Prevention and Defense
By Deborah Gage | Posted 2005-03-07
Crime is now organized on the Internet. Operating in the anonymity of cyberspace, the Shadowcrew and Web mobs like it threaten the trust companies have spent years trying to build with customers online.
Shadowcrew may have been well organized, but it was neither the most skilled nor the most dangerous of the Web mobs.
John Pironti, a security analyst with Unisys, the $5.8 billion computer and services provider, calls the Shadowcrew "a mid-tier player ... whose bark is worse than its bite." Russian criminals, by comparison, managed to roam around for up to five years inside the computer systems of Citibank during the 1990s, Pironti says.
But the ease with which groups like Shadowcrew and Stealthdivision appear and disappear threatens businesses already scrambling to secure their networks from spyware and phishing attacks.
Countries in Eastern Europe, for example, offer an endless supply of technically skilled people who are unemployed and need money, which creates a big challenge for the Secret Service. Such countries may have underdeveloped legal structures or lack treaties with the U.S.
And, notes Jody Westby of PricewaterhouseCoopers, they have little interest in helping a country as rich as the U.S. stop cybercrime if their own people are underfed or underemployed.
The markets for the type of information collected by Shadowcrew have grown more sophisticated just in the last six months, notes John Watters, CEO of the security consultant iDefense. Prices are now differentiated based on the security of the country where the credit card was stolen, the issuer of the credit card and the owner of the bank account in question.
"They'll pay more for a product where they think they can get a higher margin," he says.
Meanwhile, the electronic infrastructure that could help catch Web mobsters does not yet exist. Technology experts such as Jevans of the Anti-Phishing Working Group call for better filtering and authentication schemes to identify the true senders of e-mails. They want a standardized way of reporting attacks to both companies and law enforcement. They want businesses to police their own domain names (or outsource the job), which would stop crooks from creating variants of those names to use as fake Web addresses to lure people into giving away their identities.
Jevans believes technology vendors are not providing the tools companies need to fight cybercrime. He notes there are 40 security toolbars for blocking pop-up ads and other problems with browsers. Yet there is no comprehensive model for understanding how security threats evolve, either technically or across geographies.
The lack of any sort of a technological silver bullet means companies are uncertain of where to spend money to protect themselves, according to Jon Oltsik, a senior analyst with the Enterprise Strategy Group, a technology market research firm. In January, Oltsik's firm published a survey of 251 information-technology professionals working in over 18 industries. Only 64% claimed their companies had invested highly in securing the perimeters of their networks, and 39% in internal network security. Yet, two-thirds were attacked by an automated worm at least once in the last year.
Sometimes, says Gartner's Pescatore, it's easier just to pay the cost of fraud. One of his clients, whom he describes as "a major bank," is reimbursing customers for thefts caused by phishing attacks at the rate of $1 million per month.
Security experts agree that groups like Shadowcrew will continue to spring up because there's money to be made and these groups make it so easy for people to profit.
"They don't have to be a specialist in all the different areas of fraud and other criminal conduct—hacking, what have you—in order to be successful," Christie says. "I'm a specialist at hacking. You're a specialist in fake ID. This other guy's a specialist in Internet fraud. Well, you know, we can get together and we can help each other in the areas where we don't have a particular specialty, so that all of us can commit all different types of criminal conduct. And we can learn from each other."
But so far, from what the Secret Service has discovered, no former members of the Shadowcrew have joined a new Web mob.