Cyber-Criminals' Constantly Evolving Tactics Challenge Law Enforcement

A panel of cyber-security experts talked about the changing security landscape and how multinational collaboration is helping bring down some of these criminal syndicates.

Despite the constantly changing security landscape with evolving threats and new tactics, there are several key victories in the fight against cyber-crime, experts said.

There is big money in the Internet, said Adam Palmer, Norton lead cyber-security advisor at Symantec, and that applies to both businesses and criminals. It's important for the industry to work alongside law enforcement to share information about the latest threats and technology to fight cyber-crime, Palmer said at a "Tackling Digital Crime" panel, held Feb. 17 at Fordham University.

"Is cyber-crime real? Are we winning the fight?" asked Kevin Kelly, a professor in the computer and information science department at Fordham University and moderator of the panel.

About 73 percent of all Web surfers in the United States have been hit by some kind of cyber-crime, according to Palmer. Over 7 million people had their identities stolen in 2009, he said.

The key motivation for cyber-criminals is quite simply, "money," said Dan Larkin, director of strategic operations at National Cyber-Forensics and Training Alliance. Regardless of the type of attack used or the target, criminals are out to get more money, he said.

Cyber-crime can be old crimes committed in new ways, Palmer said. The fact that criminals are stealing money, property and information is not new, but now they are using computers and the Internet to make the tasks easier.

Cyber-crime "is definitely real" but the problem is in tracking down the criminals, said Christopher K. Stangl, a supervisory agent at the FBI New York Cyber Branch. Even if the crime occurred in the United States, the perpetrators could be in a different country, Stangl said. It's a challenge figuring out how the criminals did what they did and finding out where they are, he said.

Law enforcement officials from different countries are now also more willing to work together, Stangl said. Even 10 years ago, if the FBI identified criminals using a Russian IP address, "it was forget it, nothing we can do," said Stangl. That's no longer the case as the FBI conducts joint operations with other countries to share information and make arrests, he said.

The FBI had a "significant amount of success" in 2010 against cyber-criminals, Stangl said, naming the shutdown of the Mariposa botnet, the arrest of the Mega-D mastermind and the capture of several members in the gang behind the Zeus Trojan, among other arrests. The biggest achievement was "disrupting the groups," according to Stangl.

A "real time exchange" of government intelligence is critical, according to Palmer.

It's "tough" to say whether cyber-crime is becoming a bigger problem because it is constantly changing, said Larkin. The challenge facing the industry and law enforcement is continuously figuring the best methods to find and catch the criminals, Larkin said. It's an evolving process, he said.

The industry is constantly playing "catch-up" to criminals, Palmer said. With the proliferation of mobile devices, criminals have new ways to attack, he said. Security used to be about enforcing the perimeter, but that's no longer the case when one can "check Facebook from the TV," or regularly uses cloud-based services, Palmer said.

"There are more opportunities for bad guys to generate revenue," he said.

Without calling out any site in particular, the panelists said users not being careful with their identity information on social networks were a bigger threat than malware on the platform. Criminals can use the information on a victim's profile, such as organization affiliation, favorite stores and name of family members to target the victim, Palmer said.

Social-engineering attacks are more likely to target small businesses to steal money from their bank accounts, Stangl said. While "it used to be the case" that cyber-criminals would cast a wide net and send out hundreds of thousands of spam messages, there is a clear shift toward more targeted attacks, he said. Spear phishing is more effective and can net millions of dollars despite the smaller number of victims, according to Stangl.

Larkin also noted that a targeted attack on a small firm might lead them to high-value client accounts and wealthier victims.

The good news is that consumers are becoming more security-conscious and people in general are much more cyber-aware than they used to be, according to Palmer. There was a time when judges didn't know what a Website was, Palmer said. The bar is slightly higher now, because now the judges want to know what a "hash value" in programming code is, he said.