Anonymous and LulzSec get the headlines for their attacks on high-profile websites such as the CIA, but the real threat is the continuing and increasingly professional war on bank customers. Mandatory reporting of all cyber crime incidents would refocus attention, says a leading security technologist.
“It’s interesting for the media because everyone knows the CIA. It’s not interesting for the media if Mr X from down the street was compromised. No one knows about that person,” said Yuval Ben-Itzhak, chief technology officer of security software vendor AVG. “But suddenly if there are five thousand people in the city being compromised, well, that’s a story that will get the headlines. And I think it’s for the law makers to start to step forward and request reports for these cases.”
Currently only a tiny fraction of online crimes are reported. Queensland Police reckon it’d be less than 1%. “The last thing they want is the police taking their file servers away to perform a forensic analysis,” said Detective Superintendent Brian Hay last month. But it’s also because the bad guys steal relatively small amounts of money from thousands of punters at a time.
“The amount that they’re charging from your account is well-calculated to make sure it goes under the radar of the bank fraud alerting system,” Ben-Itzhak told Crikey from Prague. “The sophistication of attack and the innovation we’re seeing in cyber crime in the last few quarters definitely indicates the people behind it are professionals.”
A moment’s thought bears this out. These guys are running global networks that can automatically install malicious software on millions of people’s computers, and it works without disrupting whatever software those people are already running. That alone indicates serious clue.
And now that Apple’s OS X and iOS operating systems for Macs and iPhones/iPads respectively have reached 7% market share, the businesslike criminals have done their cost-benefit analysis and are starting to expend the programming effort to target those platforms — facts borne out in the AVG Community Powered Threat Report — Q2 2011 released yesterday.
The malware itself is increasingly sophisticated. It used to be about logging your keystrokes so the crims could log into your bank account later. Now they do it all in real time.
“We’re seeing malware that can hijack your web browsing session [and] intercept the exact moment when you’re visiting your online banking,” Ben-Itzhak said. “Some versions of the software can even execute a money transfer transaction while you are interacting with your own accounts. So they don’t need to steal your username and password. You already have a valid and active session with your bank, and they can simulate clicking on the buttons.”
The funds are then fed back through a network of money mules. “They start to do some business with them, legit business, but then once they’ve got their trust they’re telling them, ‘We’re going to transfer you some money from one of our customers. Please record it in your files and then move it to another bank account somewhere else.’ So now this innocent person is working for a cyber crime organisation without even knowing.”
There’s nothing new here except that scale. Crikey reported much the same story two years ago. And except for the fact that it’s all going mobile, attacking your smartphone. But the entire problem is still seriously under-reported.
“Unlike car accidents — when you have to go to the police and report about it, so then you start to see the chart, everyone is presenting these numbers, and people worry and ask questions how to stop it — in cyber crime we’re not there yet. If you’re a victim [of] cyber crime, there’s no law that at least I’m aware of that requires you to go and report about that. We hear only of a few cases, and most of them go silent, so there’s a false belief everything is fine,” Ben-Itzhak said.
As much as the PC community is enjoying a Nelson Muntz-style ‘AH-ha’ at the expense of Mac users re a rise in malware directed at the platform right now, AVG’s analysis is a bit confused:
“For Mac users, it is a good time for a re-think. Their devices were “secure” as long as the market share was way below the Windows OS market share. However, with the exponential growth of iOS market share resulting from the popularity of the iPhone & iPad. They are appearing on the criminal’s radar and should expect to find that your devices are not as secure as they might think.”
Given the malware described, a sham anti-virus program, targets the user (by tricking them into consciously downloading the rogue software) and not the OS, this is hardly proof of innate insecurity. Furthermore, claims to superior security of the MacOS rest on more than just low market share. Malware that succeeded in subverting the OS would indeed damage the Mac reputation for security, but this rogue AV software was not it.
Great intro to the topic. Pls Crikey, let’s keep a keen eye on this one!
I was bemused by an ABC radio news item on cyber theft that one of the most common passwords, after ABC123 and similar puzzlers, was “Seinfeld”!
Why would that be? PCs barely existed when that show was in its heyday and certainly never featured in any story line that I recall.
@Anelie Crighton: Whether a particular platform is more or less innately secure is a different issue from whether it’s being actively targeted by criminals or not.
Personally I reckon that most of the “platform X is more secure than platform Y” arguments are pointless. Yes, some platforms have more flaws than others, or deep structural issues that can make them more vulnerable — yes, I’m looking at you, Windows — but that all becomes a moot point when the bad guys are using social engineering tricks to persuade the user to click the “OK” button to bypass security. Game over.
The human is the weakest link in the chain, and always will be. And that really doesn’t vary by platform.
@AR: Buggered if I know. Seinfeld was hugely popular, though, and maybe it’s an artefact of the specific password list that was being analysed.