
Digital Mafia: Into the Cybercrime World July 2010


Cybercrime is today a lucrative business that generates more than one trillion dollars in profits every year. According to analysts, cybercrime is reaching the turnover spawned by drug trafficking. "Digital mafia: into the cybercrime world" is the new enquiry published by Bright, entirely focused on computer crime. The enquiry is based on the contributions of leading specialists in the field of cybercrime and security. Thanks to: Raoul Chiesa, Henry Peltokangas, Oksana Prykhodko, Internews Ukraine, Francesca Bosco and UNICRI.

Preface by Gianmaria Vernetti

Information Technology is one of the fastest evolving industries ever. The mass spread of electronic devices, from computers to mobile phones, has radically changed the way people work, communicate and interact; it has also changed the way organised crime gangs work, communicate and interact.

Cybercrime is today a lucrative business, generating more than one trillion dollars in profits every year: according to several analysts, cybercrime is reaching the turnover spawned by drug trafficking. The available data are impressive: in 2009, about 182,395 attacks () were recorded worldwide. It is worth noting that 95% of all the attacks were launched by eight main criminal groups; during the second semester of 2009, a gang called Avalanche was responsible for 66% of the phishing assaults. The rise of cybercrime as a massive phenomenon has been made possible by several factors. The exponential growth of the world wide web has given birth to new models of economies of scale, which are the ideal terrain for illegal activities. The rise of social interaction websites, such as social networks, has increased the diffusion of users’ private data, which can potentially, and often easily, be stolen. Finally, the extreme flexibility of digital infrastructures such as servers and providers allows gangs to launch attacks without being hindered by physical boundaries or geographical limits. Thanks to these elements, organised gangs also have a powerful tool for exerting political pressure: the represents the ideal case history to understand the role cybercrime can play in diplomacy and global affairs. This is particularly true for specific geographical areas: Eastern Europe, the Balkans, the Caucasus, Russia and former Soviet countries are the most important hub of illegal digital activities. A mix of high IT education levels and corruption has made possible the creation of multi-national cybercrime gangs such as the RBN: powerful, flexible, with strong ties to the political establishment and able to operate on a truly global scale. Considering this, what are and what can be the measures to prevent and fight the cybercrime phenomenon? On a juridical level, several initiatives have been carried out in the last ten years by international organisations and national institutions.
In 2001, the European Union adopted the Convention on Cybercrime, the first treaty committed to fight computer crimes and . The Convention, signed by Canada, Japan, USA and South Africa too, has been enforced in the last years, but has not yet represented a concrete countermeasure. As far as social contrast is concerned, it currently seems difficult to set pragmatic objectives. The point – hard to explode – is that are publicly perceived as less dangerous than crimes such as drug or human trafficking. Whereas it is somewhat easier to carry out effective awareness-raising communication on the latter topics, how does one deal with the task of raising awareness of cybercrime issues? In this perspective, one of the main obstacles is communication: unlike drug trafficking-related matters, cybercrime attacks and operations rarely appear in newspapers and magazines, being confined to technical magazines for insiders. The lack of proper communication and information prevents consumers from developing a real approach to counter cybercrime. The goal of our enquiry is to underline that today cybercrime poses a big threat to international civil society, no less than drug trafficking or : underestimating this fact would mean missing an important step in the social struggle against transnational organised crime. To understand trends and technologies, to communicate and inform is, in our opinion, the best way to raise awareness of a growing phenomenon that affects the way people work, communicate and interact.

Cybercrime: reasons, of the players and an analysis of their modus operandi by Raoul Chiesa

This article aims to offer a first analysis of the roots of cybercrime, while applying a sort of profiling to the attackers of the past and of today, analysing the historical evolution of cybercriminals and their behaviour.

