You are currently viewing the printable version of this article, to return to the normal page, please click here.

Brazen gangsters show how cybercrime pays

- The Washington Times - Wednesday, October 24, 2012

A Russian cybergangster who openly tried to recruit a hacker army for an online crime spree against U.S. banks and their customers posted a Web video of himself showing off luxury cars, a newly built suburban home and other ill-gotten gains, all the while boasting that he is untouchable.

He also has claimed to have drained $5 million from U.S. banks through his online crime spree.

The bizarre video highlights the growing audacity and brazenness of Internet criminals based abroad but targeting bank customers and businesses in the United States.

The FBI is investigating about 230 cases of electronic fraud against U.S. banks involving the attempted theft of more than $255 million and the actual loss of about $85 million, spokeswoman Jenny Shearer said.

She declined to comment on the gangster's claims, but security specialists say top cybercriminals can reap up to $150,000 a month and face little risk of arrest.

"If you accurately target [bank] customers in the USA while being in Russia then you can fear nothing while living in your country," wrote the gangster, who uses the online alias "vorVzakone."

His nickname is a Russian slang word literally meaning "Thief-in-Law" but also implying untouchability and perhaps better translated as "Made Man" or "Mafia Don."

In a post last month on a Russian-language private Internet forum for cybercriminals, vorVzakone said he is trying to recruit 100 partners for an online crime wave he called Project Blitzkrieg.

Applicants who passed online interviews would get copies of a special crimeware package, he said. They also would get instructions on how to use the package to take over and drain accounts at 30 U.S. banks.

Crimeware packages are specially written malicious software programs that can infect computers through email or the Internet and allow hackers to steal personal identities, bank accounts and private data.

"Since 2008 by using this product not less than $5m was transferred just by one team," vorVzakone wrote, although some security analysts were skeptical about this figure.

Project Blitzkrieg was first highlighted this month by researchers at the security firm RSA, who dubbed the crimeware package "Gozi Prinimalka."

"This is the first time we've seen a cybergang reach out" to try to recruit cybercriminals online, said Mor Ahuvia, a cybercrime specialist at RSA. "That's what makes this special."

The aim is to set up "hacking cells" financed by individual investors who pay thousands of dollars for the crimeware they need, she said, calling the pitch a form of cybercrime "network marketing."

His efforts to recruit a cybergang highlight the extent to which criminal activities online have been commercialized with crimeware packages for sale to anyone who can use a computer.

"Everything is for sale" on the crime forums, said Derek Manky, a senior security strategist at computer security firm Fortinet Inc.

He said even money-laundering and encryption-cracking services are now available online, as well as the established trade in crimeware products such as Trojan Horse programs.

A Trojan Horse is a piece of software that downloads itself onto a computer from an email attachment or an infected Web page, allowing the hacker who planted it to surreptitiously take control of the infected computer.

The programs for sale on underground websites provide a graphical user interface, or on-screen control panel, just like an anti-virus or other legitimate software package, so anyone can use them, Mr. Manky said.

So sophisticated were the vendors of these crimeware programs that they engaged in turf wars with one another, he said. Some crimeware cleaned computers infected by competitors, he said.

In banking fraud, cybercriminals use the Trojan Horse infection to install a program known as a key-logger that steals IDs and password information for online bank accounts. They use that data to log onto a victim's bank account and steal money.

This crime, known as account takeover, can be especially devastating for small businesses. Personal account holders are protected from liability by federal regulation and good banking practice if they report fraud in a timely fashion.

But businesses are legally required to employ "commercially reasonable" security measures and can be liable for losses if the programs fail.

Estimates of the cost of online banking fraud vary, and many are produced by computer security companies or others seen as having a vested interest in exaggerating the problem.

A report by defense contractor Detica for the British government last year was the subject of widespread skepticism after it estimated that cybercrime cost Britain more than $40 billion a year, or nearly 2 percent of the country's entire economy.

In response, a group of cybersecurity academics from Cambridge University this year published what they said was a more rigorous and conservative estimate of some cybercrime costs.

The Cambridge group concluded that the direct costs of account-takeover crime through malware and email was about $690 million a year globally – and probably $26 million in Britain.

Banks worldwide spend about $1 billion a year on technical measures to defeat cybercrime, while law enforcement agencies spend about $400 million to track down and prosecute cybercriminals.

A survey by the American Bankers Association last year revealed that the costs of electronic bank fraud in 2010 for the first time exceeded the costs of check fraud and other illegal paper transactions.

More than 90 percent of U.S. banks experienced debit-card losses that year, totaling nearly $1 billion, the survey found.

The report said paper-based fraud amounted to less than $800 million in losses.

Although it did not break out the costs of online crime from other kinds of digital fraud, the survey did report that "the proportion of online banking customers affected by fraud remained low," less than one-tenth of 1 percent.

"It's important for consumers to be aware that these threats exist but also that there are ways they can protect themselves" said Douglas Johnson, vice president for risk management at the bankers association.

When the association began surveying account fraud in 1997, banks were stopping $2 of fraud for every dollar that was successfully stolen.

"In 2011, that figure was $10 for every dollar that went out the door," Mr. Johnson said.

© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.