Desperate times call for desperate measures, and to law enforcement officials tasked with fighting criminals online, the skyrocketing number of cyber-crimes is a full-blown crisis.
From the front lines, the call is for more of everything—more investigators, more funding and more attention from lawmakers and upper management. That call may finally be getting some attention.
While obstacles remain, those involved in the cyber-crime fight say there are growing reasons for optimism. Law enforcement agencies are sharing information more often and more widely than ever before. Investigators are more experienced. And, for its part, the technology industry is working on a variety of products that address some fundamental issues behind common cyber-crimes.
Evidence that this heightened diligence can turn the tide may be found in the battle against one of the most widespread and insidious forms of cyber-crime: phishing.
Through the clever use of company logos, verbatim text and links to convincing replicas of corporate Web sites, phishing scammers entice unsuspecting users to give up private information with appeals bearing titles such as “Problems with your account” and “Account security measures.”
Despite the pilfered graphics, the messages frequently contain obvious spelling and grammatical errors that can make them more easily identifiable as fakes. However, some of the messages simply ask recipients to follow an embedded link that takes them to an exact replica of the victim companys Web site, where they are then prompted to enter sensitive information. These sorts of attacks are far more difficult to sniff out, especially given that many of them use authentic-looking URLs.
In March, there were 402 unique new phishing attacks, a 43 percent increase from the previous month, according to numbers compiled by the Anti-Phishing Working Group, an industry consortium that tracks phishing activity and comprises financial institutions, banks and vendors such as PassMark Security LLC, of Woodside, Calif., and Science Applications International Corp., of San Diego.
The schemes are getting more sophisticated with attacks that plant Trojan horses and backdoors on users PCs as soon as users open malicious e-mail messages.
“[Phishers] are starting to work with crackers and virus writers. Theyre sharing code, using common techniques and taking advantage of vulnerabilities to drop something on the machines,” said Dan Maier, director of product marketing at Tumbleweed Communications Corp., a provider of secure e-mail solutions based in Redwood City, Calif., and a member of the Anti-Phishing Working Group. “Its very sophisticated code,” Maier said.
Acknowledging the problem and taking a lead in the effort to thwart such scams, the Department of Justice in April issued a five-page report on phishing, warning consumers and laying out suggested defenses.
The report followed similar efforts from the Office of the Comptroller of the Currency at the Federal Deposit Insurance Corp., which urged banks to increase monitoring of phishing-type activities and expand incident-response capabilities to deal with the spike in online fraud.
Phishing has the attention of the private sector as well. One of the underlying problems that allows phishing to flourish is that it is hard to determine with any degree of certainty whether the Web site an unsuspecting victim visits is what it claims to be.
By using URL redirectors and other means of deceit, scammers can easily hide the true address of their malicious site and make it appear as legitimate as eBay.com or Amazon.com. Identrus LLC, a company that provides identity authentication services to banks and other financial institutions, is working on a solution to the problem.
Fighting Back Against Cyber-Crime – Page 2
Identrus, whose customer base includes most major U.S. banks, plans to issue “institutional certificates” to its customers and enable those banks to offer client digital certificates to bank customers later this spring. The institutional certificates will allow the banks to prove their identities to their customers digitally and the customers to prove their identities to the banks digitally as well.
For example, a customer of Bank of America would be issued a digital certificate by the bank. That certificate, along with the banks certificate, would mutually authenticate the user and the banks Web site each time the user visits the site. As big a problem as phishing and the resultant identity theft are for consumers, it is orders of magnitude worse for the banks and other enterprises whose reputations and balance sheets absorb the brunt of the hit.
“For the retail side of the house, its absolute panic time. Its a massive problem. Theyre searching for anything they can to fix this,” said Karen Wendel, CEO of New York-based Identrus. “They know that most identity theft is related one way or another to the banking relationship. The banks arent telling [their customers] how identity theft typically occurs.”
The Identrus system also has the potential to help solve the other major flaw that makes phishing scams so simple: unauthenticated e-mail. SMTP, which is used to forward the majority of e-mail on the Internet, does not require any authentication from the sender. This enables spammers, phishers and other criminals to spoof the sending address of a message and make it appear to be legitimate.
Re-engineering the protocol at this point is not feasible, but there are movements afoot to add unforgeable identifying information to mail headers in order to implement a so-called e-mail caller ID system.
In fact, Microsoft Corp. has developed a technical specification for a proposed system that would prevent spoofing of the senders Internet domain. The Microsoft plan relies on the publication of information such as the IP addresses of outbound mail servers, which would enable the mail gateway at the receiving end to verify that the message actually came from the domain listed in the SMTP header.
In many ways, the call is similar to the cries for help issued by law enforcement at the peak of the drug problem in the early 1970s. At that time, state and local police forces were overwhelmed by the volume of drug traffic and couldnt handle the cases coming at them.
It wasnt until President Richard Nixon signed an executive order creating the Drug Enforcement Administration in 1973 that the federal government got involved in the drug war in a major way.
That same kind of dedication is needed to address cyber-crime fully, according to experts.
“The government needs a cyber-crime czar. There has to be a recognition that theres a problem,” said Jim Melnick, director of threat intelligence at iDefense Inc., in Reston, Va., and a former officer in the Defense Intelligence Agency.
“It has to be on the national agenda,” Melnick said. “I just hope it doesnt take a major incident to get it there.”
The DEAs budget for fiscal year 2004 is about $1.5 billion, and, as of the end of last year, the agency had more than 4,600 special agents working solely on drug cases.
By contrast, the FBIs budget called for $60 million in funding to fight cyber-crime—a number that is projected to drop to $55 million in fiscal year 2005—and none of the money is earmarked for new agents.
“It just doesnt get the attention it needs. Im not sure what else we can do with what we have right now,” said one federal cyber-crime agent, who asked not to be identified.
And even with federal leadership to bolster the newfound focus and the emerging technical solutions, it could—much like the war on drugs—take years before any dent in cyber-crime is achieved.
“We have to be realistic in how long it will take. The threats were facing will get worse,” said Amit Yoran, director of the National Cyber Security Division of the Department of Homeland Security, in Washington. “These technology refreshes will take a very long time.
“But weve built an excellent network of allies around this. Were [still] not sharing as much information and data as we could. Were not where we want it to be, but Im hopeful.”
Security insiders applaud the growing public-private partnership and the increased attention to cyber-crime issues. What remains, they say, is a need for government leadership to commit to fighting the online menace.