Cyber Crime 2.0
Recent history has demonstrated that cyber criminals will continue to innovate their techniques and tactics to stay one step ahead of law enforcement because the financial rewards of cyber crime are too great and the risk of punishment too little.
It Pays to Hack
Cyber criminals will continue to innovate as long as there are rich financial incentives. Recent research revealed the amount of money a low-level cyber criminal can expect to earn from a typical attack. These low-level criminals will typically infect as many computers as possible in order to establish a network of infected machines, known as a botnet. The attacker will typically use the rogue botnet to carry out crimes: spam, identity theft, adware installation, and denial of service (DOS) attacks.
The HoneyBlog, authored by Thorsten Holz, one of the founders of the German Honeynet Project, recently shed light on how much one attacker can earn through the operation of a botnet. According to Holz’s research, a recently discovered botnet of more than 7,700 machines used its command and control architecture to install DollarRevenue.com adware onto the infected machines that comprised the botnet. The botnet master was able to earn more than $430 in less than one day.
This $430 represents a very small fraction of the overall earning potential of a botnet master. Botnet masters could easily install adware from other vendors onto the same network of infected machines and/or rent the use of their botnet for other illegal activities. For example, convicted cyber criminal Jeanson James Ancheta rented out his botnet for approximately $3,000 for use in both distributed DOS attacks and a spam operation.
Crime, but No Punishment
Although there have been a handful of recent high-profile prosecutions of cyber criminals, anecdotal evidence indicates that cyber criminals face little chance of serious jail time. According to FBI Director Robert Mueller, in 2004 only 20 percent of companies that suffered computer intrusions reported the incidents to authorities. Obviously, a cyber criminal faces little chance of prosecution if the crime is not reported.
Moreover, authorities are often only able to prosecute low-level cyber criminals while the high-level cyber criminal masterminds remain at large. Many of these cyber criminal masterminds operate in Eastern Europe and are protected by complex and nebulous international law. As a result, the only option is to round up the low-level cyber criminal operatives based in countries willing to cooperate with US law enforcement.
Jody Westby, the managing director of security and privacy practice at PricewaterhouseCoopers, believes only about five percent of cyber criminals are ever caught. Westby said, “the criminals are too hard to track and trace, too hard to prosecute, and the information they steal is too easy to use.”