Electronic copy available at: http://ssrn.com/abstract=2211842
Crime in Cyberspace:
Offenders and the Role of Organized Crime Groups
Working Paper 15.05.2013
Roderic Broadhurst,
Peter Grabosky,
Mamoun Alazab,
Brigitte Bouhours,
Steve Chon &
Chen Da
Australian National University Cybercrime Observatory1
Contact: [email protected]
School of Regulation, Justice & Diplomacy Australian National University
Canberra, ACT, 0200 Australia
Abstract
This working paper summarizes what is currently known about cybercrime offenders and groups. The paper briefly outlines the definition and scope of cybercrime, theoretical and empirical challenges faced when studying cyber offenders, and the likely role of organized crime groups (OCG). The paper gives examples of known cases that illustrate individual and group behaviour, profiles typical offenders, including online child exploitation perpetrators, and describes methods and techniques commonly used to identify crimeware and trace offenders.
Key words
Cybercrime; Internet crime; cyber offenders; online offenders; online child sex offenders; online investigation
1 The research is funded by an ARC Discovery Grant on the evolution of cybercrime (DP 1096833) and supported by the ARC Centre of Excellence in Policing and Security. We also thank the Australian Communication & Media Authority (ACMA) and the Computer Emergency Response Team (CERT) Australia for their assistance in the provision of data. The authors thank Chen Da, Chinese People’s Public Security University and Visiting Fellow, ANU, for his assistance in the translation of relevant Chinese language papers.
Introduction
Cybercrime exploits cross-national differences in the capacity to prevent, detect, investigate, and prosecute such crime, and is fast becoming a growing global concern.2 This transnational character provides cybercriminals, whether operating as individuals or as organized crime groups (OCGs), with the potential to escape counter-measures, even when these are designed and implemented by the most capable actors.3 Cybercrime has evolved in parallel with the opportunities afforded by the rapid increase in the use of the Internet for e-commerce and in the developing world. In February 2013, 2.7 billion people, nearly 40% of the world population, had access to the Internet. The rate was higher in the developed world (77%) than in the developing world (31%). While Africa had the lowest Internet penetration rate (16%), between 2009 and 2013 Internet penetration has grown fastest in Africa (annual growth of 27%) followed by Asia-Pacific, the former Soviet Union, and the Arab States (15% annual growth rate). Around one-quarter of all Internet users used English (27%) on the web, and another quarter (24%) used Chinese.4 A main reason for the growth in the scale and scope of cybercrime since the mid-2000s has been attributed to the proliferation of ‘botnets’5 as mass tools for computer misuse and the amplification of these activities via ‘toolkits’ (e.g. Zeus) that simplify their deployment. Spam and malicious websites are still the usual vectors for deceptive intrusion and widespread distribution of ‘malware’ such as ‘bots’.6 Various forms of social engineering are also common means of compromising computers. Botnet operators or ‘herders’ provide such services for fees that reflect the number and likely value of ‘zombie’ (or infected) computers in the botnet. These activities operate like criminal services in other domains of crime, for example, those of forgers or money launderers. 
Crimeware toolkit users also adopt the ‘software as a service’ approach by renting malicious software from its creators or owners for a specified period of time during which they are able to commit crime. A more basic service is that of a stolen data supplier, who allows others to download stolen data, such as credit card details, for a fee.7 In short, cybercrime has quickly evolved from a relatively low volume crime committed by an individual specialist offender to a mainstream or common high volume crime ‘organized and industrial like’.8
2 United Nations, A More Secure World, Our Shared Responsibility: Report of the High-Level Panel on Threats, Challenges, and Change (online, 2004), <http://www.un.org/secureworld/report2.pdf>.
3 S Brenner, ‘Cybercrime Jurisdiction’, 2006, Crime, Law and Social Change, 46, 189-206; Council of Europe, ‘Summary of the Organized Crime Situation Report: Focus on Cybercrime’, 2004, Octopus Interface Conference: Challenge of Cybercrime, September 15-17, Strasbourg; R Broadhurst & K K R Choo, ‘Cybercrime and Online Safety in Cyberspace’, in C Smith, S Zhang, & R Barbaret (eds), International Handbook of Criminology (Routledge, 2011), 153-165.
4 International Telecommunication Union, ICT Facts and Figures (Geneva, ITU, 2013), <http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013.pdf>.
5 A botnet is a network of individual computers which have been compromised by malicious software and are controlled by a third party, usually for the purpose of criminal activities (e.g. sending spam).
6 Malware stands for ‘malicious software’ such as worms, viruses, and trojans. Bots or web robots allow a malicious user to remotely control computers infected by malware.
7 Y Ben-Itzhak, ‘Organized Cybercrime and Payment Cards’, (2009) 21(2) Card Technology Today, 10–11.
8 See T Moore, R Clayton, & R Anderson, ‘The Economics of Online Crime’ (2009) 32(3) Journal of Economic Perspectives, 3-20, 3-4, 17; R Anderson, C Barton, R Bohme, R Clayton, M van Eeten, M Levi, T Moore, & S Savage, ‘Measuring the Cost of Cybercrime’, Workshop on the Economics of Information Security (WEIS), 25 June 2012, Berlin, Germany, <http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf>.
While many types of cybercrime require a high degree of organization and specialization, there is insufficient empirical evidence to ascertain if cybercrime is now dominated by OCGs and what form or structure such groups may take.9 Digital technology has empowered individuals as never before. Teenagers acting alone have succeeded in disabling air traffic control systems, shutting down major e-retailers, and manipulating trades on the NASDAQ stock exchange.10 What individuals can do, organizations can also do and often better. It is apparent that many if not all forms of criminal organization are capable of engaging in cybercrime. The Internet and related technologies lend themselves perfectly to coordination across a dispersed area. Thus, an OCG may be a highly structured traditional mafia like group that engages delinquent IT professionals. Alternatively, it could be a short-lived project driven by a group that undertakes a specific online crime and/or targets a particular victim or group. Rather than groups, it may involve a wider community that is exclusively based online and dealing in digital property (e.g. trading in ‘cracked’ software or distributing obscene images of children).11 It may also consist of individuals who operate alone but are linked to a macro-criminal network12 as may be found in the ‘darknet’ and Tor13 undernet sites. Many cybercrimes begin with unauthorized access to a computer system. Information systems may be targeted for the data they contain, including banking and credit card details, commercial trade secrets, or classified information held by governments. Theft of personal financial details has provided the basis for thriving markets in such data, which enable fraud on a significant scale.14 The Internet has also been used as a vehicle for fraud. Spurious investment solicitations, marriage proposals, and a variety of other fraudulent overtures are made daily by the hundreds of millions (for example, see case study on scareware scam). 
In recent years, insurgent and extremist groups have used Internet technology as an instrument of theft in order to enhance their resource base.15 As digital technology pervades modern society, we have become increasingly dependent upon it to manage our lives. Much of our ordinary communications and record keeping rely on the Internet and related technologies. Just as digital technology enhances the efficiency of our ordinary legitimate activities, so too does it enhance the efficiency of criminal activities. Criminals and terrorists use the Internet as a medium of communication in furtherance of criminal conspiracies.16 As for law-abiding citizens, it is a means of storing records and other information, and performing financial transactions, albeit in the case of criminals such transactions may be part of money laundering activities. Manufacturers of illicit drugs advertise and trade recipes over the Internet.17
9 J Lusthaus, ‘How Organised is Organised Cybercrime?’ (2013) 14(1) Global Crime, 52-60.
10 US Securities and Exchange Commission, In the Matter of Jonathan G. Lebed (2000), <http://www.sec.gov/litigation/admin/33-7891.htm>; <http://www.usdoj.gov/criminal/cybercrime/juvenilepld.htm>; <http://cbc.ca/cgi-bin/templates/view.cgi?/news/2001/01/18/mafiaboy010118>.
11 The Internet has been used to communicate a wide variety of content deemed offensive to the point of criminal prohibition in one or more jurisdictions. Such material includes child pornography, neo Nazi propaganda, and advocacy of Tibetan independence, to list but a few. Jihadist propaganda and incitement messages also abound in cyberspace.
12 See T Spapens, ‘Macro Networks, Collectives, and Business Processes: An Integrated Approach to Organized Crime’ (2010) 18 European Journal of Crime, Criminal Law and Criminal Justice, 185–215.
13 Tor is an encrypted re-routing service designed to obscure the original source of an email or website on the Internet, sometimes known as The Onion Router. Law enforcement concerns about the widespread misuse of Tor recently led Japanese police to recommend blocking access to the service for those who misuse it (BBC Technology, ‘Japanese police target users of Tor anonymous network’, 22 April 2013, <http://www.bbc.co.uk/news/technology-22248692>).
14 M Glenny, Dark Market (Knopf, 2011).
15 Imam Samudra, convicted architect of the 2002 Bali bombings, reportedly called upon his followers to commit credit card fraud in order to finance militant activities (cited in A Moghadam, The Globalization of Martyrdom: Al Qaeda, Salafi Jihad, and the Diffusion of Suicide Attacks [Johns Hopkins University Press, 2009]).
Scareware Scam
One of the most widespread online scams involves ‘scareware’, a malicious type of software that claims to detect viruses and other threats that do not actually exist. The software is often advertised through alarming pop-up messages saying your computer is infected and you need to buy the antivirus software being advertised. The pop-ups are persistent, often difficult to close, and in extreme cases it is possible to become infected when trying to cancel the notification. In 2011 a coordinated international law enforcement operation, Operation Trident Tribunal, disrupted the activities of two cybercrime groups involved in the sale of scareware. The groups are believed to be responsible for victimizing more than one million computer users and causing more than $74 million in total losses. One scam was attributed to a group based in Kiev, Ukraine, which used a variety of tactics to infect computers with scareware, such as directing users to a web page featuring fake virus scans that instead installed the malicious software. People were then asked to supply their credit card number and had to pay to have their computer repaired (see full example of IMU below). In another similar scam, two individuals in Latvia had created a fake advertising agency. Visitors to the agency’s website were infected with a malicious scareware and required to pay a fee to have their computers restored. The success of Operation Trident Tribunal rested on the cooperation of law enforcement among 12 nations: Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Lithuania, Romania, Canada, Sweden, the United Kingdom, and the US.18
This paper focuses on common criminal activities in cyberspace, such as fraud, and what we know about offenders and their modus operandi. We briefly discuss some characteristics of offenders involved in online child sex exploitation and touch on matters related to the use of computers in furtherance of political or ideological aims or as instruments of defence or state initiated cyber-warfare (see case study on Operation Olympic Games). For example, Anonymous is a loose collective of anarchists who engage in what Denning referred to as ‘hacktivism’.19 Members of this group tend to attack prominent symbols of capitalism and government. The chosen vehicles for their activities consisted of defacing the websites of government agencies and corporations, distributed denial of service attacks, which paralysed target computers by overwhelming them with data, and occasionally the publication of confidential data, as in the AT&T case. These attacks were usually complemented by online verbal abuse.
16 A. Moghadam, 2009, ibid.
17 J Schneider, ‘Hiding In Plain Sight: An Exploration of the Activities of a Drugs Newsgroup’ (2003) 42(4) Howard Journal of Criminal Justice, 372–389.
18 <http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211>.
19 D E Denning, ‘Activism, Hacktivism, and Cyberterrorism: the Internet as a Tool for Influencing Foreign Policy’, in D Arquilla & D F Ronfeldt (eds), Networks and Netwars: The Future of Terror, Crime and Militancy (Rand, 2001), 239-288.
Operation Olympic Games
was a covert collaboration between the US National Security Agency and its Israeli counterpart, Unit 8200, which intended to disrupt the Iranian nuclear enrichment program. It allegedly involved the clandestine insertion of an extremely complex and sophisticated set of software, named Stuxnet, into the communication and control systems at the Natanz nuclear facility. The software reportedly included a capacity to monitor communications and processing activity, as well as the ability to corrupt control systems at the facility. The operation succeeded in delaying the progress of uranium enrichment through remotely controlled destruction of a number of centrifuges used in the process. The secrecy surrounding the operation was compromised in part when the malicious software escaped because of a programming error. Neither the United States nor the Israeli government acknowledged the existence of the operation.20
Imbued with the hacker ethos that information should be free, the group also targeted the secrecy of the Church of Scientology, the proprietary commercialism of the Motion Picture Association of America, and became a supporter of Wikileaks. When the US Government prevailed upon various electronic payment service providers to discontinue processing of contributions to Wikileaks following its publication of secret US State Department messages, Anonymous orchestrated denial-of-service attacks against the complying sites.21 A well-known Anonymous campaign is illustrated in the open letter to Colonel Gadhafi’s Internet Service Provider (ISP) during the civil war in Libya (Figure 1). An activity worth noting is a form of vigilantism or ‘counter-hacking’ in which individuals may take direct action against some forms of cybercrime. Rather than simply alerting law enforcement to a successful or attempted intrusion, or reporting a website that hosts illicit material such as sexual images of children or a market for stolen credit card details, cyber vigilantes seek unilaterally to vandalize or disable the offending site. The greater the skills of the vigilante, the greater the damage they can inflict. For example, on 25 April 2013, hacking group Anonymous temporarily took down several child pornography websites as part of what they called Operation Alice. Anonymous has a long history of battling online paedophile rings.22 Such a response is illegal in many jurisdictions and counter-hackers may be disinclined to publicize their exploits. Victims, whose actions provoked the response, are understandably reluctant to call attention to their own offending. However, there have been some notable disclosures; for example, a number of retaliatory cyber-attacks by various companies and by the US Department of Defence in response to electronic intrusions have been documented.23 Grubb revealed how an Indian software firm had been engaged by the film industry in response to piracy. The firm searched the Internet to find movies that were being illegally uploaded, then sent the hosting server a request to remove the pirated content. Noncompliance with a second request was met with a denial of service attack. The firm has also claimed to have remotely destroyed pirated products in order to prevent further illegal use.24
20 D Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (Crown Publishers, 2012).
21 See P Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (Little, Brown & Company, 2012); G Coleman, ‘Anonymous: From the Lulz to Collective Action’, The New Everyday, 6 April 2011, <http://mediacommons.futureofthebook.org/tne/pieces/anonymous-Lulz-collective-action>.
22 M Stone, ‘Operation Alice: Anonymous Punishes Pedophiles, Targets Child Pornography Sites’, Examiner.com (25 April 2013), <http://www.examiner.com/article/operation-alice-anonymous-punishes-pedophiles-targets-child-porn-sites>.
Anonymous at AT&T
A former AT&T contractor, Lance Moore, allegedly handed over to Anonymous tens of thousands of phone numbers, confidential IP addresses, usernames, and passwords, plus corporate emails, and other documents. These were used by LulzSec25 to embarrass AT&T via a public data dump of these stolen addresses and documents in June 2011. The alleged offences were discovered through AT&T’s network auditing and log management that identified an AT&T VPN connection used to upload documents to FileApe.com at the same time that unauthorized access was made to sensitive information. The IP address used was assigned to a small group of contractors, and further investigation showed that Moore’s account was the only one used to access both FileApe.com and the servers with the stolen data.26
23 R Majuca & J Kesan, Hacking Back: Optimal Use of Self-Defense in Cyberspace (Illinois Public Law Research Paper No. 08-20, 2009), <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1363932>; see also B Smith, ‘Hacking, Poaching and Counterattacking: Digital Counterstrikes and the Contours of Self-Help’ (2005) 1(1) Journal of Law, Economics and Policy, 171-195.
24 B Grubb, ‘Film Industry Hires Cyber Hitmen to Take down Internet Pirates’, Sydney Morning Herald, 8 September 2010, <http://www.smh.com.au/technology/technology-news/film-industry-hires-cyber-hitmen-to-take-down-internet-pirates-20100907-14ypv.html#ixzz205Bikun9>.
25 Lulz Security, commonly abbreviated as LulzSec, was a computer hacker group comprising at least seven individuals (residing in the US, Ireland and the UK) that claimed responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. It was affiliated with Anonymous and AntiSec. The group also claimed responsibility for taking the CIA website offline (see <http://en.wikipedia.org/wiki/LulzSec>). In April 2013 one of those responsible (25 year old Cody Kretsinger) was sentenced to prison for a year and to 1,000 hours of community service by a US court for his part in the Sony hack on the PlayStation network, while four others (all under the age of 26) involved with LulzSec in the UK were still awaiting sentence. Police in both countries were able to secure confessions after getting cooperation from other hackers (BBC Technology, ‘Kretsinger, Sony Hacker Recursion, Jailed for 1 Year’, 19 April 2013, <http://www.bbc.co.uk/news/technology-22214506>).
26 See P Olson, 2012, op. cit., 286-287 for an account of the machinations within LulzSec; E Chickowski, ‘Notorious Cybercrooks of 2011 and How They Got Caught’, (2011) Dark Reading, <http://www.darkreading.com/security/attacks-breaches/232300124/the-most-notorious-cybercrooks-of-2011-and-how-they-got-caught.html?itc=edit_stub>.
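The investigative pattern described in the AT&T case above (attributing a VPN address to an account, then checking whether that same account both reached the sensitive servers and uploaded to the external file host in the same time window) can be expressed as a log correlation. The following is an added example, not code from the paper or from AT&T; the log formats, account names and internal server names are constructed, and only fileape.com is taken from the case description.

```python
"""Correlate VPN, egress-proxy and file-server logs to find accounts that both
reached sensitive internal servers and uploaded to a watched external file host
within one time window. Log formats, account and server names are constructed
for this example (not AT&T's data); fileape.com is the host named in the case."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_UPLOAD_HOSTS = {"fileape.com"}                          # external file-sharing hosts of interest
SENSITIVE_SERVERS = {"docs-vault.internal", "custdb.internal"}  # assumed internal server names
WINDOW = timedelta(minutes=30)                                   # tolerance for "at the same time"

# Constructed sample logs: one event per line, space-separated key=value fields.
VPN_LOG = [
    "2011-06-01 08:55:00 VPN user=contractor_a ip=10.8.0.5 event=connect",
    "2011-06-01 08:58:00 VPN user=contractor_b ip=10.8.0.6 event=connect",
    "2011-06-01 12:00:00 VPN user=contractor_a ip=10.8.0.5 event=disconnect",
]
PROXY_LOG = [
    "2011-06-01 09:12:00 PROXY src=10.8.0.5 host=fileape.com method=POST bytes=52000000",
    "2011-06-01 09:20:00 PROXY src=10.8.0.6 host=fileape.com method=GET bytes=1200",
    "2011-06-01 10:30:00 PROXY src=10.8.0.5 host=example.com method=GET bytes=800",
]
FS_LOG = [
    "2011-06-01 09:03:00 FS user=contractor_a src=10.8.0.5 server=docs-vault.internal action=read path=/eng/vpn-accounts.xlsx",
    "2011-06-01 09:06:00 FS user=contractor_a src=10.8.0.5 server=custdb.internal action=export path=/exports/phone-numbers.csv",
    "2011-06-01 09:15:00 FS user=contractor_b src=10.8.0.6 server=wiki.internal action=read path=/howto/vpn",
    "2011-06-01 11:50:00 FS user=contractor_a src=10.8.0.5 server=docs-vault.internal action=read path=/eng/readme.txt",
]

def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def kv(token):
    """'key=value' -> 'value'."""
    return token.split("=", 1)[1]

def parse_vpn(lines):
    """Return (user, ip, start, end) sessions; a session with no disconnect runs to datetime.max."""
    sessions, open_sessions = [], {}
    for line in lines:
        date, time, _, user, ip, event = line.split()
        key = (kv(user), kv(ip))
        if kv(event) == "connect":
            open_sessions[key] = parse_ts(date, time)
        elif key in open_sessions:
            sessions.append((key[0], key[1], open_sessions.pop(key), parse_ts(date, time)))
    for (user, ip), start in open_sessions.items():
        sessions.append((user, ip, start, datetime.max))
    return sessions

def parse_proxy(lines):
    """Return (time, src_ip, host, method, bytes) egress records."""
    out = []
    for line in lines:
        date, time, _, src, host, method, nbytes = line.split()
        out.append((parse_ts(date, time), kv(src), kv(host), kv(method), int(kv(nbytes))))
    return out

def parse_fileserver(lines):
    """Return (time, user, src_ip, server, action, path) access records."""
    out = []
    for line in lines:
        date, time, _, user, src, server, action, path = line.split()
        out.append((parse_ts(date, time), kv(user), kv(src), kv(server), kv(action), kv(path)))
    return out

def session_owner(ip, when, sessions):
    """Which VPN account held `ip` at `when`? None if no session covers that moment."""
    for user, sip, start, end in sessions:
        if sip == ip and start <= when <= end:
            return user
    return None

def correlate(vpn_lines, proxy_lines, fs_lines):
    """Map account -> sensitive accesses that fall within WINDOW of an upload to a watched host."""
    sessions = parse_vpn(vpn_lines)
    uploads = [u for u in parse_proxy(proxy_lines)
               if u[2] in WATCHED_UPLOAD_HOSTS and u[3] == "POST"]
    reads = [r for r in parse_fileserver(fs_lines) if r[3] in SENSITIVE_SERVERS]
    findings = defaultdict(list)
    for t_up, src, host, _, nbytes in uploads:
        user = session_owner(src, t_up, sessions)   # attribute the source address to an account
        if user is None:
            continue                                 # unattributed egress: worth its own alert in practice
        for t_rd, ruser, _, server, action, path in reads:
            if ruser == user and abs(t_rd - t_up) <= WINDOW:
                findings[user].append({"accessed_at": t_rd.isoformat(), "server": server,
                                       "action": action, "path": path,
                                       "uploaded_at": t_up.isoformat(), "host": host,
                                       "bytes": nbytes})
    return dict(findings)
```

On the sample, correlate(VPN_LOG, PROXY_LOG, FS_LOG) names only contractor_a, with two sensitive-server accesses inside the window of the 09:12 upload; the 11:50 read falls outside the window and contractor_b's GET is not an upload.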
Figure 1. Anonymous Press Release urging an ISP to decline hosting the website for Colonel Gadhafi.
In summary, the Internet may be used for criminal activity in three basic ways: it can serve as the instrument of crime; the target of crime; or it can be used incidentally in furtherance of criminal activity. The three modes apply to both individual and organizational use, and are not mutually exclusive. Measuring cybercrime is not straightforward. First, there are many differences in definition within and between jurisdictions. Second, a large proportion of cybercrime goes unreported, and possibly unnoticed for some time. In a recent comprehensive study the UN listed four ways of measuring cybercrime: 1) by using police statistics; 2) by conducting cyber victimisation surveys of individuals and businesses; 3) by encouraging victims to report; and 4) by drawing on information from the cyber security industry.27 This study estimated that of all instances of cybercrime known to police in 61 countries, one-third related to fraud and forgery; between one-third and one-half, depending on the country, involved content crime, for example, distribution of child pornography or terrorism-related material, and copyright infringements; the remaining 10 to 33% involved hacking and illegal access to computer systems. Individual cyber victimisation is higher than victimisation via conventional crime. UNODC estimated that between 1% and 17% of the world population with Internet access had been victims of online credit card fraud, identity theft, email account hacking, or had responded to a phishing attempt.28 Many new computer viruses and malware codes are developed by nation state actors or their surrogates for strategic or tactical offensive action against ‘enemies’ rather than as crimeware (e.g. Stuxnet, the worm created for the Operation Olympic Games against Iran; see also GhostNet below).29 However, this malware may ‘escape’, or otherwise become available to OCGs, which then use it to extend their criminal capabilities.
The information security industry is another potential distribution vector for malware, as when penetration testing generates new codes capable of avoiding filtering and other malware detections. Such malware can be sold or made available by delinquent security professionals. The anonymity afforded by the Internet makes it relatively difficult to identify offenders. Skilled hackers, whether employed by the state, by a criminal organization, or working on their own, are often able to conceal their true identity. As a result, when one’s information systems are subject to intrusion, one cannot be sure whether the intruder is a sole teenager, an organized criminal group, or agents of a foreign government. Indeed, two or more of these may be acting in concert, under arrangements of sponsorship or in some hybrid form. Nor can one be confident of the physical location from which the attack originated. It has become a cliché to suggest that cyberspace knows no boundaries, and a crime can be committed against a target on the other side of the world as easily as a target in one’s own jurisdiction.
27 United Nations Office on Drugs and Crime (UNODC), Comprehensive Study on Cybercrime (UNODC, February 2013), <http://www.unodc.org/documents/commissions/CCPCJ_session22/13-80699_Ebook_2013_study_CRP5.pdf>. The report of the comprehensive study on cybercrime was prepared by UNODC under the auspices of the open-ended intergovernmental expert group.
28 UNODC, 2013, ibid., 25-26.
29 Some are also used by states for cyber espionage, an increasingly controversial area; see D Fiddler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17(10) Insight, 1-6.
GhostNet
The name given by a group of Canadian researchers in 2010 to a cyber-espionage operation apparently operating from commercial Internet accounts in China. The hackers compromised government computers in over 100 countries on several continents; they also targeted emails from the server of the Dalai Lama. The Chinese Government denied involvement, and there was no conclusive evidence to the contrary. There was, however, some evidence of government complicity. Chinese officials have confronted expatriate dissidents returning to China with transcripts of Internet chats in which they were involved during their absence.30 Whether the activity in question was the work of patriotic hackers acting unilaterally, or skilled individuals with guidance from state authorities who were otherwise acting at arm’s-length, remains unclear. Canadian investigators found evidence of links to two individuals in the underground hacking community of the PRC.31
The standard definition of organized crime enounced in the UN Palermo Convention,32 based on the participation of three or more persons acting in concert, does not extend to certain highly sophisticated forms of organization such as the mobilization of robot networks that may be operated by a single person. So-called botnets involve an offender using malicious software to acquire control over a large number of computers (the largest including more than a million separate machines). Even though the individual and institutional custodians of compromised computers may be unwitting participants in a criminal enterprise, some commentators maintain that botnets should be considered a form of organized crime.33
Challenges of Theory and Evidence
The absence of evidence about the extent, role, and nature of OCGs in cyberspace impedes the development of sound countermeasures. While a growing number of experts consider that cybercrime has become the domain of organized groups and the days of the lone hacker are past, little is yet known about the preferred structures and longevity of groups, how trust is assured, and the relationship with other forms of crime. There is an absence of evidence-based research about offender behaviour and recruitment in cyberspace, although learning and imitation play important roles.34 Hence, OCGs cannot be understood from just their functional (illicit) activities, that is, as rational profit-driven networks of criminal actors, since socio-cultural forces also play an important role in the genesis and sustainability of such groups. In some cases obsessive-compulsive behaviour is evident; in others, a sense of impunity (born of over-confidence in anonymity) is apparent. Greed may be only one of many motives: lust, excitement, rebellion, technological challenge, and the desire for notoriety or celebrity status may be present to varying degrees, depending on the types of crime. Organized crime is often explained using functionalist (strain theories of disadvantage), learning (notably differential association),35 conflict theories, as well as rational choice theories. Crime prevention practices based on actor choice, and which rely on deterrence, are usually applied.36 In cyberspace, we have limited understanding and empirical evidence about these ‘causes’ with respect to profit or content forms of cybercrime. Broadhurst and Choo hypothesized that OCGs would be attracted by profits and, therefore, they would be more likely to target the more lucrative online markets. Rather than traditional ‘mafia-like’ groups, these offending networks would tend to take new forms.37 In addition, drawing on the broader organized crime literature, they argued that more permanent or semi-durable forms of online OCGs are likely to become involved in the extortion of victims who are the owners or custodians of credit card and identity details.38 They would be less likely to engage in systematic fraud or deception-related cybercrime, where dynamic and fluid groups or networks would dominate.39 In turn, OCGs have resources, are resilient, and are able to adapt to changes in their environment.
30 Information Warfare Monitor, Tracking GhostNet: Investigating a Cyber Espionage Network (2009), <http://www.infowar-monitor.net/ghostnet>.
31 <http://www.nartv.org/mirror/shadows-in-the-cloud.pdf>; J Markoff & D Barboza, ‘Researchers Trace Data Theft to Intruders in China’, New York Times, 5 April 2010, <http://www.nytimes.com/2010/04/06/science/06cyber.html?pagewanted=all>.
32 Article 2(a) of the United Nations Convention against Transnational Organized Crime defines an ‘organized criminal group [as] a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit’. Article 2(c) clarifies that ‘a structured group shall mean a group that is not randomly formed for the immediate commission of an offence and that does not need to have formally defined roles for its members, continuity of its membership or a developed structure’.
33 L Y C Chang, Cybercrime in the Greater China Region: Regulatory Response and Crime Prevention across the Taiwan Strait (Edward Elgar, 2012).
Digital technology has facilitated OCGs’ involvement in transnational crime and contributed to the success and longevity of some OCGs. Understanding the various organizational structures of OCGs helps predict their behaviour and may improve the ability of police to investigate, disrupt, and weaken organized crime activity.40 It is assumed that OCGs are profit-focused enterprises that seek out opportunities provided by ill-managed ISPs and jurisdictions with weak regulatory control of the Internet. They acquire the necessary resources for cybercrime by (inter alia) using delinquent IT professionals and targeting weakly protected computers/networks or other digital devices. Consequently, deterrence (increased penalties and detection) is the preferred policy response, complemented by appropriately trained police (capable guardians) and target ‘hardening’. Alternative theoretical approaches that posit particular offender motives or pathologies, or the role of social conflict, have not featured widely in explanations of cybercrime. Early accounts of hackers emphasized individuality and a non-profit orientation, but also observed the likely shift to profit-oriented misuse as the Internet developed.41 Indeed, the role of social learning and offender pathology has been neglected but may play a significant role in predisposing some actors to criminal activity and risk-taking in cyberspace, where anonymity reduces social surveillance and self-control.42 Hate and so-called ‘content’ crimes perpetrated via the Internet may reflect social or individual pathologies, and less the exercise of rational choice – although it may be ‘rational’ to adopt Internet strategies of dissemination.43 Functionalist approaches assume crime is a normal adaptation to change, and indeed represents a creative response to adversity, usually experienced as different forms of social exclusion. Cybercrime in this sense is normal, albeit novel in its form. Thus, successfully suppressing cybercrime may only be achieved at the cost of limiting the Internet’s natural advantages, such as low-cost connectivity. Another approach is to explain certain forms of crime as the result of conflict within society and disputes about what constitutes crime. In this view, criminalization of an act represents the exercise of power by elites. Thus, defining behaviour as deviant or criminal may represent only sectional interests with little real community support. For example, the development of digital technology has recently made it possible to easily copy movies and music as digital media. Many people embraced the new technology and started exchanging such media.
34 R Broadhurst & P Grabosky, ‘Computer-Related Crime in Asia: Emergent Issues’, in R Broadhurst & P Grabosky (eds), Cybercrime: The Challenge in Asia (University of Hong Kong Press, 2005), 347-360.
35 T J Holt, G Burruss, & A Bossler, ‘Social Learning and Cyber Deviance: Examining the Importance of a Full Social Learning Model in the Virtual World’ (2010) 33 Journal of Crime and Justice, 31-61.
36 G Newman & R Clarke, Superhighway Robbery: Preventing E-Commerce Crime (Routledge, 2003); T J Holt & A Bossler, ‘Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization’ (2009) 30 Deviant Behavior, 1-25; M Yar, ‘The Novelty of “Cybercrime”: An Assessment in Light of Routine Activity Theory’ (2005) 2 European Journal of Criminology, 407-427.
37 Broadhurst & Choo, op. cit.
38 P Grabosky, R Smith, & G Dempsey, Electronic Theft: Unlawful Acquisition in Cyberspace (Cambridge University Press, 2001), 34-50. It is apparent that some services in cyberspace offer means to protect illicit data or information obtained by illicit means; however, these services may not mimic the usual forms of protection offered by terrestrial OC groups.
39 K von Lampe, ‘Explaining the Emergence of the Cigarette Black-Market in Germany’, in P C van Duyne, K von Lampe, M van Dijk, & J L Newell (eds), The Organised Crime Economy (Wolf Legal, 2005), 209-229.
40 See R Broadhurst & V Ly, ‘Transnational Organized Crime in East and Southeast Asia’, in A Tan (ed), East and South-East Asia: International Relations and Security Perspectives (Routledge, in press).
Subsequently the practice of illegally copying digital media without paying the copyright holders was ‘criminalized’, with attendant changes to community attitudes, opportunities for criminals, and policing practice. In the following sections we discuss a number of current and past examples of cybercrime, and the role of groups and individuals that are involved in these crimes. We begin with the role of groups or networks, and individuals involved in distributing child pornography on the Internet. In general, this activity has attracted more interest and research about offenders than have other types of cybercrime. However, such child exploitation groups or networks may not share the organizational forms of other criminal groups operating in cyberspace. This section draws on recent work by the authors for the Virtual Global Taskforce (VGT) on Child Protection – a consortium of several police agencies across the globe. Then we turn to the ‘volume’ cybercrime par excellence, spam
Online Child Sexual Exploitation
The production and dissemination of child pornography (CP) and child exploitation material (CEM) has been widely criminalized. As the Internet facilitates access to CEM, there are concerns that it may in turn stimulate the demand for newer and more extreme images as well as increase the risk of ‘real life’ abuse. An early example of online trade in CEM was the activity of a group known as W0nderland. Established around 1995, its membership consisted of about 180 persons from 49 countries who exchanged thousands of illicit images of children, until it was closed by the combined cross-national police investigation Operation Cathedral in 1998. This closed group operated in a similar way to other peer-to-peer (P2P) online groups who traded in illicit goods such as pirated software or music. A recent study found that in a sample of over 3,500 online CEM offenders, one in six were also involved in ‘offline’ molestation of children.44 Additional research on online sexual offenders is ongoing, and studies addressing, for example, differences between online and offline child sex offending,45 potential links between online and offline offending,46 and online grooming behaviours47 are available. This body of research about potential links between online offending and child sexual molestation has produced contradictory findings.48 A review of 27 studies addressing the question of whether online offenders differ from offline offenders found that online offenders were more likely to be Caucasian, unemployed and marginally younger than offline offenders.49 They showed higher levels of empathy (toward victims), but also greater levels of sexual deviance than offline offenders. The researchers concluded that online offenders appeared to exercise more self-control than offline offenders. They suggested that further research should explore the barriers to acting on their deviant interests and whether the emotional distance inherent in child pornography (CP) use is a feature of online offending.
41 A Chantler, ‘Risk: The Profile of the Computer Hacker’, unpublished PhD Thesis (Curtin University, 1996).
42 R Broadhurst & K Jayawardena, ‘Online Social Networking and Paedophilia: An Experimental Research “Sting”’, in K Jaishankar (ed), Cyber Criminology: Exploring Internet Crimes and Criminal Behavior (CRC Press, 2007), 79-102.
43 R Broadhurst, ‘Content Cybercrimes: Criminality and Censorship in Asia’ (2006) 34(1&2) Indian Journal of Criminology, 11-30.
Between July 2010 and June 2011 the Virtual Global Taskforce (VGT)50 collected data on a small, non-random sample of 103 suspected CEM possessors who allegedly downloaded and exchanged such material through the medium of online P2P services provided to Internet-enabled users. Because of the small size of the sample and its non-random case selection process, findings are not generalisable to the population of online offenders, but some insights into the characteristics of these individuals and their offending can be gained.51
44 J Wolak, D Finkelhor, & K Mitchell, ‘Child Pornography Possessors: Trends in Offender and Case Characteristics’ (2011) 23(1) Sex Abuse: A Journal of Research and Treatment, 22-42.
45 A Elliot, A Beech, R Mandeville-Norden, & E Hayes, ‘Psychological Profiles of Internet Sexual Offenders: Comparisons with Contact Sexual Offenders’ (2009) 21(1) Sex Abuse: A Journal of Research and Treatment, 76-92; L Webb, J Craissati, & S Keen, ‘Characteristics of Internet Child Pornography Offenders: A Comparison with Child Molesters’ (2007) 19 Sex Abuse: A Journal of Research and Treatment, 449-465.
46 J Endrass, F Urbaniok, L C Hammermeister, C Benz, T Elbert, A Laubacher, & A Rossegger, ‘The Consumption of Internet Child Pornography and Violent and Sex Offending’ (2009) 9 BMC Psychiatry, 43-49.
47 Broadhurst & Jayawardena, op. cit.
48 For example, Broadhurst & Jayawardena, ibid.; Elliot et al., op. cit.; Endrass et al., ibid.; Webb et al., op. cit.
49 K Babchishin, R Hanson, & C Herrmann, ‘The Characteristics of Online Sex Offenders: A Meta-Analysis’ (2011) 23(1) Sex Abuse: A Journal of Research and Treatment, 92-123.
50 The Virtual Global Taskforce (VGT) for Combating Online Child Sexual Abuse is an international partnership between nine law enforcement agencies established in 2003 – for details see <http://www.virtualglobaltaskforce.com/>.
51 B Bouhours & R Broadhurst, Statistical Report: Virtual Global Taskforce P2P Online Offender Sample July 2010–June 2011 (Australian National University, 2011), available at SSRN <http://ssrn.com/abstract=2174815> or <http://dx.doi.org/10.2139/ssrn.2174815>.
All suspects were male and ranged in age from 15 to 73 years (mean age = 41.2 years and median age = 40 years). One in five suspects was not working but was retired, unemployed, or receiving sickness benefit; the others were working or studying. Forty-two per cent were living with a partner and/or children and were significantly older than single offenders (50 years on average compared to 35.2 years). Around 4% of offenders were reported as having a mental health problem. It was estimated that around 30% of the sample had above average access to children because, among other reasons, they themselves had children, they worked with children or they occasionally had access to other people’s children, for example, when babysitting. Suspects had been involved in online CP-related activities for an average of 4.8 years (ranging from 6 months to 30 years). The offending material seized from the suspects’ computers included both sexualized and non-sexualized images of children, and 35% of the suspects possessed 10,000 or more images. Over 60% of suspects not only collected CP but also traded/distributed it through the P2P network, and 35% were involved in network(s) other than P2P. Of those, half were participating in ‘offline’ networks, which suggests that individuals who go beyond collecting CP to trading or producing it do so online but also in ‘real life’. Fewer than 20% of suspects collected exclusively images of children not engaged in sexual activity. For 35% of suspects, the most serious images in their possession involved sexual activity between children, and for 47%, sexual assault by adults including penetration and sadistic activities. All suspects were concerned with hiding their activities from others, but only 60% succeeded in separating them totally from their daily life. For the rest of the group their offending activities tended to become obsessive, were more or less enmeshed with their daily life, and were possibly not well hidden from others.
The latter group tended to be of low socio-economic status and to be highly computer literate. Of the 103 arrested suspects, 5.8% had previously been charged with online child sex offending (CSO), 17.5% with contact CSO involving children younger than 16 years, and 14.6% with non-sexual offending. In addition, evidence that at the time of their arrest suspects were also engaged in offline, ‘hands-on’ CSO was found in 15.5% of cases. Two-thirds of those suspects had a prior history of sexual offending against children. There was little overlap between prior sexual and non-sexual offending, which suggests specialization in child sex offending. Based on the suspects’ length of offending, the type of offending activities they were carrying out, the way in which they managed their offending, and the amount of CEM found in their possession it was possible to construct a ‘depth of involvement’ scale ranging from 1 (low involvement) to 4 (deepest involvement). About one in five suspects were categorized as ‘low involvement’, one-third had a medium depth of involvement, the same proportion was categorized as deeply involved, and it was estimated that just over 10% had the deepest involvement. As Table 1 shows, suspects with the deepest involvement in CEM activities were also those most likely to have engaged or currently engage in ‘real life’ CSO.
Table 1. Concurrent offending by suspect’s depth of involvement in online CSO (%)

                                                    Depth of involvement in online CSO
Type of offending                                   Low       Medium    Deep      Deepest
                                                    (N=22)    (N=34)    (N=31)    (N=11)
Prior/current ‘real life’ CSO                       0.0       26.5      16.1      45.5**
Prior/current ‘real life’ and prior online CSO      4.5       29.4      25.8      63.6**
Prior non-sexual offending                          13.6      11.8      16.1      27.3

** p<.01. Source: Bouhours and Broadhurst 2011
To sum up, this study found that offenders in the VGT sample had a relatively high rate of previous and concurrent hands-on child sex offending, and for over half the suspects with prior child molesting charges, there was also evidence of current engagement in hands-on offending. However, because of the small sample size in this study and potential selection bias, it is not possible to answer the question of whether men who engage in online CSO are at greater risk of also engaging in ‘real life’ sexual offending against children. This would be an important line of inquiry for future research.
SPAM as Infection Vector
While the Internet permits the rapid distribution of a wide range of material, it has also resulted in the circulation of a large volume of unwanted messages or spam. There is no universal definition of spam. The Australian Communication and Media Authority (ACMA) defines spam as ‘unsolicited commercial electronic messages’. Under this definition, a single electronic message can be considered spam.52 On the other hand, Spamhaus53 considers that an email is spam if it is both unsolicited and sent in bulk. Unsolicited messages have created a serious problem due to their enormous volume. For example, the Grum botnet, taken down in July 2012, was able to generate 18 billion emails a day!54 Spam takes many forms. It can be used merely to advertise products or services; however, spam is often the initial means for cybercriminals, such as the operators of a fraudulent scheme, to contact and solicit prospective victims for money, or to commit identity theft by deceiving them into sharing bank and financial account information (the Zeus case illustrates such malware). Spam emails remain the major vector for the dissemination of malware that infects computers clandestinely. Unlike the type of low volume-high value cybercrime that targets banks and financial services and requires advanced hacking capability, spam enables malware to reach ‘high volume-low value’ targets that are less likely to have effective anti-virus or other countermeasures in place. Such malware is distributed in one of two types of spam: those with an attachment that contains a virus or trojan that installs itself in the victim’s computer when the attachment is opened; and those with a hyperlink to a web page from which the malware is then downloaded onto the compromised computer.
52 The Australian Communications and Media Authority (ACMA), <http://www.acma.gov.au/WEB/STANDARD/pc=PC_2861>.
53 Spamhaus Project is an international non-profit organization, which tracks Internet spam operations and sources, and collaborates with law enforcement agencies to identify and pursue spam gangs worldwide. Spamhaus maintains a number of real time spam-blocking databases, including the Spamhaus Block List, the Exploits Block List, the Policy Block List and the Domain Block List; see <http://www.spamhaus.org>.
54 S Cowley, ‘Grum Takedown: “50% of Worldwide Spam is Gone”’, CNN Money, 19 July 2012, <http://money.cnn.com/2012/07/19/technology/grum-spam-botnet/>.
The Zeus trojan
The malware ‘Zeus’ was used by Ukrainian hackers to gain access to the computers of employees of small businesses, local government, and non-government organizations in the United States. Target computers were hacked when the victims opened a seemingly benign email message. This enabled access to the computer’s data such as bank account numbers and password details. Cybercriminals in Ukraine were then able to log on to the bank accounts and illegally withdraw funds. Associates of the Ukrainian organizers advertised on Russian language websites inviting students living in the US to help in transferring the stolen funds out of the country. These ‘mules’ were provided with fake passports and asked to open accounts under false names in various US banks, building societies and other financial institutions. Ukraine-based organizers transferred funds from the victims’ legitimate accounts to the mules’ accounts; the mules were instructed to transfer the money to offshore accounts or to physically smuggle it out of the US. Five persons were arrested in Ukraine, 11 in the United Kingdom, and 27 in the US (8 more were charged in the US but remained at large). The motive of the organizers was solely financial and the Zeus malware was the ‘toolkit’ used. The volume and repeated nature of these offences drew the attention of police and led to their discovery.55
In order to mitigate the threat of infection via attachments, security firms and other organizations often block or reject emails that contain an executable file (e.g. with the extension .exe). Cybercriminals have adapted by sending malware within PDF attachments or images. Another way is to use a double extension: the first extension is that of a benign attachment (e.g. .jpg), but the second extension represents what the file really is (.exe); a gap between the two extensions prevents spam filters from discovering that the attachment is actually an executable file. Malicious URLs included in spam emails seem to be more effective than attachments and have become the major way of infecting computers. The email often uses alarming language (for example, ‘your Google account suspended’) to convince users to click on the malicious URL. When they do, users are prompted to install malicious code disguised as legitimate software, or the link itself is infected. Alternatively, users can be redirected to a fake website where they are asked to enter confidential information such as bank details. The Australian National University Cybercrime Observatory is currently conducting research on large domestic and international samples of spam emails collected over one year. One aim of the project is to describe the diversity of spam emails and examine whether it varies over time. The study also tries to classify spam emails depending on whether they contain malware as an attachment, malicious URLs, or are merely annoying communication that causes no harm to the computer. Finally, it is hoped that these and other analyses will make it possible to predict which types of spam are most dangerous and to develop prevention strategies.
55 <http://www.fbi.gov/newyork/press-releases/2010/nyfo093010.htm>; <http://www.justice.gov/usao/nys/pressreleases/September11/garifulinnikolaypleapr.pdf>; <http://www.justice.gov/usao/nys/pressreleases/September10/operationachingmulespr%20FINAL.pdf>.
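The double-extension check and the three-way classification described above, written up as an added example (not code from the paper or the Observatory project): it strips the whitespace padding between extensions so that a name such as ‘photo.jpg          .exe’ is still recognised as executable, extracts URLs from the body, and sorts each message into malware attachment, URL lure, or merely annoying. The alarm-phrase list and the sample messages are constructed for illustration; only the paper's own example phrase comes from the text.

```python
# Added example: triage spam into the three categories the study above uses
# (malware attachment, malicious-URL lure, merely annoying). Phrase list and
# sample messages are constructed for illustration.
import re
from email import message_from_string

# Final extensions that would run if the attachment were opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a filter would normally let through; used to spot double extensions.
BENIGN_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Constructed alarm phrases; the paper's own example is 'your Google account suspended'.
ALARM_PHRASES = (
    "account suspended",
    "account will be closed",
    "verify your account",
    "unauthorised access",
    "unauthorized access",
)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def attachment_verdict(filename):
    """Return 'executable', 'disguised_executable' or 'benign' for an attachment name.
    Splitting on '.' and stripping each piece means the run of spaces in
    'photo.jpg          .exe' no longer hides the final extension."""
    pieces = [p.strip() for p in filename.strip().lower().split(".")]
    if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTENSIONS:
        return "benign"
    # An earlier benign-looking extension means the real type is being disguised.
    if any(p in BENIGN_EXTENSIONS for p in pieces[1:-1]):
        return "disguised_executable"
    return "executable"


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def classify_message(raw_message):
    """Return 'malware_attachment', 'malicious_url' or 'annoying' for a raw message."""
    msg = message_from_string(raw_message)
    body_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and attachment_verdict(filename) != "benign":
            return "malware_attachment"
        if filename is None and part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("utf-8", "replace"))
    body = "\n".join(body_parts).lower()
    # A link on its own may just be an advert; a link pushed with alarming
    # language is the lure pattern the text describes.
    if extract_urls(body) and any(phrase in body for phrase in ALARM_PHRASES):
        return "malicious_url"
    return "annoying"


# Constructed sample messages; addresses use the reserved .invalid domain.
SAMPLE_ATTACHMENT = """\
From: billing@example.invalid
Subject: Photo from last week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Here is the photo you asked for.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.jpg          .exe"
Content-Transfer-Encoding: base64

QUJD
--BOUNDARY--
"""
SAMPLE_LURE = """\
From: security@example.invalid
Subject: Your Google account suspended
Content-Type: text/plain

Your Google account suspended after unauthorised access. Restore it now at
http://accounts-restore.example.invalid/login
"""
SAMPLE_ADVERT = """\
From: deals@example.invalid
Subject: Weekend sale
Content-Type: text/plain

Everything is half price this weekend at http://shop.example.invalid/sale
"""

if __name__ == "__main__":
    for label, sample in (("attachment", SAMPLE_ATTACHMENT),
                          ("lure", SAMPLE_LURE), ("advert", SAMPLE_ADVERT)):
        print(label, "->", classify_message(sample))
```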
Offenders and the Role of Organized Crime Groups
In this section we review some of the available data on online offenders, groups, and networks. Information about cyber offenders is limited. It often relies upon retrospective studies of prosecuted cybercrime cases and limited or convenience samples, but also self-report studies, observation of the ‘dark net’ or underground Internet, and ‘honeypots’.56 An increasingly common method used by researchers to gather data on offenders is through the observation of communication in discussion forums and chat rooms. Undercover law enforcement operations also target online underground forums. It may be easier to identify those engaged with OCGs when such groups are discovered. We stress that at present there is a scarcity of evidence about the nature and behaviour of online offenders as compared to other offenders, and that even less is known about the structure or morphology of criminal groups/networks operating in cyberspace. The fundamental hypothesis is that criminal structures evident in the ‘real world’ are likely to be duplicated in the ‘cyber world’. It is also likely that virtual-only criminal networks or groups will manage the essential issue of trust in ways that will mimic the conventional practices of crime groups in the real world.57
‘Typical’ offender profile
Yip et al. argue that the cyber security industry has so far had a narrow response to cybercrime by focusing essentially on its technical aspects.58 This approach runs the risk of leading to a never-ending cat-and-mouse chase, as new technologies emerge and cybercriminals adapt to them. They suggest a different approach, which considers cybercrime a ‘socio-technological’ phenomenon and attempts to understand some of the characteristics of the people committing these crimes: their motivations, attitudes, and behaviour, as well as the environments in which they operate. As access to computers and the Internet became widespread, hackers have grown more sophisticated. Criminal hackers who apply their skills to acquiring material benefits have increasingly supplanted the thrill-seeking, computer-savvy hackers of the 1970s and 1980s who promoted a quasi-ideological culture of the ‘free’ Internet.59 Li attempted to draw a profile of cybercriminals by analysing 115 ‘typical’ cases of cybercrime prosecuted in the US between 1998 and 2006.60 These cases involved a total of 151 offenders who were overwhelmingly male (98%) and ranging in age from 14 to over 45 years. Forty per cent were 25 years or under, 35% were 26 to 35 years and the rest were over 35 years. A more recent review of over 7,000 documentary sources and interviews with expert practitioners conducted by McGuire confirmed that the average age of cyber offenders is increasing: he estimated that 43% of digital crime group members were over 35 years and only one-third (29%) younger than 25 years.61 Lu et al., drawing on data from the Criminal Investigation Bureau of Taiwan’s cybercrime database between 1999 and 2004, showed that the top five cybercrimes in Taiwan were: distributing messages regarding sex or trading sex on the Internet, Internet fraud, larceny, cyber piracy, and pornography. Over 80% of offenders were male and nearly 30% belonged to the 18-23 age bracket; 45% had attended some senior high school and 24% were currently enrolled students. The majority acted independently and about one-third were involved with other offenders.62 Most of the cases analysed by Li did not use complicated techniques. Overall, 65% of attacks used basic skills, 13% required moderate skills and 22% advanced skills. The most sophisticated attacks were those using viruses, worms, and spyware.63 McGuire noted that the possibility of purchasing or downloading crimeware such as ready-made viruses that exploit the vulnerabilities of individual computers, or more sophisticated toolkits able to hijack many computers, indicates that criminals no longer need advanced technical skills.64 Marcum et al.’s study is one of only a few about the sentencing of convicted cybercrime offenders. The data suggest that cyber offenders may be among the least likely to be sentenced to jail.65 Information from the United States Department of Justice for the five-year period 2006–2010 showed that a total of 1,177 individuals were convicted for cybercrimes. Of these, just over half (51.7%) received a sentence including any prison time.
Sentences were typically short: of those sentenced to incarceration, more than one-third (35%) were sentenced to 12 months or less in prison; 27% to 13–24 months; 12% to 25–36 months; and 19% to more than 3 years. In their sample of convicted cyber offenders under state supervision from three western states, Marcum et al. found that 65% of offenders had been sent to prison rather than community corrections. Sixty-two per cent of the sample was male with an average age of 35 years. Eighty-six per cent of the sample was white and the average education was a high-school diploma. Six per cent were members of a gang and a high proportion had prior convictions. The sample had a relatively high rate of prior violent convictions, which may explain the high rate of prison sentences.66 A study of sentencing outcomes for computer crime in Australia and New Zealand revealed no significant differences between cases where a computer was used in the commission of the offence and those where computers were absent. Sentences imposed on offenders who used computers appeared slightly more lenient than those received by their exclusively terrestrial counterparts. These findings should be treated with caution, since they were based on cases arising from offences that occurred more than a decade ago. The database, moreover, may have been vulnerable to sampling bias.67
56 Honeypots are computer systems set up to attract and trap potential offenders who try to access data illegally.
57 M Yip, C Webber, & N Shadbolt, ‘Trust among Cybercriminals? Carding Forums, Uncertainty and Implications for Policing’ (2013) Policing and Society: An International Journal of Research and Policy, DOI:10.1080/10439463.2013.780227.
58 M Yip, N Shadbolt, T Tiropanis, & C Webber, ‘The Digital Underground Economy: A Social Network Approach to Understanding Cybercrime’, paper presented at the Digital Futures conference, Aberdeen, 23-25 October 2012.
59 Y Lu, X Luo, M Polgar, & Y Cao, ‘Social Network Analysis of a Criminal Hacker Community’ (2010) Winter Journal of Computer Information Systems, 31-41.
60 X Li, ‘The Criminal Phenomenon on the Internet: Hallmarks of Criminals and Victims Revisited through Typical Cases Prosecuted’ (2008) 5 University of Ottawa Law & Technology Journal, 125-140.
61 M McGuire, Organised Crime in the Digital Age (John Grieve Centre for Policing and Security, London Metropolitan University, 2012).
62 C C Lu, W Y Jen, W Chang, & S Chou, ‘Cybercrime & Cybercriminals: An Overview of the Taiwan Experience’ (2006) 1(6) Journal of Computers, 11-18.
63 Li, 2008, op. cit.
64 McGuire, 2012, op. cit.
65 C D Marcum, G E Higgins, & R Tewksbury, ‘Incarceration or Community Placement: Examining the Sentences of Cybercriminals’ (2012) 25(1) Criminal Justice Studies, 33–40.
66 Marcum et al., 2012, ibid., 35-37 – actual sample size was not given and attempts to contact the authors were unsuccessful.
Cyber-criminals in China
With recent massive economic growth, China has become as vulnerable as other places to cybercrime focused on financial rewards, as the case study on online fraud illustrates. The Ministry of Public Security reported that half of all cyber offenders identified in 2005 were over the age of 26, 45% were between 18 and 25 years, and the rest were under the age of 18. Fraud was the typical crime. Data for 2011-2012 from the Hubei province indicated that 90% of known cyber-criminals were 30 years of age or less. Cybercrime cases reported in Luoyang, Henan province, between 2006 and 2009 consisted for the most part of online fraud (70%), online theft (10%), and online pornography (5%).68 In 2011 in Shenzhen, Guangdong province, 57% of cybercrime cases known to the police were online fraud, 15% were online pornography, and 6% online theft.69
PRC and Taiwan police crack telecom fraud gang70
In a joint investigation, the Chinese and Taiwan police ‘cracked’ a major online fraud case targeting Taiwan residents, one of several cross-strait fraud crime groups interdicted in recent years.71 On July 26, 2012 police from Fujian, Guangdong and Hainan, assisted by Taiwanese police, raided 33 locations, and detained 260 suspects, including 26 Taiwanese. Pretending to be online web staff, the suspects illegally obtained customers’ personal information then phoned them. They told the online shoppers that due to bank system errors, their lump sum payment had been shifted to an instalment account. Gang members lured the customers into transferring payment into the gang’s bank accounts by saying they could avoid paying extra transaction fees to the bank.
Studies conducted in the provinces of Jiangsu (2007-2010) and Guangdong (2004-2006) provide some offender demographic data. In Suzhou (Jiangsu), one of China’s most economically developed cities, 120 cases were recorded by the prefecture’s judicial and procuratorial agencies between 2007 and 2010. Of the 195 offenders involved in these cases, 91% were males, 81% were aged between 18 and 35 years, and 37% were college educated or above; however, a relatively large proportion were unemployed (40%), while 29% worked for private enterprises and 12% were self-employed.72 About one in five (23.3%) cases in Suzhou involved more than one offender, but an earlier study in Guangdong indicated that the proportion of ‘joint offences’ was higher and the trend was increasing.73 Cybercrime groups often work regionally and countermeasures require collaboration between police forces. In 2010, the Taiwanese Criminal Investigation Bureau and Chinese police officers arrested 329 individuals in China, 121 individuals in Taiwan, as well as some individuals in Vietnam in relation to phone and Internet auction fraud.74 The group leader and the core crime group were based in Taiwan. The group consisted of three subgroups with specific functions: the first, called the ‘technical support team’, comprised five IT specialists who maintained the network and computer infrastructure and provided technical support and service. The second subgroup consisted of smaller teams working in underground locations in some China provinces such as Anhui, Hunan, and Guangdong. They used information consultancy companies as cover for making fraudulent calls, and some experts provided training and created scripts for these phone calls. Finally, there was also a financial team that transferred illicit money through underground banks. These three subgroups shared the profits and received respectively 30%, 40%, and 30% from each successful fraud operation. More recently, in 2012, police from Fujian, Shaanxi, and Anhui raided 17 gang locations and apprehended 86 suspects including the leader Liu Xinglin, a Taiwanese fugitive wanted for fraud.75 The crime group may have been operating since 2003 and is thought to have swindled over 20 million CNY (US$3.16 million). Offenders involved outside of the core group included suspects in PR China and Vietnamese nationals.
67 P Grabosky, R Smith, & G Urbas, Cyber Criminals on Trial (Cambridge University Press, 2004). The fact that certain offences (such as child pornography offences) are being viewed with increasingly intense disapproval by authorities, and that such offences are greatly facilitated by digital technology, suggests that the salience of digital technology to sentencing outcomes may become greater in the future.
68 W Zhang, ‘An Empirical Research on Cybercrime in Metropolis’, Master dissertation (China University of Political Science and Law, Beijing, 2010).
69 Personal communications with MPS PRC January 9, 2013 cited from various Chinese sources.
70 Xinhua News, 12 December 2012.
71 The MPS reported that since 2010 over 2,500 suspects had been apprehended operating similar scams, and each illicit operation appeared to engage large groups, often in excess of 100 persons.
The fraud succeeded because of loopholes in the regulation of the financial and communication companies that were targeted. Members of the crime group posed as government officials and were able to withdraw cash from Taiwanese online bank accounts.
The role of organized crime groups
Governments, law enforcement, academic researchers, and the cyber-security industry speculate that ‘conventional’ organized crime groups have become increasingly involved in digital crime. The available empirical data suggest that criminals, operating online or not, are more likely to be involved in loosely associated illicit networks rather than formal organizations.76 McGuire’s review found that up to 80% of cybercrime could be the result of some form of organized activity. This does not mean, however, that these groups take the form of traditional, hierarchical organized crime groups or that these groups commit exclusively digital crime. Rather, the study suggests that traditional organized crime groups are extending their activities to the digital world alongside newer, looser types of crime networks. Crime groups show various levels of
72 Z Li, C Jin, F Zhang, & M Yan, ‘Survey and Analysis on Cybercrime from 2007-2010 in Suzhou City’ (2011) 10 Journal of Criminal Science, 120-126. 73 X Zhang, ‘An Empirical Research on Property-Related Crime over the Internet in Guangdong (2007) 4 Journal of Criminal Science, 95-101. 74 See <http://www.cib.gov.tw/news/news01_2.aspx?no=2974>; <http://www.gwytb.gov.cn/guide_rules/exe/201210/t20121030_3250408.htm> (translated from Chinese by Chen Da). 75 Xinhua News, 19 October 2012. 76 D Décary-Hétu & B Dupont, ‘The Social Network of Hackers’ (2012), Global Crime, available at SSRN <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2119235 DOI:10.1080/17440572.2012.702523>.
20
organization, depending on whether their activity is purely aimed at online targets, uses online tools to enable crimes in the ‘real’ world, or combine online and offline targets. McGuire’s review estimated that half the cybercrime groups in his sample comprised six or more people, with one-quarter of groups comprising over 10 individuals. One-quarter of cybercrime groups had operated for less than 6 months. However, the size of the group or the duration of their activities did not predict the scale of offending, as small groups could cause significant damage in a short time. Cybercriminals may increasingly operate as loose networks but evidence suggests that groups are still located in close proximity even when their attacks are cross-national. For example, small local networks as well as groups centred on relatives and friends remain significant actors. Cybercrime hot spots with potential links to OCGs are found in countries of the former Soviet Union.77 Hackers from Russia and Ukraine are regarded as skilful innovators. For example, the cybercrime hub in the small town of Rmnicu Vicea in Romania is one of a number of such hubs widely reported in Eastern Europe.78 As discussed above, there is also increasing concern about cybercrime in China.79 The source and extent of malware attacks (whether of domestic or foreign origin) and the scale of malware/botnet activity remain unclear, but a substantial proportion of Chinese computers are compromised and it is likely that local crime groups play a crucial role.80 A recent study of spam and phishing sources found that these were heavily concentrated in a small number of ISPs (20 of 42,201 observed), which the author dubbed ‘Internet bad neighbourhoods’; one in particular, Spectranet (Nigeria), was host to 62% of IP addresses that were spam related. 
Phishing hosts were mostly located in the United States while spam originated from ISPs located in India, Brazil and Vietnam.81 Given the diversity of the types and sources of cybercrime, it is important to avoid stereotypical images of cybercriminals or spreading an alarmist or ‘moral panic’ narrative associated with cybercrime. Popular images include the menacing Russian hacker in pursuit of profit or, more recently, the Chinese ‘hacker patriot’. Such offender images offer a specific type of ‘folk devil’; David Wall regards them as inherently misleading about the assumptions of offender action and sources of cybercrime.82 Despite the media image, offenders come from many nations and motivations are diverse, although financial motives tend to dominate.83 The Butterfly Botnet case study exemplifies both the diversity of national involvement and the use of bespoke toolkit malware; in this case the small group of offenders were Spanish and the alleged creator of the software, Slovenian.
77 N Kshetri, Cybercrime and Cybersecurity in the Global South (Palgrave Macmillan, 2013), chapter 3; see also Microsoft Security Blog <http://blogs.technet.com/b/security/archive/2010/03/25/profile-of-a-global-cybercrime-business-innovative-marketing.aspx>. 78 Y Bhattacharjee, ‘Why Does A Remote Town In Romania Have So Many Cybercriminals?’ (2011) February, 19(2) Wired. 79 China Daily, ‘Internet Policing Hinges on Transnational Cybercrime’, 10 November 2010, <http://www.china.org.cn/business/2010-11/10/content_21310523.htm>; D Pauli, ‘China is the “World’s Biggest Cybercrime Victim”’, 22 March 2012, <http://www.scmagazine.com.au/News/294653china-is-the-worlds-biggest-cybercrime-victim.aspx>. 80 Kshetri, 2013, op. cit.; Chang, 2012, op. cit.; N Kshetri, ‘Cyber-Victimization and Cyber-Security in China’ (2013) Communications of the ACM (forthcoming); R Broadhurst & Y C Chang, ‘Cybercrime in Asia: Trends and Challenges’, in B Hebenton, SY Shou, & J Liu, Asian Handbook of Criminology (Springer, 2013), 49-64. 81 G C Moura, Internet Bad Neighbourhoods (Enschede, The Netherlands: Centre for Telematics and Information Technology, 2013). 82 D S Wall, ‘The Devil Drives a Lada: The Social Construction of Hackers as Cybercriminals’, in C Gregoriou (ed), The Construction of Crime (Palgrave Macmillan, 2012), 4-18.
Mariposa ‘Butterfly’ Botnet 84
The suspected creator of the Butterfly Bot software, known by the alias ‘Iserdo’, was arrested in Slovenia in 2010. The purpose of the malware was to infiltrate vast numbers of computers, which could then be controlled remotely by criminals. These cybercriminals monitored the activities of the infected computers to steal information such as bank account numbers and passwords. The malware could self-propagate to non-infected computers connected to the same network. The Butterfly Bot software was allegedly purchased by Días de Pesadilla (DDP or, in English, Nightmare Day Team), a small cybercrime group based in Spain. Using the software, the group managed to build a botnet of 12 million computers worldwide for the purpose of fraud. This was one of the largest known botnets built for the purpose of fraud.85 It was widely used to steal login credential data from various sites such as banks. The DDP gang leader (a 31-year-old male) and two other principals were arrested by the Spanish National Police in early 2010 and the software creator later that year; but in late 2012, another suspected crime group of 10 persons also using the Butterfly Bot was arrested in Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States. The group was estimated to have made over US$850 million.
Structure of cybercrime groups
McGuire has suggested a typology of digital crime groups, which comprises six types of group structures. He emphasized that ‘these basic organizational patterns often cross-cut in highly fluid and confusing ways’ and the typology represents a ‘best guess’ based on what we currently know about cyber offenders. He notes that it is likely to change as the digital environment evolves.86 McGuire’s typology includes three main group types, each divided into two subgroups depending on the strength of association between members: Type I groups operate essentially online and can be further divided into swarms and hubs. They are mostly ‘virtual’ and trust is assessed via reputation in online illicit activities.
83 The 2012 Verizon Data Breach Investigation Report identified that 75% of 621 confirmed breaches of data were financially motivated, <http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf>. 84 See <http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-creator-operators>; <http://www.fbi.gov/news/pressrel/press-releases/fbi-international-law-enforcement-disrupt-international-organized-cyber-crime-ring-related-to-butterfly-botnet/>; see also <http://en.wikipedia.org/wiki/Mariposa_botnet>. 85 S P Correll, ‘Inside Mariposa: The Largest Botnet Takedown in History’ (2010) May ISSA Journal, 47-48, <http://www.bluetoad.com/publication/?i=37466&p=47>. 86 McGuire, 2012, op. cit., 58.
o Swarms share many of the features of networks and are described as ‘disorganized organizations [with] common purpose without leadership’. Typically swarms have minimal chains of command and may operate in viral forms in ways reminiscent of earlier ‘hacktivist’ groups. Swarms seem to be most active in ideologically driven online activities such as hate crimes and political resistance. The group Anonymous illustrates a typical swarm-type group (see the case study on AT&T above).
o Hubs, like swarms, are essentially active online but are more organized, with a clear command structure. They involve a focal point (hub) of core criminals around which peripheral associates gather. Their online activities are diverse, including piracy, phishing attacks, botnets and online sexual offending. The distribution of scareware often involves hub-like groups (see the case study box on scareware by the IMU criminal enterprise and also HUN 1).
HUN 1 Copyright Piracy
In this case the two principal organizers of a group of about 30 people based in Hungary supplied legal computer server and hosting services for several private individuals and business associations. Through this licit activity they concealed hundreds of ‘smswarez’ (the illegal trade in content protected by copyright in return for payment by SMS), ‘smswebs’ (webpages where copyright-protected content can be downloaded in return for payment by SMS) and ‘torrents’ (a system that allows an Internet user to download the desired file or parts of files not from a central server, but from unknown users who already have it). The advantage of the torrent system is that if a file becomes very popular, more and more people download it and its distribution becomes even more widespread. In HUN 1, the organizers used spam to advertise these illicit services, which ultimately led to the seizure of 48 illegal servers with a capacity of 200-250 terabytes. After this group was arrested, the Internet data turnover in Hungary was reduced by about 10 per cent.87
Type II groups combine online and offline offending and are described as ‘hybrids’, which in turn are said to be ‘clustered’ or ‘extended’.
o In a clustered hybrid, offending is articulated around a small group of individuals and focused around specific activities or methods. They are somewhat similar in structure to hubs but move seamlessly between online and offline offending. A typical group will skim credit cards then use the data for online purchases or on-sell the data through carding networks.88
o Groups of the extended hybrid form operate in similar ways to the clustered hybrids but are a lot less centralized. They typically include many associates and subgroups and carry out a variety of criminal activities, but still retain a level of coordination sufficient to ensure the success of their operations. (As group structure is often not known, it is difficult to pinpoint a case study, but see the RUS 13 case.)
87 An abridged version of cases reported in UNODC 2012, op. cit., 112. 88 See McGuire, 2012, op. cit., 50, and other papers on carding groups/forums: e.g. M R Soudijn & B C Zegers, ‘Cybercrime and virtual offender convergence settings’ (2012) 15 Trends in Organised Crime, 111-129.
RUS 13 Extortion
This case involved the extortion of British bookmakers. Officials from the United Kingdom National Hi-Tech Crime Unit (now part of the Serious Organised Crime Agency [SOCA]) and the US Secret Service were involved in the investigation. The criminal group used a network of computers (botnet) from which they launched distributed denial-of-service (DDoS) attacks. The roles assigned to the members of the criminal organization all required specialized knowledge and special programming skills. In order to conceal their activities, they used anonymous proxy servers, virtual private network (VPN) services and anonymous mail servers. The extorted funds were sent via existing international payment networks to residents in Latvia, who then transferred the funds to the Russian Federation. The bookmaking companies depended entirely on continuous access to the Internet, because the bets were placed exclusively online, and hence they were vulnerable. In one instance, a DDoS attack flooded the targeted company’s server with approximately 425 unique IP addresses establishing over 600,000 simultaneous connections with the company’s web server, sending requests for information at over 70 MB per second (the web server would normally receive requests at 2 MB per second). This attack cut off the company’s website from the Internet, and the criminals demanded and obtained US$40,000, threatening that if their demands were not met, they would continue the attack until the company was ruined.89
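The traffic figures in the RUS 13 account (hundreds of distinct sources, hundreds of thousands of connections, roughly 70 MB per second against a normal 2 MB per second) are exactly the kind of baseline a network-side detector compares against. The following is an added example written for this page, not code from the paper or from the investigation it describes: it rolls connection records up per second and raises an alert only when the request volume exceeds a multiple of the normal rate and is spread over many addresses. The record format, the threshold values (10x baseline, at least 100 distinct sources) and the sample traffic are all assumptions constructed here; only the 2 MB/s baseline and the rough shape of the attack come from the case study.

```python
"""Added example: baseline-based detection of a distributed request flood.

Illustrative code written for this page, not from the paper or from any
investigation it cites. The sample records are CONSTRUCTED; the only figures
taken from the RUS 13 account are the 2 MB/s normal request rate and the order
of magnitude of the attack (hundreds of sources, ~70 MB/s).
A record is (second, source_ip, request_bytes) for one accepted connection.
"""
from collections import defaultdict
from dataclasses import dataclass

BASELINE_BYTES_PER_SEC = 2 * 1024 * 1024   # normal request rate from the case study
RATE_FACTOR = 10                            # assumption: alert above 10x baseline
MIN_UNIQUE_SOURCES = 100                    # assumption: a flood must be distributed


@dataclass(frozen=True)
class Alert:
    second: int
    bytes_per_sec: int
    connections: int
    unique_sources: int


def aggregate_per_second(records):
    """Roll connection records up into per-second totals."""
    agg = defaultdict(lambda: {"bytes": 0, "conns": 0, "sources": set()})
    for second, src, nbytes in records:
        bucket = agg[second]
        bucket["bytes"] += nbytes
        bucket["conns"] += 1
        bucket["sources"].add(src)
    return agg


def detect_flood(records, baseline=BASELINE_BYTES_PER_SEC,
                 factor=RATE_FACTOR, min_sources=MIN_UNIQUE_SOURCES):
    """Return one Alert per second whose request volume exceeds factor x baseline
    AND is spread over at least min_sources addresses. The second condition keeps
    a single heavy but legitimate client from being reported as a DDoS."""
    alerts = []
    for second, b in sorted(aggregate_per_second(records).items()):
        if b["bytes"] > factor * baseline and len(b["sources"]) >= min_sources:
            alerts.append(Alert(second, b["bytes"], b["conns"], len(b["sources"])))
    return alerts


def constructed_records():
    """CONSTRUCTED sample: three seconds of normal load, then two seconds of
    flood from 425 sources (TEST-NET addresses, not real hosts)."""
    records = []
    normal_clients = [f"198.51.100.{i}" for i in range(1, 41)]      # 40 clients
    for second in range(0, 3):
        for client in normal_clients:
            records.append((second, client, 50 * 1024))            # ~2 MB/s in total
    flood_sources = ([f"203.0.113.{i}" for i in range(1, 255)] +
                     [f"192.0.2.{i}" for i in range(1, 172)])       # 254 + 171 = 425
    for second in range(3, 5):
        for src in flood_sources:
            for _ in range(40):                                     # 17,000 connections/s
                records.append((second, src, 4320))                 # ~70 MB/s in total
    return records


if __name__ == "__main__":
    for alert in detect_flood(constructed_records()):
        print(alert)
```

Run stand-alone, the block reports alerts for seconds 3 and 4 only; the three normal seconds stay below the threshold, and a single client sending a large volume on its own is deliberately not reported, because that case calls for rate limiting rather than a DDoS response.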
Type III groups operate mainly offline but use online technology to facilitate their offline activities. McGuire argues that this type of group needs to be considered because they are increasingly contributing to digital crime. Like the previous group-types, Type III groups can be subdivided into ‘hierarchies’ and ‘aggregates’, according to their degree of cohesion and organization.
o Hierarchies are best described as traditional criminal groups (e.g. crime families), which export some of their activities online. For example, the traditional interest of mafia groups in prostitution now extends to pornography websites; other examples include online gambling (see case study), extortion, and blackmail through threats of shutting down systems or accessing private records via malware attacks or hacking (see Ransomware and IMU case studies).
o Aggregate groups are loosely organized, temporary, and often without clear purpose. They make use of digital technologies in an ad hoc manner, which nevertheless can cause harm. Examples include the use of BlackBerry or mobile phones to coordinate gang activity or public disorder, as was seen during the 2011 UK riots and the Sydney riots in September 2012.90
89 Abridged from an account in UNODC 2012, Digest of Organized Crime Cases (English): A Compilation of Cases with Commentaries and Lessons Learned (United Nations, 2012), 110-113. 90 <http://www.smh.com.au/nsw/police-investigate-rioters-text-messages-20120916-260mk.html>.
‘Ransomware’ locks computers and demands payment
In May 2012, the Internet Crime Complaint Center (IC3) issued a warning about the Reveton virus, which had become widespread in the US and internationally. The Reveton virus is described as ‘drive-by’ malware because it installs itself when a victim simply clicks on a compromised website. Once installed, the malware immediately locks the infected computer and displays a message stating, ‘a violation of federal law (e.g. relating to some illegal online activity) has been identified by the FBI’. The user is then required to pay a fine online. Removing the virus is complex. The IC3 has received many complaints, but many people have also paid the so-called fine.91
McGuire, as noted above, estimated that about 80% of cybercrime was likely the result of some form of organized activity, a proportion that appears to have increased over time. However, there is limited corroborative evidence available to validly estimate the proportion (prevalence) and frequency of OCGs relative to other actors, including States or quasi-state actors. While a number of typologies focus on the specific activities of crime groups,92 McGuire’s typology is both simple and clear, even if notions of association and centrality of actors are imprecise. The motivation of the offenders or group may not be an essential element of the structure of a crime group, so broadening the range of organizational types regardless of whether money, ideology or other reasons are in play can be more helpful than motivation-based typologies, where complex actions are often not readily reduced to core motivations. The typology suggested by McGuire could also be a basis for further refinement along the dimensions of function (i.e. the type of criminal activity or enterprise, duration/monopolization and role in protection). The HUN 1 and Innovative Marketing Ukraine (IMU) cases are examples of enterprise forms of crime that help illustrate the range of criminal organization and the kinds of deceptions that have proven effective to the present. IMU operated openly in Kiev as a company specializing in online marketing and was a large-scale operation with a substantial transnational dimension that offered a ‘franchise-like’ operation. IMU used scareware to persuade victims to provide credit card information to pay US$50-80 for the fake AV software. IMU’s WinAntivirus mimicked the appearance of Microsoft security software. IMU’s fake advertisements, when ‘clicked’, triggered bogus AV scans showing that the victim’s computer was virus-infected. It then directed users to purchase IMU’s fake AV software.
LinkedIn records showed some former IMU employees were now working at leading banks, consulting companies and other Kiev-based antivirus companies, which may have assisted in extending IMU’s operations.
91 <http://www.fbi.gov/news/stories/2012/august/new-internet-scam/new-internet-scam>. 92 S W Brenner, ‘Organized Cybercrime? How Cyberspace may Affect the Structure of Criminal Relationships’ (2002) 4(1) North Carolina Journal of Law & Technology, 1-50; P Grabosky, ‘The Internet, Technology and Organized Crime’ (2007) 2 Asian Journal of Criminology, 145-162; Broadhurst & Choo 2011, op. cit.
Innovative Marketing Ukraine (IMU) 93
The ‘grey’ enterprise IMU was an early promoter of ‘scareware’ or fake anti-virus (AV) programs and used affiliates (independent ‘hackers’) and legitimate businesses such as banks and credit card processors to expand the business. IMU was founded in 2002 by three men, including Canadian Marc D’Souza. IMU originally operated to sell pirated music, grey A/V software, pornography and Viagra. It then developed an adware malware program that became its main business. IMU was an illicit business that operated openly in Kiev as a company specializing in online marketing. IMU employed around 600 people in Kiev and in India, Poland, Canada, the U.S., and Argentina. The staff worked in a range of roles, from receptionists and finance to webmasters and engineers. Many of IMU’s staff had LinkedIn profiles, and one analysis found that a large proportion had worked for at least a year for the company and comprised young college students.94 A former IMU employee explained: ‘When you are just 20, you don't think a lot about ethics. I had a good salary and I know that most employees also had pretty good salaries’. IMU also invested in call centre facilities in the Ukraine, India and the U.S., taking around 2 million calls in 2008 alone. When people called to complain, the call centre helped them through the steps needed to ‘install’ and rectify the non-existent problem. Many victims were apparently satisfied with the outcome and were unaware of the scam. IMU also paid affiliates 10 cents for each compromised computer and generated average returns in the range of US$2-5 through software sales and product promotion. A recruiting site, earning4u.com, paid up to US$180 for every 1,000 computers infected via non-spam means, and IMU rewarded the top sales performers.
In one such reward event for scareware installers, a briefcase full of Euros was awarded to the best seller.95 At least four principals (British and US nationals) were engaged in the business as managers/proprietors, and they were charged in 2010 in a joint U.S. Federal Trade Commission and FBI investigation.
Detection and Identification of Offenders
Individuals and groups are continually finding new ways to commit crimes on the Internet. Some crimes take place exclusively on the Internet while others facilitate traditional forms of crime. The anonymity of the Internet, one of its essential characteristics, presents a challenge to identifying individuals and groups that use the Internet for dishonest and criminal purposes.
93 Kshetri 2013, op. cit., chapter 3; see also Microsoft Security Blog <http://blogs.technet.com/b/security/archive/2010/03/25/profile-of-a-global-cybercrime-business-innovative-marketing.aspx>. 94 F Paget, ‘McAfee Helps FTC, FBI in Case Against ‘Scareware’ Outfit’ (June 2010), <http://blogs.mcafee.com/mcafee-labs/mcafee-helps-ftc-fbi-in-case-against-scareware-outfit>. 95 IMU received approximately 4.5 million orders in the first 11 months of 2008, valued at up to US$180 million; see J Finkle, Reuters, 24 March 2010, <http://www.reuters.com/article/2010/03/24/us-technology-scareware-idUSTRE62N29T20100324>.
Online gambling by a mafia family
In 2008, 26 individuals – including reputed members of the New York Gambino organized crime family – were charged with operating an illegal gambling enterprise, which included four gambling websites in Costa Rica. New York District Attorney Brown stated ‘...law enforcement crackdowns over the years on traditional mob-run wire rooms have led to an increased use by illegal gambling rings of offshore gambling websites where action is available around the clock’. As gambling is illegal in the United States, the websites took advantage of gambling’s legality in other jurisdictions. Bets were placed in New York but processed offshore, and the data transmitted through a series of servers so as to evade detection by law enforcement.96
Cybercriminals have been able to evade authorities because of obfuscation techniques that help avoid the tracing of their criminal activity. A range of computer-based methods can be used to commit a crime. These include using network services that encourage illicit activity, computer and software infrastructure such as botnets and P2P networks, and the use of encryption. Some technologies designed for legitimate functions can also have criminogenic features that can be employed by criminals.97 These technologies make it difficult for authorities to track and trace criminals on the Internet. There are other non-technical factors that can hinder the detection and subsequent identification and prosecution of cyber offenders. These include the lack of cooperation between states, limited policing capacity on the Internet, delays in acquiring mutual legal assistance even among cooperating states, and the absence of a cohesive legal framework to address cybercrime across jurisdictions. While there are general investigative approaches to address cybercrime (e.g. covert and undercover operations) the most promising approach, given the frequent cross-national form of the crime, has been the emergence of cross-national taskforces that engage in both undercover and ‘sting’ operations. Operation Rescue in 2007 was an example of such cooperation between the UK Child Exploitation and Online Protection Centre and the Australian police.98 There are also instances of informal partnerships between the public and private sector forming to help with investigations. 
One such example is the Mariposa Working Group (MWG), an informal collaboration between academia, the private sector, and law enforcement that was specifically created to assist in the Mariposa botnet case in 2009 (see case study on Butterfly bot).99 An example of a more structured form of cross-border co-operation is the Virtual Global Taskforce, which, as noted above, operates to counter the advantages of CEM dissemination offered by the borderless nature of cyberspace. A key solution to the global reach of cybercrime is to improve the cooperation among law enforcement agencies across all jurisdictions – especially those at risk of offering a haven for cybercriminals and ‘bullet proof’ ISPs, and those states that lack the resources and knowledge to recognize that a crime has taken place and to be able to respond effectively.
96 Queens County District Attorney (QDA), ‘Twenty-six Charged in $10 Million Dollar Gambino Organized Crime Family Gambling, Loan Sharking and Prostitution Operation’ (2008) Media Release #27-2008, <http://www.queensda.org>. 97 A Maurushat, ‘Australia’s Accession to the Cybercrime Convention: Is the Convention Still Relevant in Combating Cybercrime in the Era of Botnets and Obfuscation Crime Tools?’ (2010) 33(2) University of New South Wales Law Journal, 431-473; R V Clarke & G R Newman, ‘Modifying Criminogenic Products: What Role for Government?’ (2005) 18 Crime Prevention Studies, 7. 98 D Casciani, ‘World’s largest paedophile ring uncovered’, BBC News, 16 March 2011, <http://www.bbc.co.uk/news/uk-12762333>. 99 <http://pandalabs.pandasecurity.com/mariposa-botnet/>.
A number of successful operations to identify and capture cybercriminals have occurred through undercover sting operations on online forums (Operation Card Shop/Carder Profit – see box). These investigations entailed setting up an online forum. Through disguising their identity, investigators were able to gain trust among criminals such as in cases related to online child exploitation (e.g. Operation Orion100). Traditional ‘undercover’ operations include methods such as covert infiltration, disguised identity, and fake transactions that help to gain the trust of participants in an illicit network. They also include the creation of a specific site, in the form of a ‘sting’ operation to lure and capture those committing a crime on the Internet. As in other crime, police also respond to cases reported by victims, potential victims, or informants who provide valuable intelligence about these activities.
Carder Profit
In June 2010, the FBI established an undercover carding forum called Carder Profit (the ‘UC Site’) to collect intelligence. This was a traditional carding forum similar to DarkMarket, an illegal online forum taken down in 2008 by the FBI and its international partners, but different in that the police actually set up and controlled the forum. Users discussed various topics related to carding and communicated offers to buy, sell, and exchange goods and services related to carding. The UC Site was configured to allow the FBI to monitor and record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The UC Site also allowed the FBI to record the Internet protocol (IP) addresses of users after they logged on. In May 2012, police and law enforcement officials arrested 24 people (now 27) in 13 countries (including the US, UK, Bosnia, Bulgaria, Norway and Germany).101
Cybercrime investigations are generally initiated because of a complaint reported by a member of the public, or arising from intelligence-related activities such as undercover operations and the use of honeypots.102 However, identification involves making a request to access data logs from Internet Service Providers (ISPs), as well as telecommunication providers, in order to begin to trace the probable source of a cybercrime. The source IP address, the unique identification number of a device connected to the Internet, can be used to establish the origin of the criminal activity and may help in finding the offender. As mentioned previously, obfuscation techniques used by criminals can make this difficult and in many cases impossible. Other conceptual models place data at the centre of any cybercrime investigation. In Hinton’s schema the logic of the attack is based on the data objectives (identities, passwords and so on), the exploitation tactics and subsequent attack methods, and finally the technical implementation of an attack. His model also considers the primary compounding factors: the purpose of the criminal activities, the difficulties of a globalized environment, and digital evasion and concealment by the cybercriminal.103 Apart from diverse methods of deception (aka ‘social engineering’) that do not rely on hacking, cybercriminals take advantage of flaws in technology that interfaces with the Internet, which can include computers, programs, and networks. Much of this widespread activity occurs through the use of a single compromised computer or, more commonly, a group of compromised computers (a botnet), which are used as proxies for criminal activity. These compromised computers act as a buffer, making it difficult to trace criminals. Much of the activity that takes place can only be traced back to these computers rather than to the offenders. A variety of techniques that recognize computer-based traffic and data involved in criminal activity are available to assist traditional investigation. These methods, widely used in the computer security field, primarily assist in understanding traffic data and other data on the Internet generated by criminals. These techniques rarely identify individuals and, at best, are able to identify the origin of the activity and the geographical vicinity of the compromised computer.
100 <http://www.ice.gov/news/releases/1206/120608washingtondc.htm>. 101 <http://www.fbi.gov/newyork/press-releases/2012/manhattan-u.s.-attorney-and-fbi-assistant-director-in-charge-announce-24-arrests-in-eight-countries-as-part-of-international-cyber-crime-takedown> (2012). An earlier example was Operation Firewall (2004), which arrested an OCG that operated a credit card fraud and a counterfeit document service. The offenders were located in the United Kingdom, Poland, Canada, Sweden, Bulgaria, the Netherlands, Belarus, Ukraine, and the United States. 102 J Jang, 2008, Best Practices in Cybercrime Investigation in the Republic of Korea, <http://www.unafei.or.jp/english/pages/RMS/No79.htm>.
The majority of malicious Internet activity is now thought to result from automated forms of cybercrime.104 As a result, efforts to detect and locate criminals may be futile in many cases.
Technology-assisted investigation
There are also many technology-based methods and tools that assist in identifying malicious code and criminal activity in cyberspace. Techniques or methods of investigation can be classified as active or passive, depending on whether the object of the investigation is still in active operation, or whether it has been seized and the data are ‘frozen’. Active investigations are initiated by law enforcement and can be obtrusive. They include covert operations on discussion forums and chat rooms or the use of honeypots.105 The passive approach, on the other hand, is reactive and the investigation occurs after a crime has taken place. It is commonly referred to as ‘computer forensics’. Technology-assisted cybercrime investigations can include the retrospective analysis of malicious software, network traffic, or any type of data. Table 2 summarizes two general technology-centric strategies to identify activity generated by compromised computers.
103 P Hinton, ‘Data Attack of the Cybercriminal: Investigating the Digital Currency of Cybercrime’ (2012) 28 Computer Law and Security Review, 201-207. 104 D S Wall, Cybercrime: The Transformation of Crime in the Information Age (Polity, 2007), vol 4. 105 For an example of honeypot, refer to the Carder Profit example, where the FBI created a ‘carding forum’ to lure criminals for the purpose of entrapment.
Table 2. General strategies to detect compromised computer activity

Type of detection strategy: Host-based
Examples of approach (a): Antivirus detection, rootkit detection, modification of critical Windows files, random popups of adware, slowness of machine, suspect DNS server

Type of detection strategy: Network-based
Examples of approach (a): Identifying IRC traffic on ports, using botnet command and control blacklists, unexplained behaviour of networked computers, use of a honeypot to detect malware, unusual traffic on the network and important ports

Source (a): <http://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection>.

It is apparent that law enforcement agencies in many jurisdictions have limited capacities to respond to cybercrime and are hindered by a lack of technical expertise and policing capacity on the Internet. Because of their expertise, the information security and information technology industry has played a quasi-policing role by defending and protecting information for both public and private sectors. For example, Microsoft runs its own Digital Crimes Unit, which includes investigators, technical analysts, lawyers, and other specialists who work on making the Internet more secure through strong enforcement, global partnerships, as well as policy and technology solutions (see case study on Operation b71). Governmental agencies also fulfil that function, in particular when it involves the mitigation of malicious Internet activity (e.g. national Computer Emergency Response Teams, CERTs). Monitoring of potentially malicious activities by non-governmental non-profit organizations (such as Shadowserver) is another resource to identify criminal activity.106 Analysis by independent security professionals can assist in investigation efforts by uncovering intended targets and methods used by criminals (for example, abuse.ch). Research-focused organizations dedicated to examining cyber-attacks, such as the Honeypot Project,107 contribute to the fight against malware and hacking. Ultimately, cooperation between these groups is essential for cybercrime investigations to be successful. The Koobface case provides an example of the combination of technical and conventional investigative techniques in the successful identification of cybercrime suspects. In this case, the analysis of the relevant network data and the investigation were undertaken by Sophos, a private computer security company, and police were not involved, although the Russian police were notified.
Information security-based techniques are often leveraged to identify activity generated by compromised computers, with host-based detection strategies focusing on monitoring the internal system of a computer, and network-based strategies centring on determining unauthorized access to a computer by analysing network and Internet traffic. These strategies entail the use of a range of software tools, third-party resources, and analytical techniques, illustrated in Table 3.
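The two families of strategy in Table 2 are easier to reason about when run against concrete data. The block below is an added example written for this page, not code from the paper, from Shadowserver or from any tool the paper cites. On the network side it applies three of the Table 2 indicators to a handful of flow records: destinations on a command-and-control blacklist, traffic to the classic IRC ports, and several internal hosts all talking to one unexplained external peer. On the host side it checks critical files against a hash baseline and compares the resolvers in use with an approved list. The flow record format ('src,dst,dport,bytes'), the blacklist entries, the fan-in threshold, the file paths and the approved-resolver policy are all assumptions constructed here, using TEST-NET addresses rather than real hosts.

```python
"""Added example: Table 2 host-based and network-based strategies on constructed data.

Illustrative code written for this page; not from the paper or any tool it cites.
Assumptions not in the paper: flow records are 'src,dst,dport,bytes' lines, the
C2 blacklist is a constructed set of TEST-NET addresses, the baseline manifest
maps path -> SHA-256, and the approved-resolver list is a constructed policy.
"""
import hashlib
from collections import defaultdict

# ---- network-based strategies (Table 2) -----------------------------------
C2_BLACKLIST = {"203.0.113.7", "198.51.100.200"}   # constructed placeholder entries
IRC_PORTS = {6667, 6697}                            # classic IRC command-and-control
FANIN_THRESHOLD = 3     # assumption: >=3 internal hosts to one external peer is suspect


def parse_flows(text):
    """Parse 'src,dst,dport,bytes' lines into tuples; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = (f.strip() for f in line.split(","))
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def network_indicators(flows, blacklist=C2_BLACKLIST, fanin=FANIN_THRESHOLD):
    """Return sorted (internal_host, reason) findings for three Table 2 indicators:
    blacklist hits, IRC-port traffic, and an unexplained peer shared by many hosts."""
    findings = set()
    peers = defaultdict(set)                 # external dst -> internal hosts using it
    for src, dst, dport, _ in flows:
        if dst in blacklist:
            findings.add((src, f"contacted blacklisted C2 {dst}"))
        if dport in IRC_PORTS:
            findings.add((src, f"IRC traffic to {dst}:{dport}"))
        peers[dst].add(src)
    for dst, srcs in peers.items():
        if dst not in blacklist and len(srcs) >= fanin:
            for src in srcs:
                findings.add((src, f"one of {len(srcs)} hosts talking to {dst}"))
    return sorted(findings)


# ---- host-based strategies (Table 2) --------------------------------------
def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def integrity_violations(baseline, current):
    """baseline: {path: sha256 hex}; current: {path: file bytes}.
    Reports critical files whose hash changed or which are missing."""
    problems = []
    for path, expected in baseline.items():
        if path not in current:
            problems.append((path, "missing"))
        elif sha256_hex(current[path]) != expected:
            problems.append((path, "modified"))
    return sorted(problems)


def suspect_resolvers(configured, approved):
    """DNS servers in use that are not on the approved list ('suspect DNS server')."""
    return sorted(set(configured) - set(approved))


# ---- constructed sample data (not real telemetry) -------------------------
SAMPLE_FLOWS = """
# src,dst,dport,bytes  (constructed; TEST-NET addresses)
10.0.0.5,203.0.113.7,443,1200
10.0.0.6,198.51.100.10,6667,300
10.0.0.7,192.0.2.50,8080,500
10.0.0.8,192.0.2.50,8080,510
10.0.0.9,192.0.2.50,8080,490
10.0.0.10,198.51.100.80,443,9000
"""
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
PLACEHOLDER_DLL = r"C:\Windows\System32\example.dll"     # hypothetical path for the demo
CLEAN_HOSTS = b"127.0.0.1 localhost\r\n"
BASELINE = {HOSTS_PATH: sha256_hex(CLEAN_HOSTS), PLACEHOLDER_DLL: sha256_hex(b"placeholder")}
CURRENT = {HOSTS_PATH: CLEAN_HOSTS + b"127.0.0.1 update.example-av.invalid\r\n"}  # constructed edit

if __name__ == "__main__":
    for finding in network_indicators(parse_flows(SAMPLE_FLOWS)):
        print("NET ", finding)
    for problem in integrity_violations(BASELINE, CURRENT):
        print("HOST", problem)
    print("DNS ", suspect_resolvers(["10.0.0.2", "203.0.113.53"], ["10.0.0.2"]))
```

Note that the fan-in rule deliberately skips destinations already on the blacklist (they are reported once, by the stronger indicator) and that the host at 10.0.0.10, which talks to a single unlisted peer on 443, produces no finding: the Table 2 indicators flag activity for an analyst to explain, not proof of compromise.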
106 European Network and Information Security Agency (ENISA), 2011, Proactive Detection of Security Incidents, <http://www.enisa.europa.eu/activities/cert/support/proactive-detection>. 107 <https://www.projecthoneypot.org/>.
Koobface
Koobface is a worm-based malware that targets Web 2.0 social networks such as Facebook (the name of the malware is an anagram of Facebook). Koobface spread by sending messages to ‘friends’ of an infected Facebook account user. The message directed the recipient to a fake website where they were prompted to download what was presented as an update to Adobe Flash Player. Once the fake program was installed, Koobface controlled the computer’s search engine use and directed it to illicit websites affiliated in offering various scams such as false investments, fake AV programs, fake dating sites, etc. The Koobface botnet made money through pay-per-install and pay-per-click fees from these other websites.108 Sophos identified five potential members of the Koobface gang, also referred to as ‘Ali Baba & 4’, who operated from Russian and Czech locations. One member was older than the others and possibly the leader, but the structure of the group was not fully understood. Members of the group had previously worked in online pornography and spyware, and had also attempted to conduct a legitimate mobile software and services business, MobSoft Ltd.109 The Koobface crime group was able to continuously upgrade and adapt the botnet, which included an effective Traffic Direction System that managed the activity on affiliate sites and boosted the Internet traffic to the botnet (e.g. targeting showbiz fans, online daters, casual porn surfers, and car enthusiasts). The overall structure of the botnet was resilient in surviving takedown attempts and countermeasures by targets such as Facebook, Google, and other social networks. Data found in the botnet’s command-and-control system suggested the group had earned around $2 million a year. They apparently could have made more money through identity fraud, but a 2009 Christmas e-card to security researchers, left inside victim computers, stated that Koobface would never steal credit card or banking information.
It called viruses ‘something awful’ and never deployed automatic malicious programs, but allowed its victims to make ‘several unwise clicks’. In other words they argued that it was victims themselves who downloaded the virus through careless use of the Internet.
It is worth noting that the question of public disclosure of a suspect’s identity prior to police action, or in lieu of police or judicial action, is inherently problematic. In the case of likely immunity from prosecution in the offender’s jurisdiction, a ‘naming and shaming’ approach may be justified. This occurred in the Koobface case, when Facebook revealed the names of those suspected. However, it comes at the cost of alerting suspects to what may be known about their activities. The identification of the Koobface crime group suspects has not prevented Koobface ‘tools’ from continuing to operate and evolve, nor is it known whether the five suspects, or some of them, continue to be involved or whether they have sold out or moved on. Often, cybercrime activities may be discovered through their consequences but no suspects are identified. In such recent cases, Microsoft has pioneered an innovative response using civil law action.
108 J Baltazar, J Costoya, & R Flores, The Real Face of Koobface: the Largest Web 2.0 Botnet Explained and Show me the Money: The Monetization of Koobface (Trend Micro, 2009), <http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_KOOBFACE_jul2009.pdf>.
109 J Drömer & D Kollberg, The Koobface Malware Gang Exposed (Sophos, 2012), <http://nakedsecurity.sophos.com/koobface/>; R Richmond, ‘Web Gang Operating in the Open’, New York Times (16 January 2012), <http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=all&_r=0>; N Villeneuve, Koobface: Inside a Crimeware Network (2010), <http://www.infowar-monitor.net/reports/iwm-koobface.pdf>.
Table 3. Three approaches used to detect compromised computer activity
Type of approach (a) | Examples
Tools | Snort (intrusion prevention system), IDA Pro (reverse engineering), Dionaea (honeypots), VMware (researching infections), Wireshark (packet analysis)
Resources | ZeuS Tracker (identifies servers linked to botnet activity), malwaredomainlist.com (blacklist of malicious websites), Spamhaus (unsolicited emails)
Techniques | Sinkholing, DNS monitoring, sandboxing, attribution algorithms, data mining, network packet analysis, signature-based detection
Note (a): These approaches are not mutually exclusive. The table includes only a few examples for illustrative purposes; the list is not exhaustive.
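As an added example, not code from the paper, the following Python script implements the ‘DNS monitoring’ technique from Table 3 for the specific failure the DNSChanger case in the Appendix describes: a victim’s resolver settings rewritten so that look-ups go to rogue servers, or an approved resolver returning the wrong answer. The resolver addresses, canary domain and answers are constructed placeholders, not indicators from the paper.

```python
"""Resolver-tampering check (added example; not the paper's code).

Two inputs a defender controls are checked for each endpoint:
  1. the nameserver list the endpoint reports (resolv.conf-style text), and
  2. the answer each of those resolvers gave for a 'canary' name whose
     correct address is known in advance.
A resolver outside the approved set, or a wrong canary answer, is flagged.
All addresses and names below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed allow-list: the only resolvers endpoints in this network may use.
APPROVED_RESOLVERS = {
    ipaddress.ip_network("10.0.0.53/32"),
    ipaddress.ip_network("10.0.1.53/32"),
}

# Constructed canary: a name the defender owns, with its known-good answer.
CANARY_NAME = "canary.example.net"
CANARY_EXPECTED = ipaddress.ip_address("192.0.2.10")

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


@dataclass
class Finding:
    host: str
    rogue_resolvers: list = field(default_factory=list)  # not in the allow-list
    bad_answers: dict = field(default_factory=dict)      # resolver -> wrong answer

    @property
    def suspicious(self) -> bool:
        return bool(self.rogue_resolvers or self.bad_answers)


def parse_resolvers(resolv_conf: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text, skipping junk."""
    found = []
    for line in resolv_conf.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            found.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed entry: nothing we can check
    return found


def is_approved(addr) -> bool:
    return any(addr in net for net in APPROVED_RESOLVERS)


def check_host(host: str, resolv_conf: str, canary_answers: dict) -> Finding:
    """canary_answers maps resolver address (str) -> address it returned for CANARY_NAME."""
    finding = Finding(host=host)
    for resolver in parse_resolvers(resolv_conf):
        key = str(resolver)
        if not is_approved(resolver):
            finding.rogue_resolvers.append(key)
        answer = canary_answers.get(key)
        if answer is not None and ipaddress.ip_address(answer) != CANARY_EXPECTED:
            finding.bad_answers[key] = answer
    return finding


# Constructed samples: one clean host, one whose settings were rewritten.
CLEAN_CONF = "search corp.example\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n"
TAMPERED_CONF = "search corp.example\nnameserver 203.0.113.7\nnameserver 10.0.0.53\n"
CLEAN_ANSWERS = {"10.0.0.53": "192.0.2.10", "10.0.1.53": "192.0.2.10"}
TAMPERED_ANSWERS = {"203.0.113.7": "198.51.100.99", "10.0.0.53": "192.0.2.10"}

if __name__ == "__main__":
    for name, conf, answers in [("ws-01", CLEAN_CONF, CLEAN_ANSWERS),
                                ("ws-02", TAMPERED_CONF, TAMPERED_ANSWERS)]:
        f = check_host(name, conf, answers)
        print(name, "SUSPICIOUS" if f.suspicious else "ok",
              f.rogue_resolvers, f.bad_answers)
```

In a real deployment the endpoint agent would supply the nameserver list and issue the canary query itself; here both are passed in so the check runs offline.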
Legal interventions
In February 2013, for the 6th time since 2010, Microsoft used a civil legal process to disable botnets controlled by criminals (see the case of Operation b71).110 In these cases, Microsoft relied on the Racketeer Influenced and Corrupt Organizations (RICO) Act to obtain permission from the court to sever the command-and-control structures of the botnet(s). Microsoft is then able to pursue civil cases against anyone associated with the operation of the botnet. The analysis of the cases provides intelligence that is disseminated to ISPs and CERTs and that can be applied to other cases. When appropriate, the collected evidence is referred to law enforcement to initiate criminal prosecutions against the individuals involved (as in the case of the Rustock botnet takedown). In 2011, the FBI used a similar court process to disable the Coreflood botnet.111 Dittrich argued that technological interventions or legal interventions alone are not as successful as those that combine technical methods with civil and/or criminal legal process. Coordinated operations were used in the takedown of several complex botnets (e.g. Coreflood, Rustock) and succeeded on the first try. The advantage of using the legal process is that it allows the removal of all the top-level domains.112 In addition, civil actions are a first step and do not preclude subsequent criminal actions against specific individuals, particularly when evidence for the civil action is collected by experts who are skilled at forensics and at safeguarding digital evidence, as in the case of Microsoft.113
110 J Finkle, ‘Microsoft and Symantec Disrupt Cybercrime Ring’, Reuters (6 February 2013), <http://www.reuters.com/article/2013/02/06/us-cybercrime-raid-idUSBRE91515K20130206>.
111 For this and other examples of takedown, see D Dittrich 2012 ‘So you Want to Take Over a Botnet?’, Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats (USENIX Association), <http://dl.acm.org/citation.cfm?id=2228349>.
112 Dittrich, 2012, op. cit.
Microsoft Operation b71
Botnet operators using the Zeus and SpyEye malware were able to redirect Internet traffic to fake banking websites and obtain victims’ credentials. With this information, they could steal money from victims’ bank accounts. Microsoft estimated that 13 million computers were infected and $100 million had been stolen. On 25 March 2012, Microsoft, through a civil law action, obtained from a federal court an ex parte temporary restraining order that allowed it to take over Internet traffic related to the botnets. The court also ordered US Marshals to assist Microsoft and others to serve search warrants and physically seize computers in two US states. The move, conducted in collaboration with financial services organizations and code-named Operation b71, followed months of investigation. Rather than directly targeting the perpetrators, who had not been specifically identified, the lawsuit focused on the botnets that they controlled. Microsoft had used a similar tactic previously to take down single botnets, but this was the first time multiple botnets were taken down at once. Although not able to name the perpetrators, Microsoft’s complaint provided information such as the nicknames and email addresses of 39 ‘John Doe’ individuals, a list of compromised domain names, and a summary of each individual’s alleged criminal activities.114 The list included the software creators and developers, IT technicians, software users, as well as money mules and their recruiters.
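As an added example, not Microsoft’s or the paper’s code, the Python script below does the step that follows a court-authorised takeover of the kind described for Operation b71 (and listed as ‘sinkholing’ in Table 3): once the seized command-and-control names point at a defender-controlled sinkhole, every infected machine that phones home shows up in the sinkhole log, and the script turns those check-ins into the per-ISP victim lists that are passed to ISPs and CERTs. The seized domain names, client addresses, prefixes and ISP contacts are constructed placeholders.

```python
"""Sinkhole check-in triage (added example; not the paper's or Microsoft's code).

Input: log lines written by a sinkhole that now answers for seized C2 names.
Output: for each network owner, the infected client addresses seen and the
seized names each one contacted, ready for notification.  Queries for names
not covered by the order are noise and must not produce a notification.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the C2 names covered by the (hypothetical) court order.
SEIZED_DOMAINS = {"c2-alpha.invalid", "c2-beta.invalid"}

# Constructed: address blocks and the ISP/CERT responsible for each.
PREFIX_OWNERS = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A (CERT contact: abuse@isp-a.invalid)",
    ipaddress.ip_network("203.0.113.0/24"): "ISP-B (CERT contact: abuse@isp-b.invalid)",
}
UNKNOWN_OWNER = "UNKNOWN (route via national CERT)"

# Assumed log format: ISO timestamp, client IP, queried host name, request path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>[\w.-]+) (?P<path>\S+)$"
)

# Constructed sample log: repeats, an unrelated name, a garbage line, and a
# client from a prefix no ISP in the table owns.
SAMPLE_LOG = """\
2012-03-26T00:00:01Z 198.51.100.17 c2-alpha.invalid /gate.php
2012-03-26T00:00:03Z 198.51.100.17 c2-alpha.invalid /gate.php
2012-03-26T00:00:09Z 203.0.113.5 c2-beta.invalid /cfg.bin
2012-03-26T00:01:12Z 198.51.100.42 c2-beta.invalid /gate.php
2012-03-26T00:02:00Z 192.0.2.8 www.unrelated.invalid /
this line is garbage and must be skipped
2012-03-26T00:03:30Z 203.0.113.5 c2-alpha.invalid /gate.php
2012-03-26T00:04:00Z 192.0.2.44 c2-beta.invalid /gate.php
"""


def parse_line(line):
    """Return (timestamp, client address, host) or None for an unusable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # e.g. 999.1.1.1 matches the regex but is not an address
    return m.group("ts"), ip, m.group("host").lower()


def owner_of(ip):
    for net, owner in PREFIX_OWNERS.items():
        if ip in net:
            return owner
    return UNKNOWN_OWNER


def triage(log_text):
    """Return {owner: {client_ip: sorted list of seized names it contacted}}."""
    per_victim = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, host = rec
        if host not in SEIZED_DOMAINS:
            continue  # not evidence of infection by the seized botnets
        per_victim[ip].add(host)
    report = defaultdict(dict)
    for ip, domains in per_victim.items():
        report[owner_of(ip)][str(ip)] = sorted(domains)
    return {owner: dict(victims) for owner, victims in report.items()}


def victim_count(log_text):
    """Number of distinct infected clients, after de-duplicating repeat check-ins."""
    return sum(len(v) for v in triage(log_text).values())


if __name__ == "__main__":
    for owner, victims in sorted(triage(SAMPLE_LOG).items()):
        print(owner)
        for ip, domains in sorted(victims.items()):
            print("   ", ip, ",".join(domains))
```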
113 D Dittrich, 2012, ‘Thoughts on the Microsoft’s “Operation b71”’, Honeynet Project, <http://www.honeynet.org/node/830>.
114 Microsoft press release, <http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx>. For a summary of the operation and a copy of Microsoft’s complaint to the court see <http://news.cnet.com/8301-30685_3-57404275-264/the-long-arm-of-microsoft-tries-taking-down-zeus-botnets/>.
Summary and Conclusion
It is often stated that the control of cybercrime needs a comprehensive approach. Realising a ‘comprehensive’ approach that merges technical, social, and international means is, however, no easy task. Given that technical measures alone cannot prevent cybercrime, it is important that law enforcement agencies have the capacity to investigate and prosecute cybercriminals effectively. A key solution is the creation of effective partnerships between law enforcement agencies and various stakeholders such as ISPs and software and hardware suppliers. While governments and regional governance mechanisms need to supervise or control the Internet, they must avoid lessening its astonishing efficiency and creativity. Many tools, techniques and processes are available to assist police and network defenders, such as passive monitoring and collaboration with civil society and industry partners. These are reactive measures and, although they can enhance the security of a network, they are also limited. Offenders are also becoming increasingly difficult to identify from the sources of the illegal and malicious activity or methods identified; hence the risks of arrest or intervention are generally so low as to constitute little or no deterrence. Further work is needed on estimating the costs and benefits of different strategies for minimizing cybercrime and on the most effective roles for public police and other interested and capable actors who can partner with police in this challenging task. One of the few systematic studies of the cost of cybercrime recommended less investment in antivirus software and more investment in improved policing of the Internet. Its authors note that, in general, computer security approaches (as currently performed) are ‘extremely inefficient’ at fighting cybercrime, and they suggest investment in more effective policing, arguing: ‘…we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.), and more…on the prosaic business of hunting down cyber-criminals and throwing them in jail’.115 Anderson, the lead author at Cambridge’s Computer Laboratory, noted: ‘A small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software’.116 Given this situation, continued attention is required across several domains as follows:
• The evolution of effective and well-defined laws against cybercrime at the national, regional and international levels, and the means to routinely update them in the light of technological advances.
• The further development of technical measures and of new investigative approaches, especially a greater focus on electronic-evidence forensics and its legal validity.
• The continued improvement of security and risk management in cyberspace (i.e. detection, and the response to cyber-attacks), including accreditation schemes, protocols and standards.
• The establishment of cost-effective partnerships with industry, public police and cyber-communities.
• Adequate support for consumer and industry education about anti-crime measures on the Internet and in the digital economy.
• More effective and rapid international cooperation among law enforcement agencies.

Cybercriminals are capable of undertaking the capture and control of computers and digital devices; however, the advent of malware toolkits such as Zeus and others has lowered the skill levels required. Cybercrime sometimes requires a high degree of organization to implement and may lend itself to small crime groups, loose ad hoc networks or enterprise-style organized crime. In short, the nature of offenders and the kinds of criminal groups that are active most likely reflect patterns in the conventional world. The demographic characteristics of cybercrime offenders reflect the conventional world in that young males are the majority (as in conventional crime), although the age profile is increasingly showing older individuals. While higher education, especially in the relevant computer-related science fields, may be helpful to prospective offenders, many are not graduates. An over-emphasis on particular notorious cybercrime groups and their origins is unproductive and may lead to overlooking other groups (the false negative problem). There is a lack of systematic research about the nature of criminal organizations active in cyberspace. More research is needed about the links between online offenders and offline offending. Despite the urge to generalize, the current state of cybercrime by individuals and by organizations requires a great deal more in the way of basic research. Motives are varied and diverse; they are by no means limited to greed or rebellion. Different organizational forms lend themselves to different offence types, which in turn lend themselves to different strategies for control and interdiction. Such a systematic approach could provide the basis for a new paradigm for the study of cybercrime.
115 R Anderson, C Barton, R Bohme, R Clayton, M van Eeten, M Levi, T Moore, & S Savage, 2012, ‘Measuring the Cost of Cybercrime’, Workshop on the Economics of Information Security (WEIS), 25 June, Berlin, <http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf>.
116 R Anderson, 2012, <http://www.cam.ac.uk/research/news/how-much-does-cybercrime-cost/>.
Appendix: Examples of cybercrimes and offenders
In the first set of cases, individual offenders are the focus of attention. All these offenders were male; four were under 30 when they committed their offences, the other two were in their mid-30s. Only one of these cases had a financial motive, although Pearson, the offender, denied this. Cleary and Auernheimer claimed that the reason for their offending was, at least in part, altruistic. They wanted to demonstrate that, despite claims to the contrary, the data repositories of large corporations and organizations, which kept important confidential information on their clients, were not secure. It is likely that the desire for fame and recognition of their skills also played a part in their actions. Swartz was also motivated by ideology and believed that information should be freely accessible. The two other hackers were pushed by emotional reasons: Chaney by his obsession with the stars, and Yin by his desire for revenge after losing his job. Pearson benefited financially from hacking, but he could potentially have stolen much more. The final case illustrates the potential harm that just one cybercriminal might cause. All faced the risk of long prison sentences.
Ryan Cleary: DDoS on SOCA
Police in the UK arrested 19-year-old Ryan Cleary for allegedly orchestrating a distributed denial-of-service (DDoS) attack against the website of the British Serious Organised Crime Agency (SOCA) in 2011, and the websites of the International Federation of the Phonographic Industry and the British Phonographic Industry the previous year. Cleary allegedly rented and sublet a large botnet to conduct the attack. Cleary was associated with the hacking group LulzSec, although the group itself denied that Cleary was a member, describing him as merely a loose associate. Cleary’s arrest followed his exposure by Anonymous, who published his name, address, and phone number as retaliation against Cleary’s hacking into the group AnonOps’ website and exposing over 600 nicknames and IP addresses. Cleary was reported as stating that AnonOps was ‘publicity hungry’. Cleary has pleaded guilty to most of the charges and will be sentenced in May 2013.117
Andrew Auernheimer: Apple iPad Snoop
In June 2010, 25-year-old Andrew Auernheimer managed to obtain the email addresses of 114,000 iPad users, including celebrities and politicians, by hacking the website of the telecommunications company AT&T. Auernheimer was a member of the group Goatse Security, which specializes in uncovering security flaws. The attack was carried out when Auernheimer and other hackers realized they could trick the AT&T site into offering up the email addresses of iPad users if they sent an HTTP request that included the SIM card serial number for the corresponding device. Simply guessing serial numbers, a task made easy by the fact that they were generated sequentially during manufacturing, yielded a large number of addresses. Auernheimer and Goatse released details about the attacks to Gawker Media. Shortly after, the FBI arrested Auernheimer in connection with the breach. In March 2013, he was sentenced to 3 ½ years in prison for exploiting the AT&T security flaw, but was unrepentant about his actions.118
117 E Chickowski, ‘Notorious Cybercrooks of 2011 and how they Got Caught’, (2011) Dark Reading, <http://www.darkreading.com/security/attacks-breaches/232300124/the-most-notorious-cybercrooks-of-2011-and-how-they-got-caught.html?itc=edit_stub>; see also Olson, 2012, op. cit.
Aaron Swartz: Content Downloader
A programmer and fellow at Harvard University’s Safra Center for Ethics, 24-year-old Aaron Swartz was indicted in 2011 after he downloaded more than 4 million academic articles through the Massachusetts Institute of Technology (MIT) network connection to JSTOR, an online academic repository. Swartz used anonymous log-ins on the network in September 2010 and actively worked to mask his log-ins when MIT and JSTOR tried to stop the massive drain of copyrighted material. After JSTOR shut down access to its database from the entire MIT network, Swartz went on campus, plugged his laptop directly into the information infrastructure of an MIT networking room, and left it hidden as it downloaded more content. However, an IT administrator reported the laptop to the authorities. A hidden webcam was installed and, when Swartz came and picked up his laptop, he was identified and arrested. Swartz did not steal any confidential data and, once the content of the site had been secured, JSTOR did not wish to initiate legal action; however, the Attorney General went ahead and charged Swartz with 13 felony counts.119 Swartz was known as ‘a freedom-of-information activist’ who called for civil disobedience against copyright laws, particularly in relation to the dissemination of publicly funded research. Swartz said he was protesting how JSTOR limited academic research and that he had planned to make the articles he downloaded publicly and freely available. Early in 2013, JSTOR made millions of academic articles available to the public for free. Swartz’s life ended tragically when he committed suicide in early 2013, before his court case was finalised. His family accused the government of having some responsibility for his death because of the overzealous prosecution of what they described as a non-violent, victimless crime.
In March 2013 he was posthumously awarded the James Madison Award by the American Library Association, a prize to acknowledge those who champion public access to information.120
Christopher Chaney: Celebrity Hackerazzi
In what amounted to ‘cyberstalking’, celebrity-obsessed Christopher Chaney, aged 35, used publicly available information from celebrity blog sites to guess the passwords to Google and Yahoo email accounts owned by over 50 stars, including Scarlett Johansson, Mila Kunis, and Christina Aguilera. He successfully managed to hack into the accounts and set up an email-forwarding system to send himself a copy of all emails received by the stars. From November 2010 to October 2011, Chaney had access to emails, photos, and confidential documents. He was responsible for the release of nude photos of Scarlett Johansson that subsequently circulated on the Internet. He was also accused of circulating nude photos of two (non-celebrity) women, but he denied this. FBI investigators did not give details of how they tracked Chaney, who was sentenced to 10 years in jail in December 2012. Chaney apologized for his actions; he said that he empathized with the victims but could not stop what he was doing.121
118 Chickowski, 2011, ibid.; see also <http://en.wikipedia.org/wiki/Goatse_Security>; O Thomas, ‘Infamous iPad Hacker Makes no Apology as he Faces Jailtime’, Business Insider, 18 March 2013, <http://au.businessinsider.com/andrew-weev-auernheimer-att-ipad-hacker-sentencing-2013-3>.
119 Chickowski, 2011, op. cit.; <http://about.jstor.org/news/jstor-statement-misuse-incident-and-criminal-case>.
120 A Cohen, ‘Was Aaron Swartz really “Killed by the Government”’, Time Ideas, 18 January 2013, <http://ideas.time.com/2013/01/18/was-aaron-swartz-really-killed-by-the-government/>; J Bort, ‘The American Library Association Has Given Aaron Swartz Its First Ever Posthumous Award’, Business Insider, 16 March 2013, <http://au.businessinsider.com/aaron-swartz-granted-posthumous-award-2013-3>.
Sam Yin: Gucci Hacker
Fired after being accused of selling stolen Gucci shoes and bags on the Asian grey market, a former Gucci IT employee, Sam Yin, aged 34, managed to hack into the company’s system using a secret account he had created while working there under a bogus employee name. He shut down the whole operation’s computers, cutting off employee access to files and emails for nearly an entire business day. During that day he deleted servers, destroyed storage set-ups and wiped out mailboxes. Gucci estimated the cost of the intrusion at $200,000. Yin was sentenced to a minimum of 2 years and a maximum of 6 years in jail in September 2012.122
Edward Pearson: Identity Theft
Originally from York, Northern England, 23-year-old Edward Pearson stole 8 million identities, 200,000 PayPal account details, and 2,700 bank card numbers between January 2010 and August 2011. Using the malware Zeus and SpyEye, which he rewrote to suit his purposes, he managed to hack not only into the PayPal website but also into the networks of AOL and Nokia, which remained down for two weeks. Pearson was finally caught after his girlfriend tried to use forged credit cards to pay hotel bills. He was described as ‘incredibly talented’ and a clever computer coder, who had been active in cybercrime forums for several years prior to his hacking spree. His lawyer, however, argued that Pearson was not so interested in making money, and that for him hacking was ‘an intellectual challenge’. A prosecutor estimated that, based on the information he had stolen, he could potentially have stolen $13 million; yet, before his arrest, he had only stolen around $3,700, which he had spent on takeaways and mobile phone bills. Pearson was sentenced to 26 months in jail in April 2012.123

The next set of cases involves small groups or networks of offenders and illustrates the diversity of OCGs operating across crime types. LulzSec was a loose network of like-minded hackers responsible for infiltrating the systems of high-profile organizations, supposedly to draw attention to potential security failures. W0nderland was a members-only group that exchanged illicit images of children until it was closed down in 1998. DrinkOrDie was an organization devoted to piracy and the dissemination of pirated content. The four other organizations were motivated by financial profit. Each organization was the target of successful law enforcement action and, as such, they may not be representative of other organisations that managed to avoid prosecution. One common characteristic of these groups was their transnational reach. Each comprised members from different countries and was active across borders. Some members of these groups have been convicted for their cybercrimes, and we cannot avoid wondering at the disparity in sentencing between the members of W0nderland, who besides their cyber activities were also physically abusing children but were sentenced to a maximum of 2 ½ years in jail, and the long prison sentences meted out to some of the hackers, who committed non-violent offences.
121 <http://www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-celebrities-with-computer-intrusion-wiretapping-and-identity-theft>; Chickowski, 2011, op. cit.
122 L Italiano, ‘Ex-Staffer Sentenced to 2-6 Years for Hacking into Gucci’s System’, New York Times, 10 September 2012, <http://www.nypost.com/p/news/local/manhattan/ex_staffer_sentenced_to_years_for_13AyFGWuEyvGrnEaj7ZyiO
123 M Liebowitz, ‘UK Hacker Sentenced for Stealing 8 Million Identities’, NBC News, 4 April 2012, <http://www.nbcnews.com/id/46955000/ns/technology_and_science-security/t/uk-hacker-sentenced-stealing-million-identities>.
LulzSec and Sony Hackers
Cody Kretsinger (nicknamed Recursion) was arrested for allegedly carrying out an attack against Sony Pictures on behalf of LulzSec in September 2011. Kretsinger, aged 25, was arrested when the UK-based proxy service HideMyAss, which disguises the online identity of its customers, provided logs to police, allowing them to match time-stamps with IP addresses and identify Kretsinger.124 In April 2012, Kretsinger pleaded guilty to breaching Sony Pictures Entertainment, conspiracy and attempting to break into computers, and he was later sentenced to one year in jail and 1,000 hours of community service. Kretsinger, with other members of the LulzSec hacking group, obtained confidential information from the computer systems of Sony Pictures by using an SQL injection attack against the website. They disseminated the stolen data on the Internet. The stolen data contained confidential information such as names, addresses, phone numbers, and e-mail addresses for thousands of Sony customers. The hackers did not use the data illegally but wanted to demonstrate that Sony’s website was not secure. Hector Xavier Monsegur, 28, the former alleged leader of LulzSec, was arrested in June 2011 and agreed to act as an informant for the FBI. He provided information on his fellow hackers and is believed to have played an important role in the identification and arrest of other members. Other members of LulzSec include Ryan Cleary (19), Jeremy Hammond (27), Mustafa al-Bassam (18), Jake Davis (18), and Raynaldo Rivera (20), who all pleaded guilty and are awaiting sentencing in May 2013. On 24 April 2013, the Australian Federal Police (AFP) arrested a Sydney man known online as Aush0k who had claimed to be the leader of the LulzSec hacking group.
Figure 2. LulzSec logo, a hacking group associated with Anonymous
124 Chickowski, 2011, op.cit; Olson, 2012, op.cit.
W0nderland
On 2 September 1998 a multi-national police investigation codenamed Operation Cathedral ended with simultaneous raids in 14 countries, during which 107 individuals were arrested for their involvement in child pornography. The investigation started in 1996 when a 10-year-old girl in California complained that she had been sexually molested by a man who recorded the abuse via a camera attached to his computer. A police search of the computer revealed that the accused had been communicating with three individuals in the UK. A search of one of the suspects’ computers by UK authorities led to a number of additional correspondents. Ultimately the investigation uncovered the largest and most prolific child pornography ring at the time, the W0nderland Club. The group had been established in the mid-1990s to facilitate file sharing of images and videos. Collectively, members possessed over 750,000 illicit images of children and over 1,800 digitized videos depicting child abuse. W0nderland was highly organized. Prospective members were carefully screened, requiring sponsorship by an existing member and vetting by a membership committee. Membership was restricted to individuals with at least 10,000 images that they were willing to trade. Members were particularly careful about security. Some of the computers had material encrypted in such complex ways that it was impossible to break the code to present the evidence in court. The group counted 180 members in 49 countries. Carr reported that most of the men were well educated and employed in a range of professions, with a significant number of IT professionals. Some social isolates found camaraderie in addition to sexual gratification. Carr (p.16) quoted one member saying ‘I never had so many friends’. Of the 107 members arrested, ten committed suicide rather than face trial. In the UK seven men aged from 25 to 46 were sentenced in February 2001. The heaviest sentence was 2 ½ years in jail.125
DrinkOrDie
DrinkOrDie, founded in Moscow in 1993, was a group of copyright pirates who illegally reproduced and distributed software, games, and movies over the Internet. Within three years the group had expanded internationally and counted around 65 members in 12 countries including Britain, Australia, Finland, Norway, Sweden, and the US. The membership included a relatively large proportion of undergraduate university students who were technologically sophisticated and skilled in security, programming, and Internet communication. The group was highly organized, hierarchical in form, and entailed a division of labour. A new program was often obtained through employees of software companies; ‘crackers’ stripped the content of its electronic protection; ‘testers’ made sure the unprotected version worked; and ‘packers’ distributed the pirated version to around 10,000 publicly accessible sites around the Internet. The content was available to casual users and to other criminal enterprises for commercial distribution. Members were not motivated by profit but by their desire to compete with one another and achieve recognition as the first group to distribute a perfect copy of a newly pirated product. DrinkOrDie’s most prominent achievement was its illegal distribution of Windows 95 two weeks prior to the official release by Microsoft. The group was dismantled by authorities in 2001 and 20 members were convicted worldwide. Eleven people were prosecuted in the US in 2002, including one woman. They were between 20 and 34 years old. Two of the leaders were sentenced to 46 and 33 months in jail respectively.126
125 J Carr (2001), ‘Theme Paper on Child Pornography for the 2nd World Congress against the Commercial Sexual Exploitation of Children’, <http://www.childcentre.info/robert/extensions/robert/doc/67ba32d30c03c842b7032932f2e6ce74.pdf>; G Niland, ‘Net Paedophiles and the Malice of Wonderland’, Independent.ie, 18 February 2001, <http://www.independent.ie/opinion/analysis/net-paedophiles-and-the-malice-of-wonderland-26247206.html>.
Dark Market
Dark Market was a website providing the infrastructure for an online bazaar where buyers and sellers of credit card and banking details could meet and where illicit material such as malicious software could be purchased. The forum was founded in May 2005. Banking and card details were illicitly obtained by various means, including surreptitious recording at ATMs using ‘skimming’ devices, unauthorized access to personal or business information systems, or techniques of ‘social engineering’ where victims were persuaded to part with the details. Initially, trading in stolen information occurred on a one-to-one basis, but given the sheer volume of such material, using a forum where prospective parties could interact collectively was much more efficient. At its peak, Dark Market was the world’s pre-eminent English-language ‘carding’ site, with over 2,500 members from a number of countries around the world, including the UK, Canada, the US, Russia, Turkey, Germany and France. The group was highly organized. Prospective vendors had to prove that they were able to provide usable credit card information, which was assessed for its validity. Members were nominated and vetted. A maximum of four administrators ran the site at any time. They ensured the security of the site, provided an escrow service, and patrolled the site for ‘illicit’ activity such as dealing in drugs or child pornography. It seemed that reputation and status were more important for these VIP members than self-enrichment. Ordinary members who traded in information and used the information they bought to make money generally sought to keep a low profile. The forum was infiltrated by an FBI agent and the investigation resulted in 60 arrests worldwide. One of the most prominent members, a 33-year-old Sri Lankan-born British man, was sentenced to five years in jail in March 2010.127
DNSChanger
Six Estonian men, posing as the legitimate company Rove Digital, were arrested in November 2011 for creating and operating the DNSChanger malware, which allowed them to control Domain Name System (DNS) servers. DNS is an Internet service that converts domain names into numerical addresses that computers understand. Without DNS and DNS servers, Internet browsing, access to websites, and email would be impossible. The group was running an Internet fraud operation that enabled them to manipulate Internet advertising. The malware was propagated using social engineering techniques; in one instance, the malware was offered as a video codec that was supposedly required to watch adult movies. At its peak, it is estimated that four million computers worldwide were infected with the malware. DNSChanger worked by substituting advertising on websites with advertising sold by Rove Digital and by redirecting users of infected computers to rogue servers controlled by affiliates of the group. When users clicked on links to a legitimate website, they were in fact taken to a fake website that resembled the legitimate one but promoted fake, and sometimes dangerous, products. The group allegedly netted $14 million in stolen advertising views. A joint operation, Operation Ghost Click, between the FBI and private corporations over five years was undertaken after Trend Micro researchers identified the gang’s botnet. The six offenders were aged between 26 and 31 years. It is likely they will all be extradited to the US for trial. A seventh member of the group is a 31-year-old Russian man who has not yet been arrested.128
126 <http://www.justice.gov/criminal/cybercrime/press-releases/2001/warezoperations.htm>; US Department of Justice, ‘Warez Leader Sentenced to 46 Months’ (17 May 2002), <http://www.justice.gov/criminal/cybercrime/press-releases/2002/sankusSent.htm>.
127 Glenny, 2011, op. cit.; C Davies, ‘Welcome to Dark Market: Global One-Stop Shop for Cybercrime and Banking Fraud’, Guardian, 14 January 2010, <http://www.guardian.co.uk/technology/2010/jan/14/darkmarket-online-fraud-trial-wembley>.
Carberp
Carberp
Carberp is malware designed to steal banking information; it first appeared in 2009. Initially, Carberp was used exclusively by a small closed group operating only in Russian-speaking countries. In 2011 the malware’s creators started selling it to a few customers in the former Soviet Union. In March 2012, following a joint investigation with Group-IB, a Russian cyber security firm, Russian authorities arrested eight Carberp operators. The group was led by two brothers in their late 20s. One of them was already a known criminal with a record related to real estate fraud. The group demonstrated a high level of collaboration: its members worked remotely from different cities in Ukraine. Using stolen banking data, they illegally transferred large sums of money into accounts controlled by the group. The money was then withdrawn from a variety of ATMs in the Moscow area. It is estimated the group had stolen around $2 million from over 90 victims.129 Despite the arrests, Carberp continued to evolve with added functionality. Since its creation, three different cybercrime groups have worked with Carberp.130 The first group had a direct association with the creator of the malware. In 2010 the Carberp source code was sold to the organizer of the second group, and the two groups worked in parallel to develop a second version. The third group was already engaged in online bank fraud with the Origami Hodprot botnet but switched to using Carberp in 2011. As the botnet grew, the group’s operations became increasingly organized and members of the group were highly coordinated. They had command-and-control servers in several European countries and the US and attacked Russian as well as foreign banks. In December 2012, members of the Carberp team posted messages on underground Russian cybercrime forums, offering a new version of Carberp for rent. At US$40,000 per month, this was one of the most expensive kits in history. Carberp is said to be
128 FBI press release, <http://www.fbi.gov/news/stories/2011/november/malware_110911>; <http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/>. 129 G Warner, ‘Russian MVD Announces Arrest of Carberp Gang’, Cybercrime and Doing Time, 20 March 2012, <http://garwarner.blogspot.com.au/2012/03/russian-mvd-announces-arrest-of-carberp.html>. 130 A Matrosov, ‘All Carberp Botnet Organizers Arrested’, ESET, 2 July 2012, <http://www.welivesecurity.com/2012/07/02/all-carberp-botnet-organizers-arrested/>.
more effective and more dangerous than Zeus and SpyEye, and might soon be able to target US and Australian banks.131
‘Unlimited Operation’
On 9 May 2013, in the New York federal court, eight men were charged with withdrawing US$2.8 million in stolen cash from a number of ATMs. These men formed the New York cell of an international cybercrime ring running ‘unlimited operations’. The headquarters of the cyber gang is located outside the US, but there may be other cells in the US. The masterminds of the group had hacked the networks of global financial institutions to steal prepaid debit card data, and they managed to eliminate the withdrawal limit on these cards. Using counterfeit cards manufactured from the stolen data, ‘casher crews’ were able to withdraw virtually unlimited funds from ATMs around the world. The group arrested in New York was one of these ‘casher crews’. Although he was charged, the leader of the gang had been murdered in April. Six of the seven suspects were under 25 years old, and all were US citizens. Two worked as bus drivers for a private company.132 The New York gang conducted two successful operations. During the first, in December 2012, a total of US$5 million was withdrawn in 20 countries; in New York City, the group scoured 140 ATMs and stole US$400,000 in just 2 hours and 25 minutes. The second operation ran for just over 10 hours on 19-20 February 2013. Worldwide, over US$40 million was taken; in New York City, the defendants withdrew US$2.4 million from around 3,000 ATMs. The success of such attacks depends on the speed and meticulous planning of these ‘unlimited operations’. The New York prosecutor remarked:133
‘Unlimited operations’ are marked by three characteristics: 1) the surgical precision of the hackers carrying out the cyber-attacks, 2) the global nature of the cybercrime organization, and 3) the speed and coordination with which the organization executes its operations on the ground. These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible’.
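The cash-out pattern described in this case, many withdrawals from many ATMs in a few hours against a card whose limit has been removed upstream, is something a card issuer's monitoring can detect from withdrawal records alone. The following is an added example of such a check; it is not code from the paper, the indictment, or any financial institution. The withdrawal log, the card identifiers and the configured daily limits are constructed, and the thresholds (a three-hour window, more than five distinct ATMs, more than one country) are assumptions chosen for illustration, not industry values.

```python
"""Detect 'unlimited operation'-style ATM cash-outs (added example).

Three signals are evaluated per card over a sliding time window:
  limit_bypass   withdrawals within the window exceed the card's configured
                 daily limit, i.e. the limit control was bypassed upstream;
  atm_velocity   one card used at more distinct ATMs than a cardholder could
                 plausibly visit in the window;
  multi_country  one card used in more than one country within the window.
All thresholds and sample data below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)      # assumption: casher crews emptied ATMs within hours
MAX_ATMS_PER_WINDOW = 5          # assumption: distinct ATMs a legitimate card rarely exceeds
MAX_COUNTRIES_PER_WINDOW = 1     # same card in two countries within hours is implausible

# Constructed withdrawal log: timestamp, card, ATM id, country, amount.
SAMPLE_LOG = """\
# ts, card, atm, country, amount   (constructed sample, not real data)
2013-02-19T23:05:00, C1, ATM-101, US, 2000
2013-02-19T23:12:00, C1, ATM-102, US, 2000
2013-02-19T23:20:00, C1, ATM-103, US, 2000
2013-02-19T23:31:00, C1, ATM-104, US, 2000
2013-02-19T23:44:00, C1, ATM-105, US, 2000
2013-02-19T23:58:00, C1, ATM-106, US, 2000
2013-02-19T22:10:00, C2, ATM-101, US, 200
2013-02-20T09:40:00, C2, ATM-210, US, 100
2013-02-19T23:00:00, C3, ATM-301, US, 300
2013-02-19T23:50:00, C3, ATM-777, DE, 300
"""

# Constructed per-card daily withdrawal limits as configured by the issuer.
DAILY_LIMITS = {"C1": 500.0, "C2": 500.0, "C3": 1000.0}


def parse_withdrawals(text):
    """Parse the comma-separated log into records sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, atm, country, amount = [f.strip() for f in line.split(",")]
        records.append({"ts": datetime.fromisoformat(ts), "card": card,
                        "atm": atm, "country": country, "amount": float(amount)})
    records.sort(key=lambda r: r["ts"])
    return records


def detect_cashout(records, daily_limits):
    """Return {card: [flags]} for cards whose activity trips any signal.

    A sliding window [start, end] is advanced over each card's withdrawals
    in time order, so every group of withdrawals that fits inside WINDOW is
    evaluated exactly once per end point.
    """
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)

    alerts = {}
    for card, recs in by_card.items():
        flags = set()
        limit = daily_limits.get(card)
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            total = sum(w["amount"] for w in window)
            if limit is not None and total > limit:
                flags.add("limit_bypass")
            if len({w["atm"] for w in window}) > MAX_ATMS_PER_WINDOW:
                flags.add("atm_velocity")
            if len({w["country"] for w in window}) > MAX_COUNTRIES_PER_WINDOW:
                flags.add("multi_country")
        if flags:
            # Fixed ordering keeps the output stable for reporting.
            alerts[card] = [f for f in ("limit_bypass", "atm_velocity", "multi_country")
                            if f in flags]
    return alerts


if __name__ == "__main__":
    for card, flags in detect_cashout(parse_withdrawals(SAMPLE_LOG), DAILY_LIMITS).items():
        print(card, ", ".join(flags))
```

On the constructed log, card C1 trips both the limit and the ATM-velocity signals (six ATMs and $12,000 in under an hour against a $500 limit), C3 trips only the multi-country signal, and C2's two ordinary withdrawals raise nothing. The limit check is the one most specific to this case: an issuer that sees withdrawals totalling far more than the limit it believes is in force has direct evidence that the limit was altered upstream, independently of how fast the cash-out ran.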
131 L Constantin, ‘Improved Carberp Banking Malware will Target North American Banks, Group-IB Says’, IDG News Service, 17 December 2012, <http://www.computerworld.com.au/article/print/444820/improved_carberp_banking_malware_will_target_north_american_banks_group-ib_says/>. 132 J Marzulli, ‘Global Cyber, ATM Heist Nets Thieves $45 Million from 26 Countries’, NY Daily News, 9 May 2013, <http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051>. 133 US Attorney’s Office, ‘Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign’, 9 May 2013, <http://www.justice.gov/usao/nye/pr/2013/2013may09.html>.