The article will then zoom in on the modus operandi used by the actors, organised by macro areas, as well as the business model of the criminal organisations dealing with cybercrime. It is extremely important to learn the details of cybercrime if we want to fight it. And it is not a new story, as the next sentence states:

Every new technology opens the doors to new criminal approaches

«This is a statement on the fate of the modern underground. There will be none of the nostalgia, melodrama, black hat rhetoric or white hat over-analysis that normally accompanies such writing. Since the early sixties there has been just one continuous hacking scene. From to hacking, people came and have gone, explosions of activity, various geographical shifts of influence. But although the scene seemed to constantly redefine itself in the ebb and flow of technology, it always had a direct lineage to the past, with similar traditions, culture and spirit. In the past few years this connection has been completely severed. And so there is very little point in writing about what the underground used to be; leave that to the historians. Very little point writing about what should be done to make everything good again; leave that to the dreamers and idealists. Instead I am going to lay down some cold hard facts about the way things are now, and more importantly, how they came to be this way. This is the story of how the underground died». (from “Phrack”, Issue # 64, article # 13, by “”: The Underground Myth, April 11th, 2008)

I have decided to start my contribution by quoting this very recent article from Phrack, the ’s magazine by decades now. My article in fact will not dwell on the long-running debate on black-hat or white-hat; instead it will try to supply a detailed overview of the attackers’ evolution and their techniques over the years. To begin with the roots of hacking, there is no specific year when the hacking phenomenon started: some claim 1979, others around 1980/1981. The truth is that, probably, a lot of computer incidents (break-ins) happened well before the first official and public cases, but in any case the first wave of computer started back after the movie Wargames was released, back in 1983. Teenagers from all over the world, mainly from USA, Canada, Australia and Europe, began asking their parents to buy them the very first home computers, toys like the Commodore C-64 and the Sinclair ZX Spectrum, along with those weird “ adapters”. Those teens then began dialing into BBS (Bulletin Board Systems), learnt how to access X.25 networks and how to run wardialing scans all over the world. As for the attack techniques used, in those times we used to see things like password guessing, wardialing/scanning (both for PCs connected to , and systems connected to X.25 networks worldwide) and trying default accounts. In this era those hackers were, definitely, still matching the cliché of the hacker as we mean it today. Nevertheless, they were curious guys, looking for network and computer accesses in order to learn.

1986-1990

I have split the decade 1980-1990 into two different parts. This is mainly because of two different aspects. First of all, the growing hacking scene created its own press arm, meaning magazines (e-zines) such as 2600 Magazine: the Hacker’s Quarterly and Phrack. This meant that the hacking underground now had its own magazines and a voice to shout out what was happening and what the hacking scene was doing. As a secondary but pretty important aspect, those hackers – located in different parts of the world, as wonderfully detailed by Suelette Dreyfus in her book “Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier” – had their very first chance to share the results of their attacks and the knowledge they had acquired. This is a really important issue, since it is in this second part of the 80’s that those hackers began to hack in groups and started posting their findings on BBS and X.25-located public systems, such as Altos, Pegasus, QSD and so on, as they would keep on doing for part of the next decade (1991-1995). From the attack point of view, not much had changed since the earlier period: password guessing and systems scanning were still the most used approaches. It was exactly by this approach that Hagbard and Pengo, two members of the CCC (Chaos Computer Club, a German-based organisation and the oldest hacking group in Europe) began hacking US Military and Government computer systems, as explained by Clifford Stoll in his book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage”, published in 1989. A last thing to notice, especially in Europe, is the launch during these years of Minitext-based services, such as Minitel in France, BTX in Germany and Videotel in Italy. These services allowed the very first users to use online services, such as chat systems, online shopping and much more. This is how thousands of today’s expert users began their approach to the TLC world.

1991-1994

These years represented an important time for hacker communities all around the world. First of all, different countries (meaning different hacking scenes, belonging to different countries) kept on talking to each other, as explained and detailed in the book “Underground” mentioned above. This means that the Aussie scene (Australia), the European scene (mainly UK, Italy, Germany and the Netherlands) and the North American scene (USA, Canada) used to work together on targeted attacks, at the same time sharing their findings and enhancing their skills. Unfortunately (for those hackers) those international dialogues were also noticed by Law Enforcement agencies: in 1992 the USA launched “Operation Sun Devil”, while in Italy in 1994 the Police launched the infamous “Italian Crackdown”, very well described by Carlo Gubitosa, from the Peacelink Association, in his book “Italian Crackdown”, and in 1995 “Operation Ice-Trap”, where I was involved too. Again, over these five years the hacking techniques used were mainly the same, while it is important to notice how, from 1992-1993 (and 1994 in Italy, thanks to VOL – VideoOnLine, the first commercial Internet ISP) hackers began to gain access to the Internet, then exploiting TCP/IP systems with publicly available vulnerabilities, as seen on SecurityFocus.com, Phrack, etc. Those young hackers, who were gaining cutting-edge virtual experience while playing in an exciting playground, have now become the security professionals who fight every day against the new hackers, who are often linked to organised crime, in an evil-to-devil endless war.

