Sunday, December 02, 2007

Are criminal to criminal (C2C) networks making cyber crime too easy?

With the FBI's announcement of Operation Bot Roast II detailing the arrests of several bot-herders infecting computer systems on an international basis, it's become apparent that a lot of crime is going on with the click of a mouse.

One of the more amazing revelations to come forward from Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder whether our young people are getting smarter, or whether cyber crime is getting a lot easier to commit.

I ran into an article from ZDNet entitled "The new battleground in cyber crime." It covered a lot of things I already knew, but perhaps it hits on the reason cyber crime is growing at an explosive rate.

From the article written by Yuval Ben-Itzhak (originally published on News.com):

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.

The criminal to criminal (C2C) business model was a new term for me, but after thinking about it, it describes exactly what we keep hearing is going on out there.

Yuval made another statement in his article, which is something I've tried to point out numerous times:

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

When I say I've tried to point this thought out before, it was in reference to all the data breaches we see in the news. Once a data breach becomes transparent, the information probably isn't of very much use in the C2C business model anymore.

Maybe that is why, after a data breach, we rarely see anyone get caught using the information?

If this is true, the more we can monitor the C2C business model in real time, the more effective we will be in attacking the criminals behind it?

While investing a lot of resources dealing with the data breaches is probably necessary, it does little to solve the overall problem. The statistics are that once a data breach becomes transparent, the information rarely gets used, if at all.

With litigation arising from some of these data breaches, the cost of revealing one is also becoming cumbersome. I wonder what would happen if we started spending more money up front going after what is going on right now? We might spend a lot less money cleaning up the mess after the fact.

Unfortunately, the monetary resources allocated by most organizations to fight cyber, financial and information crime are often considered a necessary evil. The result is that the people dedicated to protecting us from these types of crimes are often some pretty over-worked individuals.

Please note that this is true in both the private and public sectors.

Couple this with certain marketing practices that make committing some of these crimes fairly easy, and it's no wonder we are facing an ever-growing problem.

Perhaps we should start rethinking how we go after this problem?

Yuval's article (which I consider an interesting read) can be seen here.

Some of the reference material he used in writing his article came from the security research people at Finjan. The interesting information in this report is available on the Internet, and can be seen by linking here.
