Sunday, October 22, 2006

Cybercrime Update

From USA Today

Criminals covet your identity data like never before. What's more, they've perfected more ways to access your bank accounts, grab your Social Security number and manipulate your identity than you can imagine.

Want proof? Just visit any of a dozen or so thriving cybercrime forums, websites that mirror the services and the efficiencies of eBay. Criminal buyers and sellers convene at these virtual emporiums to wheel and deal in all things related to cyberattacks — and in the fruit of cyberintrusions: pilfered credit and debit card numbers, hijacked bank accounts and stolen personal data.

The cybercrime forums gird a criminal economy that robs U.S. businesses of $67.2 billion a year, according to an FBI projection. Over the past two years, U.S. consumers lost more than $8 billion to viruses, spyware and online fraud schemes, Consumer Reports says.

In 2004, a crackdown by the FBI and U.S. Secret Service briefly disrupted growth of the forums. But they soon regrouped, more robust than ever. Today, they are maturing — and consolidating — just like any other fast-rising business sector, security experts and law enforcement officials say. In fact, this summer a prominent forum leader who calls himself Iceman staged a hostile takeover of four top-tier rivals, creating a megaforum.

Security firms CardCops, of Malibu, Calif., and RSA Security, a division of Hopkinton, Mass.-based EMC, and volunteer watchdog group Shadowserver observed the forced mergers, as well, and compiled dozens of takeover-related screen shots. "It's like he created the Wal-Mart of the underground," says Dan Clements, CEO of CardCops, an identity-theft-prevention company. "Anything you need to commit your crimes, you can get in his forum."

The Secret Service and FBI declined to comment on Iceman or the takeovers. Even so, the activities of this mystery figure illustrate the rising threat that cybercrime's relentless expansion — enabled in large part by the existence of forums — poses for us all. In the spy vs. spy world of cybercrime, where trust is ephemeral and credibility hard won, CardersMarket's expansion represents the latest advance of a criminal business segment that began to take shape with the formation of the pioneering Shadowcrew forum.

Shadowcrew, which peaked at about 4,000 members in 2004, arose in 2002. It established the standard for cybercrime forums — set up on well-designed, interactive Web pages and run much like a well-organized co-op. Communication took place methodically, via the exchange of messages posted in topic areas. Members could also exchange private messages. Shadowcrew gave hackers and online scammers a place to congregate, collaborate and build their reputations, says Scott Christie, a former assistant U.S. Attorney in New Jersey who helped prosecute some of its members.

In the October 2004 dragnet, called Operation Firewall, federal agents arrested 22 forum members in several states, including co-founder Andrew Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a community college student in Scottsdale, Ariz. In August, he began serving a 32-month federal sentence for credit card fraud and identification theft.

$67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.
$8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.
93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.
26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Typical costs of goods and services in cybercrime forums:
$1,000 to $5,000: Trojan program that can transfer funds between online accounts.
$500: Credit card number with PIN.
$80 to $300: Change of billing data, including account number, billing address, Social Security number, home address and birth date.
$150: Driver's license.
$150: Birth certificate.
$100: Social Security card.
$7 to $25: Credit card number with security code and expiration date.
$7: PayPal account log-on and password.
4% to 8% of the deal price: Fee to have an escrow agent close a complex transaction.
Free: Access to a service that gives details of the issuing bank for any credit card number.