1995-2000

The year 1995 was the year of the Internet for a lot of countries all around the world. Old-school hackers started learning how to gain free Internet access, often using a bridged system connected both to X.25 networks and to the global Internet. Universities, academics and industries were the very first targets, along with military and government institutions. For a while, it was like a flashback to the second part of the 80’s, when hackers pointed at those kinds of targets, as well as NASA and the SPAN network, in order to “be cool” and brag with their friends. This period is also highly important for another reason: newbies and script kiddies popped up, once again thanks to the Internet and the chance to download exploits and attack tools, as well as brute-forcing software and dictionaries. In 2000 , aka Mafia Boy, downloaded a few DDoS (Distributed Denial of Service attack) tools from the web and, in a matter of a few days, was able to bring to their knees Internet giants such as eBay, and Yahoo! That was the very first global demonstration of how script kids, even without a huge technical background, may represent a serious threat to the online economy. On the other side, in the latter part of this five-year period we were able to observe a phenomenon that would lead all of us – security researchers, hackers and InfoSec experts – to some serious choices in the following years: and this brings us back to the initial thoughts and labels, such as those black-hat and white-hat approaches. I am talking about the entry of organised crime into the hacking scene. As far as I know, this happened in different ways in different countries, depending on a lot of factors. For example, in Italy and generally in Europe, the local mafias and mobs began realizing the business of the “Dialers”, often inserted as rogue software on porn websites.
The trick was to force the web visitor to download and install specific software (a dialer) in order to surf the web and get access to the porn material. What happened instead was that the installed dialer forced the user to disconnect from their ISP and then connected the PC to international premium-rate dial-up numbers: Internet access was supplied, but the cost of the data phone call was an international one, in this way funding organised crime with fresh amounts of cash (Fatal System Error, page 48 and further). The phenomenon of US-based mobs dealing with IT people started in the US back around the end of the 80’s (1988/1989), while it moved to European countries after 1995. It is in these years that software developers (coders) and programmers started being hired by mafias from all around the world, writing rogue software and supporting their “Client” while planning IT-based scams. I think that this excerpt from the book “Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet” should give readers a certain idea of the approach used by the Mafia family “Gambino” back in the US: «One such training course was at the side of reputed Gambino soldier Richard Martino. His operation ran from the early 1990s until 2002, raking in $650 million with phone and Internet scams, the biggest haul in Gambino family history. The Martino racket went through several iterations as law enforcement cracked down on its techniques. It installed rogue dialers on home computers that called expensive overseas numbers. For a time, companies in the scheme also stuck consumers with unwarranted phone charges through 800 numbers. A later Web version of the scam was much simpler, an early system for . Internet visitors were asked to supply a credit card number proving they were eighteen in order to get free tours of membership porn sites—including HighSociety.com, Cheri.com, and Playgirl.com—owned by a company named Crescent Publishing Inc.
Then they were charged as much as $90 a month».

2001-2005

This five-year period may be officially labelled as the era of cybercrime’s roots, since most of those really well-organised and planned attacks began in these years. This happened mainly because of two aspects:

1. As mentioned earlier, the hackers of the eighties and nineties became the security professionals of the new millennium;
2. The so-called “Internet boom”, along with keywords such as globalization, information highways, always-on, mobile communication, broadband and e-banking, led to what I have labelled “Hacking prêt-à-porter”, meaning how possible it is today to get your hands on highly sophisticated and/or malicious infrastructures, even without possessing hard-to-find technical hacking skills.

