or thousands of e-mails, and even a low response rate can guarantee a profit.
"We've seen cases of companies hiring cybercriminals to disrupt competitors' (e-commerce) sites," Lewis says. "It's surprisingly easy to do."
Lewis adds it's tough to catch these criminals because they are good at what they do. "Hackers and crackers are a community as skilled in programming as anyone in the world."
He says there are several other reasons, too.
* They do not have to be physically present at the scene to commit the crime.
* They have an online community that comes together as needed on a specific project. "Moving a website from one location to another is comparatively easy to do."
* There is cross-border activity because bureaucracies, permissions and approvals between countries are not at the Internet speed they need to be.
* It is hard to collect evidence. "It could be stored on servers all over the world. Digital evidence is fragile and transitory and pre-digital techniques for evidence collection are often ineffective."
* The crime may be carried out automatically at high speed and involve a large number of victims at the same time.
* Corporate victims often do not report security breaches, preferring to absorb losses rather than admit they have been hacked.
Lewis expects the opportunities for cybercriminals will be narrowed by increased funding for law enforcement, including training in cyberforensics, improved vehicles for international co-operation to create national points of contact for cybercrime, and effective national laws modeled on the Council of Europe Cybercrime Treaty.
Jimmy Kuo, who is a member of the McAfee Anti-Virus Emergency Response Team (AVERT), finds hope in a new law in the United Kingdom that assigns a 10-year prison sentence for the possession of spyware or phishing software.
Kuo, who estimates that roughly 85 per cent of malware today is for profit, says three years ago AVERT detected 300 new malware programs each month. It now charts 2,000 new malware programs monthly.
Lewis and Kuo both say VoIP will eventually offer opportunities for cybercrime. One reason is that the new phone technology makes tracking callers more difficult because the phone can have a different area code from the one for its physical location.
"Computer criminals will look for ways to attack anything publicly accessible," Kuo says.
"Use a router to give your hardware an outer shell. At the PC level, use anti-virus, anti-spam, personal firewall software," he says. "Put monitors in your network to know exactly what information was stolen and which people to contact in the event customer data is compromised."
Lewis says to encrypt e-mail, especially if it contains proprietary information.
(Susan Maclean can be reached at email@example.com)