by Alan Wlasuk of 403 Web Security
A big anniversary weekend in the city -- pack the kid off to grandma’s, drive into town, park at the new fancy hotel and check-in. Dinner at the high end Italian restaurant next door, a concert with George Winston, drinks that evening at a jazz bar.
Then, end the evening back at the hotel with a room that is special enough to relive your wedding night of many years ago. A late breakfast at the hotel and a drive back to grandma’s to retrieve the kid.
Welcome to the comfort of middle America. This is the dream of our generation.
It was a special weekend for you and your spouse, one to remember. What you missed, however, was the darker half of society. Your car didn’t get stolen from the parking garage, but two others in the same garage did that night; the local organized gang had them chopped up for parts and shipped out before the evening was over.
You didn’t meet the illegal aliens who fixed your dinner, or realize the hotel chef has a cocaine problem, hiding just under that big white hat of his.
Your leisurely walk to the theater was not marred by a junkie on crack, but the couple down the hall from you at the hotel did give up their cash and jewelry.
The bartender made a few copies of credit cards that night, fortunately not yours.
In short, crime swirled around you yet you were oblivious.
You didn’t see this half of society, because you were lucky and, quite honestly, you weren’t looking. As you read the paragraphs above you may have been nodding your head, because while you probably didn’t experience it, you do know this seedier side exists in our society; it just seems so remote. Remote that is, until it’s your car that gets jacked or the kid with the knife picks you for his new funding source some evening.
The probability of a crime against your person in 2010 was remote, just 3.3 percent (according to the U.S. Government’s Disaster Center’s website). We can put a name to it and understand its cause and effect on society.
While you enjoyed the city, your son, age 12, spent his weekend in his version of middle American bliss, in the suburbs with Grandma. As is the duty of grandmas everywhere, she spoiled him with too much food and a late night. Also, being a bit more progressive than most grandmothers, she let him spend far too much time on her two-year old Dell desktop computer.
Your son’s PC time included surfing the Web, playing online video games, and wandering over to a few of the "racier" sites that he would never get away with at home (boys will always be boys, after all).
Unfortunately, grandma’s computer is just a bit out of date. The factory installed virus protection software expired last year and her version of Internet Explorer missed the last few automatic patches.
In the two hours of his surfing, your son encountered six infected websites that attempted to install malware on grandma’s computer. Two of the attacks came from the side trips to racier sites, one came from a site that claimed to be able to help your kid with cheats on his online video game passion -- but the other three came from sites that most of us would consider safe. Your son had no idea he was the target of an attack.
On the bright side, four of the malware attacks were repulsed by the aged virus protection software that, while old, could still handle some of the older attack types. The other two malware attacks were a study in today’s cyber crime underground.
The first made it through and lodged itself firmly into the Dell’s operating system and hard drive. It would take an expert to even detect its presence, let alone remove it.
The second malware attack was built by a Korean hacker whose goal it is to build a huge network of bots. This botnet would be his ticket to cyber crime and financial freedom. These two malware bots recognized each other, engaged in cyber war and in a few microseconds the Korean hacker’s bot neutralized the other malware bot (yes, a literal attack and killing occurred) and snuggled into the void left behind. Once again, your son was oblivious to what had occurred.
When your son went to sleep that night, grandma finally got a chance to sit down, watch a little TV and check her email (as I said, a progressive lady). One of the emails, from Citibank, warned grandma that her account was about to expire, could she please just verify her account information.
Grandma was being phished.
She went to the bogus website noted in the email (if asked, she would have said it looked so real) and entered her Citibank login credentials.
Before we feel bad that grandma fell for the phishing scam, we should note the fact that the new bot her grandson invited into her life that day was now recording her every keystroke and texting it to its bot herder in Korea. Grandma’s Citibank credentials, and every other online financial account she has, would be toast before long.
In the middle of the evening the bot on the old Dell was awoken by its Korean command and control network and was part of distributed denial of service (DDoS) attack on the Bank of America. It was one of six million bots that participated in that cyber attack that evening.
So as to not waste spare bot time, the Dell was also instructed to send out a spam email every 10 minutes. The email that you might have received from the personal attorney to the late Capt. Peter Force, a German national, about the boxes of gold may have come from grandma’s computer, or the nice grade school teacher in Idaho. According to the MessageLabs Intelligence Report by Symantec, over 77% of all spam emails you receive these days is sent from bot controlled zombie computers.
Oh yes, Grandma’s Citibank account information was sold on the cyber black market that same night eighteen times for $100 each. The hacker never considered lying by telling his buyers that they were the sole buyers. There is no honor amongst thieves. Grandma’s soon to be collected credit card information will be sold for $10 each and her identity will be stolen before the end of the year. It will be a hard year for grandma.
Unlike the parents, grandma and your kid were totally unaware of the seedier side of society they came into contact with that evening -- the cyber world.
Unlike the physical crime we can identify with and readily understand, cyber crime is absolute magic to us. We cannot touch it and wouldn’t have the faintest idea of how to identify, avoid or report it.
Chances are you will never be mugged and your car will never be stolen. But your computer is being attacked every day and you are the recipient of ever-evolving phishing emails. The 2011 Norton Cyber crime Report estimates the total cost of cyber crime at $388 billion per year. Keep in mind that cyber criminals do not need to be in your city or even your country to target you as a victim.
This same report disclosed that over 74 million people in the United States (about 1 in every 4) were victims of cyber crime in 2010. These criminal acts resulted in $32 billion in direct financial losses. Worldwide cyber crime already surpasses the total of black market marijuana and cocaine sales, which totals $288 billion.
Cyber criminals don’t carry weapons or even leave the comfort of their homes. The botnet and phishing systems cyber criminals utilize are constantly aware of their vast networks that grow virally without human intervention. Any fan of the cult classic Matrix movies can see the potential of these cyber crime systems to become the sentient network that rules the world of the future.
Alan Wlasuk is CEO of 403 Web Security is a full-service, secure web application development company. 403 offers website security scanning, consultation on results of security scans, remediation of existing websites and development of new, secure websites. Drawing upon the company’s involvement with Software Quality Assurance (SQA), security is at the forefront of all development efforts.