The sum of the two assumptions above made these five years the weaning of a new breed of hackers, mixing street thieves, low and medium level organised crime and famous Italian mafia families with geeks, wannabes and different categories of hackers. This also led to the globalisation of cybercrime, where one of the biggest ever vendors of ATM skimmers was Cha0 from Turkey, the owners of Dark Market were young people from UK and Germany (Markus Keller, aka Matrix001, Renu Subramaniam, aka JiLsi) and Max Ray Butler, aka Max Vision, aka Iceman, has probably been one of the last “real hackers” moving to cybercrime, running with CardersMarket an 86 million USD affair in fraud losses. At the same time, this extremely compact yet important period witnessed the arrival of the first, raw cyber attacks dealing with the concept of state-sponsored attacks. China and apparently other countries slowly began an Internet-based information war and, still today, these terms and words themselves, along with a plateau of different philosophies, are at the centre of a worldwide distributed debate between the different approaches and views of governments and militaries.

2005-today

The last five years have seen the rise of Russian-based organised crime, ruling over more than 80% of the worldwide cybercrime market. There has been the time of RBN, the well-known Russian Business Network, and recently we have been observing new crime lords coming up, such as those at IMU, Innovative Marketing Ukraine, and who knows how many more are already operating. From my personal point of view the issue we have here is not about “the Russians”, nor organised crime, the hackers or “the Internet”. The issue here is about technology, about how pervasive IT is becoming in our lives, directly and indirectly. Broadband highways, IPv6, mobile communication, social networks, cloud computing, SCADA, critical infrastructures, ATM, EMV, VoIP, Phishing & Vishing, car hacking, satellite communication interception… these are the threats we must face. This should be our first thought whenever using a new technology, along with all the good things and enhancements the technology itself will surely give us. New challenges include – but are not limited to – cloud computing security, EMV ATM, VoIP & Vishing, SCADA & critical national infrastructures security: these are the words you will hear in the upcoming months. Watch out… the enemy is changing, growing from a few to many, moving from home-made crimes towards organised crime. This article began with a sentence: every new technology opens the door to new criminal approaches. This happened with all kinds of technologies, even with the industrial revolution and the car boom: thieves began to steal cars in order to rob banks and get away faster, so governments and police authorities made number plates mandatory on vehicles, and the bad guys began stealing or falsifying the plates. It is a never-ending loop, it is the fight between the good and the bad. That is why cybercrime will constantly represent an issue, now and in the future. Today the situation is changing, again.
We are experiencing white collar crime linking with organised crime. Every day we learn about somebody who has been arrested for e-crime actions. Young people, students, consultants, hackers, criminals. I think those are just the tip of the iceberg. The key difference, which apparently no one has yet realized, is another one, no matter whether the bad guy is “the IT consultant” or an anonymous teenager. Today many more people know about IT security and hacking. Resources are very easily available. The Internet is everywhere, allowing worldwide distributed attacks. People should realize that just as social networks exist thanks to the Internet, we also have a kind of criminal network(s), thanks to the Internet. It is a process that has evolved over the years, and that is today’s scenario. There is pretty much nothing we can do against it, except awareness, training and education, along with international cooperation.

Cybercrime & underground economy: operating and business model by Raoul Chiesa

This analysis aims to provide a light research of the operating and business models used in cybercrime and underground economy activities: while it does not aim to be exhaustive or complete research, I would like our readers to get the “big picture” and understand how today’s cybercriminals have grown up, both from an organizational and a business point of view.

First of all, it is important to define exactly what we mean by the term “cybercrime”. Cybercrime is mainly related to the following illegal activities, mainly carried out through the Internet:

• Phishing
• Malware
• Scams
• DDoS attacks
• Child pornography
• Generic Porn
• On-line games

Often, the IP classes used by cybercriminals (i.e. RBN) share their illegal services across various IP addresses, as we can see from the following screenshot, related to research carried out by David Bizeul.

