Inside Online Crime: Of Hackers, Identity Theft and Online Scams

In today’s technical environment, one of the common threats executives hear about is organized criminals out to break into corporate systems for profit, not notoriety. Security experts have been sounding warnings over stealthy attacks perpetrated by sneaky crooks for several years now, to the point where some executives might think they’re being scared unnecessarily by overinflated stories.

But these bad guys are not bogeymen. They haven’t been dreamed up by the CSO to scare upper-level executives into fattening the security budget. A whole ecosystem of criminals does exist—most of them silently getting richer off the mistakes of enterprises and their customers. To fight them, we must first understand how they work.
 
Hierarchy of Online Crime Sophistication
For people who aren’t limited by little things like laws and regulation, the ways of making money online are limited only by criminal creativity. Drawing an analogy to real-world robbers, some run simple smash-and-grabs at the local 7-11, and others orchestrate intricate jewelry heists and steal away into the night.

“There’s definitely a hierarchy in the types of activities that happen in online crime. I would put things like 419 scams [an advance-fee fraud, usually by Nigerian fraudsters] on the lower end of it; they are very easy to mount, and you don’t need much technical sophistication to make the attack work,” says Zulfikar Ramzan, senior principal researcher for Symantec. “But as you get into slightly higher levels, you might get phishing attacks, where [the criminals] have to put up a Web site and do a little bit more work to make money. And then, at an even higher level, you have to do more work on developing malicious software and trying to get those on people’s machines to steal their credentials that way. That requires even more technical sophistication.”

Then there are those even farther up the evolutionary crime chain. “Even the highest levels beyond that, you start to get to people who are doing very targeted attacks,” Ramzan says, explaining that they’ll often go after high net-worth individuals, key executives at companies, government officials and the like. This, he explains, is a force to be reckoned with: “They are really being very careful about what they are doing, and they’re very slick. They go in there, do their work and get back out. They’re very much under the radar.”


The higher up the chain of sophistication, the more a business must worry about the bad guys, because they’re the ones who tend to do the most damage. After all, the smash-and-grab robber usually manages to get his paws on only $50 at a time. The jewelry thief steals millions in one go.

In this case, the jewels are data stores. They are lists of personally identifiable information to be used for identity-theft scams; they are login and password combos to perpetrate financial theft; and they’re corporate intellectual property to be sold on the black market. Rest assured: The best crooks have been hard at work figuring out more efficient ways to steal them.