The Big Ring

Good piece today by my WSJ colleague Cassell Bryan-Low on the Douglas Havard case which I mentioned a week or so back: As Identity Theft Moves Online, Crime Rings Mimic Big Business (subscription only, I suspect):

Most identity theft still occurs offline, through stolen cards or rings of rogue waiters and shop clerks in cahoots with credit-card forgers. But as Carderplanet shows, the Web offers criminals more efficient tools to harvest personal data and to communicate easily with large groups on multiple continents. The big change behind the expansion of identity theft, law-enforcement agencies say, is the growth of online scams.

Police are finding well-run, hierarchical groups that are structured like businesses. With names such as Carderplanet, Darkprofits and Shadowcrew, these sites act as online bazaars for stolen personal information. The sites are often password-protected and ask new members to prove their criminal credentials by offering samples of stolen data.

Shadowcrew members stole more than $4 million between August 2002 and October 2004, according to an indictment of 19 of the site’s members returned last October by a federal grand jury in Newark, N.J. The organization comprised some 4,000 members who traded at least 1.5 million stolen credit-card numbers, the indictment says.

The organizations often are dominated by Eastern European and Russian members. With their abundance of technical skills and dearth of jobs, police say, those countries provide a rich breeding ground for identity thieves. One of Carderplanet’s founders was an accomplished Ukrainian hacker who went by the online alias “Script,” a law-enforcement official says. As with many of its peers, the Carderplanet site was mainly in Russian but had a dedicated forum for English speakers.

Well worth a read as it details how Havard’s UK operation worked.

Is The West Under Attack?

Trying to make some sense of the announcement (PDF) last week by Britain’s secretive National Infrastructure Security Coordination Centre (NISCC) that

Parts of the UK’s Critical National Infrastructure (CNI) are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central Government, other UK organisations, companies and individuals are also at risk.

The press release makes several points:

  • Not new, just newly publicised: These attacks have been underway “for a significant period of time” (grammar not being the NISCC’s strong point, apparently);
  • Not vanilla phishing: These attacks are separate from industrial espionage and phishing attacks: “the attackers are specifically targeting governmental and commercial organisations”;
  • The bad guys are in Asia: The attacks seem to be coming from “the Far East”;
  • After information: According to the NISCC, “the covert gathering and transmitting of otherwise privileged information is a principal goal. The attacks normally focus on individuals who have jobs working with commercially or economically sensitive data.”;
  • They’re not script kiddies: The attackers are sophisticated and focused, using email lists to target people with similar interests and are able to use newly available files as part of social engineering tricks to entice recipients to open the embedded trojans.

But we’re still a bit in the dark about much of this. Who, for example, is behind it? Quite a few experts have been wheeled out to point out who the culprits may be:

“To have achieved what this gang are doing then it either has to be state-sponsored or the highest level of organised crime,” said Dr Andrew Blyth, head of Glamorgan University’s Computer Forensics Department, who has worked with the UK’s law enforcement agencies to develop technology to combat high-tech crime.

But not everyone thinks this is some massive government-level conspiracy:

Sophos security consultant Carole Theriault didn’t confirm the NISCC’s suspicion that the attack was an organized effort. “From the Trojans themselves there’s nothing to suggest that they’re any part of a real campaign,” she told Information Week. “It’s possible that what the NISCC is seeing is just a lot of Trojans that hit agencies in a lot of different ways.”

This is significant, since Theriault and Sophos were brought in to help NISCC analyse the attacks, so they have more knowledge than most and would, one might expect, fall in behind the NISCC view of things. Sophos acknowledges the problem has been getting worse — it says it “has seen a threefold increase in the number of keylogging Trojans alone in the last year” — but suggests that the malicious code is not so much espionage as pure financial theft: “Malicious code is increasingly being written not just to cause a nuisance, but to steal money – whether targeting individual users of online banking or massive global corporations and government institutions,” the press release quotes Theriault as saying.

Interestingly, my colleagues at the WSJ have taken a thorough look at the report and its broader implications. In a piece that appears in Monday’s WSJ (not yet available online), Cassell Bryan-Low quotes authorities as saying:

The problem appears to be more widespread than the U.K. government initially indicated. The attacks started at least two years ago and have targeted institutions in the U.S., Canada and Australia, among dozens of other countries, authorities say.

It also quotes an unidentified law enforcement official as pointing the finger in a way that no other story seems to actually do:

U.S. institutions have suffered similar attacks for at least a couple of years, and investigators suspect that the hacking is coming mostly from computers in China, according to a law-enforcement official. Hundreds of U.S. institutions have been targeted, this official said. Many of the targets are involved in technology research and development but also include financial institutions, he said. Government agencies and suppliers, such as defense contractors, were also targeted, he added.

Of course, just because the computers are in China doesn’t mean that the Chinese government, or even groups in China, are behind the attack, since China’s vast network of unsecured computers is one of the biggest conduits for spam and other sleazeware. But it doesn’t take a genius to draw the conclusion that if the attacks are sourced from the ‘Far East’, then China stands out among the possible culprits. So why has the NISCC chosen to release this warning now? And what happens next?