Now, once we have realised which services cybercriminals must sell, it is pretty easy to figure out what they need in order to supply all the above and to meet the requests from other cybercriminals and cybergangs:

• Hosting services
• Good bandwidth

Obviously, criminal organisations just cannot call up a given ISP asking them for a hundred hosting contracts, since “we must host child porn and some fake bank Web Front-End”… This means that cybercriminals need other “add-ons” such as:

• Anonymization
• Laxism in closing websites
• Lack of cybercrime laws
• (possibly) interaction with other cybercriminals

Well… RBN was the answer. Even if most security researchers guess that RBN is dead, my personal opinion is that the original RBN “team” has just been “unpacked” into tens of smaller cybercrime groups, making it even harder for Law Enforcement to track them down. IMU is just another example of a “cybercrime ISP”, including its own “dark links” with third-party companies. RBN acted for some years as The Internet Service Provider for cybercrime actions, delivering all kinds of black services to the whole world. The scheme shown below, taken from David Bizeul’s excellent research paper, shows RBN’s own modus operandi.

In order to achieve all of the above goals, actions and crimes, a cybercrime organization must take the following steps:

Building the base: Malware and

Here the crime team builds the “tools” and the electronic weapons they will need in order to execute the cybercrime actions. This mainly means creating the malware, often (ab)using already-existing vulnerabilities – just as happened with the most famous worms in the recent past, or with the China attacks towards Google and US Government agencies – or, in a few and mostly rare other cases, developing and/or acquiring 0-day vulnerabilities from the Black Market. Often, the real job is done by modifying already-existing vulnerabilities, so that antivirus and other defense tools will not be able to spot the on-going attack. Talking about Botnets, much the same approach applies here as well: attackers may set up the on their own, rather than buying hours from already-existing Botnet infrastructures, at very cheap prices even!

Identity Theft

In this second step, attackers will run massive phishing attacks (or other kinds of tricks, with the sole goal of stealing IDs for different purposes) and automated worms (i.e. on Facebook, Twitter, etc). A recent trend we have found is to exploit unknown (“fresh”) vulnerabilities on Social Networks, so that the attackers may be able to gain thousands of IDs with a single attack action. Identity thefts may range from focused, intentional and highly planned financial information thefts to personal information theft, which would be used to achieve different goals from the above ones (meaning: fake credit requests, applying for ATMs and Credit/Debit Cards under a fake identity, etc.). In the last months we’ve observed a very focused activity on e-banking information, with a couple of worms written explicitly with this goal in mind. A very recent example is Mariposa (“Mariposa worm”), a Russian botnet written in order to collect financial credentials and information from the infected PCs (see: http://scforum.info/index.php?topic=3280.0;prev_next=prev)

e-crime execution

Once the tools are built and the botnets are working properly in order to steal IDs, the bad guys need to run e-banking attacks – using the stolen credentials – and frauds/scams, such as on eBay. In my opinion this third step is the most important one, and it should be deeply investigated. In fact, “e-crime execution” can be run in tons of different ways, including “old-school” schemes such as Credit Requests, though using the new chances offered by today’s IT. What I mean is that this part should be really exploded and carefully analyzed, in order to gain much more knowledge of all the existing, available options for cybercriminals.

Money Laundering

Here we go, the last but not least step… transforming all of those data into real money, without being caught. For sure this step is as important as the previous one, since it is among the least explored by security researchers, while the traditional, already-existing “counter-fraud” and “anti money-laundering” departments in financial institutions often lack real in-house knowledge of the latest IT and ICT money-laundering techniques, aka “cyber laundering”. In any case, in this last step the cybercriminals set up money-laundering networks that may act in different ways, relying on different actors and criminal profiles. For example, during the world-famous 9.5 Million USD theft run by 4 hackers at RBS WorldPay, also known as “The International Ring”, or the “TJX hack” run by and its associates, the cybercriminals used hundreds of “mules” from all over the world.

