Crimeware: Theft of Information and Identity

There was a time when the authors of malicious software (or malware) were interested primarily in notoriety, fame and perhaps anarchy. Unfortunately, those good old days are long gone. The reality on the ground today is completely different. From the early part of the twenty-first century, a notable shift occurred in the cyber-threat landscape. For the first time, hackers and cyber attackers realised that they could potentially reap some serious income from their intrusions. With the number of people conducting online transactions on a steep rise, malicious scripts were no longer just malicious. Now intentions became more criminal than anything else, giving rise to new terminology for a group of malicious software: crimeware.

Crimeware is a class of software that executes illegal actions unintended by the user of the software. Often these actions are expected to produce financial benefits for the crimeware’s author.

Identity theft is a form of cheating or fraud in which another party assumes someone else’s identity without the knowledge or consent of the targeted person. Typically, attackers do this in order to access resources, information or benefits belonging to or authorised only for the original person (e.g., credit card information). A victim (i.e., someone whose identity has been hijacked by the intruder) can suffer a wide array of adverse consequences apart from direct financial or information loss. If the victim is assumed to be accountable for the illegal actions performed by the perpetrator while assuming the victim’s identity, then a wide range of adverse consequences may occur.

The term identity theft was first used back in 1964. Many experts think it is a misnomer, since the crime under consideration is not actually stealing of identity (impossible in a literal sense) but rather identity fraud or illegal impersonation. Even identity cloning might be a more appropriate term, but identity theft has stuck and is now frequently used by experts and the general public.
Threats from Crimeware: A Business Perspective

In the past, a lot of crimeware has been used against corporate rivals, although the majority of cases have been on a small scale. According to a report by the United States Department of Homeland Security, the number of keylogger programmes that carry unique signatures is rising almost fourfold per year. The number of sites that actively distribute such crimeware is increasing at an even steeper rate. A huge amount of malware is expected to affect Internet businesses, irrespective of their size. Experts can argue about the intentions behind crimeware attacks, but from the point of view of business, a cyber-war is definitely on, whether with overly aggressive competitors or with individual hackers looking for personal fortune.

A particular type of crimeware intended to steal classified information from business websites has caused a lot of headaches for the online business community. In severe cases, these data can be used to perpetrate a type of identity fraud commonly called identity theft. Cyber identity theft, in which sensitive data is illicitly obtained from a computer or network and used for commercial profit, is a rapidly growing business itself. Some experts estimate that the direct economic loss due to phishing alone exceeds USD 1 billion each year. But the actual extent of losses is even more severe if account-replacement costs, customer-service expenses and the decreased use of online services owing to public fear about the vulnerability of online financial transactions are all factored in.

Crimeware can be utilized to get hold of various kinds of classified information, including passwords and user names, bank account numbers, credit card details, Social Security numbers and personal information (e.g., birth dates). In addition to misappropriation of customers’ online identities, crimeware is also used to execute targeted attacks against corporations, such as theft of access to businesses’ virtual private networks (VPNs) and theft of business data or intellectual property.

Two different potential uses of stolen identities should worry corporations. First, customers’ identities can be faked once some classified information about them is known; for example, an attacker who obtains a customer’s bank account number/user name and password can access the customer’s account history, opening the door to fraudulent transactions as well as fraudulent communications. This can lead to significant business losses.

Two of the most publicized as well as severe payment card breaches in recent times are suspected to have been caused by crimeware. Heartland Payment Systems and RBS Worldpay were the victims of those two attacks. The breach at Heartland remained undetected for no less than six months, compromising more than 100 million cards used for 175,000 merchants. RBS had to acknowledge publicly that the financial data of 1.5 million customers had been lost from its payroll cards business. The stolen card data were in turn used to withdraw more than USD 9 million from ATMs across the world. Similar attacks (e.g., the Russian Coreflood Gang attack) also appear to be due to crimeware.

Finances are not all that is at stake, however. The most important loss can be that of reputation. Such breaches are often widely publicized in the media, creating a perception that transactions involving the company in question lack safety. A lot of customers will stop using the business’s services for fear that the company will not be able to keep their secret information safe.

The other potential application is for an attacker to assume the identity of the business itself. If some crucial access into the company’s internal network can be gained, collecting sensitive information or even crippling operations can be extremely easy. A typical example of this involves theft of passwords and user names for vital systems (e.g., internal mail service, operations control) of a corporation. A near cousin of this type of attack is phishing, in which an outsider assumes the identity of a service provider and communicates with customers just as the original business does. Fooling customers in this way can be a very easy way to get useful information directly from them.

The scale of the targeted business hardly matters for these attackers. Every prominent business has its fair share of competitors and rivals, however small it may be. Usually, the smaller the scale of a business, the easier an attacker will find breaching its information security. Looking at the track record of identity thieves and the kinds of corporations they have attacked can make anyone with a small Internet business get a shiver down the spine. Moreover, when a large service provider such as a payment gateway is compromised, the breach also affects the thousands of small businesses that use its services. Effectively, every business with some significant operations (e.g., sales, promotion, data maintenance) is vulnerable to identity theft.

These types of attacks fall into the so-called grey area of the law, as legislation about them is far from well structured. Moreover, tracing back the wrongdoer is extremely difficult, since attackers use extremely smart techniques to mask their identities. Once a business has been victimized, the legal frontier offers few effective options. When it comes to identity theft, it’s best to remember the old saying, “Better safe than sorry.”

The article is contributed by Dr Michael Teng, Managing Director of Corporate Turnaround Centre Pte Ltd and author of 23 management books. Dr Teng will soon be releasing yet another book titled: Corporate Cyber-War.
All rights reserved. © Copyright 2006 Dun & Bradstreet (Singapore) Pte Ltd.