The Mules or “e-mules” issue is a big problem, somehow strongly supported by the global economic crisis and breakdown that all the countries of the world are experiencing. This leads to more and more people who, intentionally or not, may accept to become an e-mule, laundering money then sending it to places such as Russia, Ukraine and so on, directly into the hands of the cybergangs. In order to let our readers gain a better understanding of how complex the “ecosystem” of cybercrime is, I’m adding the next scheme as a gold-mine. In fact, it refers to a carding web site, where subscribers sell and buy stolen credit card information (as well as identities, banking credentials, etc.). As we can see, the structure is really complex, and being a Member of a given cybercrime portal simply means that you are at the start of a pyramid-shaped scale, which has at the top the real Administrators of the crime web site. Among them, we can also see the Trial Vendors and the Reviewed Vendors (an important status in the crime ecosystem), then jumping to the reviewers (1st level of Site Management), moderators, global moderator(s) and the real owners (possibly?), meaning the administrators. Bringing all the above to a criminal scheme would just look like this:

So the actors we can see are mainly:

• Hackers, Coders and Scammers, working on phases 1, 2 and 3;
• Providers, e-launderers and e-mules, working on phases 3 and 4;
• A centralized “brain”, one or more human minds, taking care of the two groups of actors and supervising all the phases.
• (bottom line), the Underground Economy itself, meaning trading in stolen goods and information, malware, tools, expertise and skills.

After RBN, the technical approach stayed much the same, while we can find an extremely important, albeit small, difference from the previous scheme:

Right now what we have, with or without “RBNs” around us, is the fact that those 3 groups just became a single entity, coordinated and acting like a unique and single mind: the cybercrime organization model.

Conclusions

I hope this article may help security researchers, Law Enforcement Officers, Agencies, public and private Institutions to better understand, and thus fight, today’s cybercrime. What I expect to observe in the next months is an overall rise in cybercrime actions, pushing more and more on 0-day vulnerabilities, social networks and the exploitation of mobile users (handsets). The rule is always one and it’s pretty easy: trust no one.

The power of networking: an insight on the Russian Business Network by Gianmaria Vernetti

Whether you are a web addict or an occasional user, you have surely heard about spam and junk e-mail: every day your account receives weird messages from unlikely mail addresses, be they online pharmacies or soft porn. If you think that is just a pursuit for hackers and geeks, you are quite far from the truth.

Consider that 90 trillion emails were sent over the internet during 2009. Consider that 85% of those emails were spam. And, finally, consider that the majority of that spam was released by an organised crime gang: the Russian Business Network.

Born to be wild

The Russian Business Network (RBN) is the biggest cyber-organised crime gang in the world, judged by the security company VeriSign as “the baddest of the bad”. Activities of the RBN include spam, child pornography, online casinos and phishing scams for identity theft, but the main source of income of the RBN comes from internet pharmacies: one of these, Canadian Pharmacy (which, despite the name, is based in Ukraine and Russia) is the top source of spam and malware worldwide. Currently, the RBN operates through 19 different names and operating divisions. The official origins of the Russian Business Network date back to 2006, when the company was registered as an internet site. One of the main claims is that the RBN leader and creator, known on the web as Flyman, is allegedly the nephew of a powerful and well-connected Russian politician. According to enquiries, all the projects carried out were entirely legal at first, but soon the owners decided to turn the business to criminal activities, starting to offer web hosting services and internet access for illegal transactions and money laundering: in a short time, the RBN reached market leadership with a share of internet crimes of about 60%. By the end of 2006, the company started increasing its operations, both in terms of geographical diffusion (for example the denial-of-service attack on the National Australia Bank in October 2006) and activities, becoming a powerful cybercrime service provider. The beginning of 2007 marked a turning point in the history of the RBN: its leading role in the spamming arena and the attacks carried out worldwide prompted the FBI to start investigations in partnership with the Russian Federal Security Service.
By the end of the year, the RBN virtually disappeared from Russian servers and disbanded itself; rather than representing the end, the move marked a shift in its strategy, fragmenting the company, along with its 406 web addresses and 2.090 domain names, into small organisations with servers relocated to China, Turkey, Ukraine, Panama and the United States: since then, according to Aleksandr Gostev, director of Kaspersky Labs, «the world has got about 10 RBNs».

Origins of the RBN and ties with organised crime

What are the reasons behind the astonishing entrepreneurial success of the RBN and its leadership in the cyber-criminal arena? Several professionals have pointed out that the Russian Business Network is the diamond point of a massive cyber movement that has flourished in former Soviet-bloc countries since the 90’s, linked in heterogeneous ways with the rise of organised crime gangs. To explain this phenomenon a mix of elements should be taken into consideration. First of all, a high level of tertiary education; according to statistics from the World Bank, in 2007 Russia had a GER (Gross Enrolment Ratio) of 72,3%, one of the highest in the world, far beyond the European average. Then the socio-political environment must be considered. With the fall of the Soviet Union and the disbanding of the bureaucratic apparatus, several former scientists, researchers and professors turned to organised crime: this brand new “army” of experts provided cyber organised crime gangs with a high level of expertise and know-how. Thirdly, a high level of corruption; in the last release of the Transparency International Corruption Perceptions Index, Russia scored 2.1, the worst figure in the ranking: the perception of corruption in the country is almost null. Finally, the political environment originated by the rise of oligarch-like systems has provided the organised crime gangs with the ideal terrain to grow and prosper, in all Russian-speaking countries, with strong protection from the political élite. In some cases, institutional actors have benefited from organised crime gang activities and have used them to strengthen political influence: that is the case of the Russian Business Network.

The political environment

Ties between the RBN and the Kremlin can be assessed by three interesting episodes of cyber-diplomacy. On 26 April 2007, the Estonian government decided to move a Soviet memorial of the Second World War from the centre of Tallinn to the outskirts; this provoked the uprising of Moscow and of the Russian-born Estonian citizens. In the following days, the Estonian web system came under hundreds of DDoS (distributed denial-of-service) attacks using large amounts of ICMP traffic, causing serious consequences for the stability of the system; thanks to a huge IT infrastructure, the main servers held out and normalcy was soon restored. On 20 July 2008, the website of the Georgian president came under a denial-of-service attack, shutting the website down for about 24 hours. Then, on 8 August, a distributed denial-of-service attack was launched against the Georgian government websites, at the same time as the attack led by the Russian Army against the Georgian forces. The cyber war between Georgia and Russia focused on shaping public opinion on the internet, using a variety of cyber techniques such as the creation of fake web sites to control the respective version of the truth. Finally, on 18 January 2009, the two main internet servers in Kyrgyzstan came under a denial-of-service attack, shutting down websites and email within the country. The attack originated from Russia on the same day the Russian government was pressuring Kyrgyzstan to stop US access to the Manas airbase at Bishkek. All three attacks share common elements: they all affected former Soviet republics; they all occurred during a diplomatic crisis with Russia; they all originated from Russian servers; they all were conflict attempts against the Russian sphere of influence in the region. Even though there is no certainty of a direct involvement of the Kremlin, several sources have suggested the role of some members of the Russian political establishment in the management of the attacks.
As far as the Russian Business Network is concerned, its involvement in the attacks seems almost clear: no other cyber-gang has, at least in Russia, the same power, both in terms of IT infrastructure and know-how; further technical analyses have moreover confirmed the role of the company in the attacks. It is interesting to underline, however, that the Russian Business Network seems not to have concrete political interests: in the episodes mentioned, it has probably worked as a supplier. The RBN's goal is ultimately business; in this perspective, the role of the company in the DDoS attacks against the Iranian opposition at the end of 2009 confirms this statement.

The invisible threat

With a yearly estimated turnover of two billion dollars, the Russian Business Network is currently a leading organised crime gang. The great strength of its success lies in the “invisible” kind of activities it is able to carry on, operating on massive scale economies around the world with a high level of expertise. This is undoubtedly a concrete threat for web users as well as for civil society. It is worth noting that today cybercrime is one of the safest ways to carry out money laundering operations; the use of and botnets allow cybercriminals to steal identities and therefore to set up money laundering networks in a safe and precise way. Links with “traditional” crime gangs have given birth to a synergy between the real world and the virtual one, with few possibilities for public authorities to fight the phenomenon. That is why the RBN represents an invisible threat, sharing the same power as Mexican drug lords and the Italian mafia. So forget the traditional stereotype of Russian organised crime: whether you are a web addict or an occasional user, be aware of the (cyber) world you live in.

International cybercrime by Henry Peltokangas

In the past decade cybercrime has evolved and expanded from hacking to organised eCrime networks. These groups are primarily interested in financial gains contrary to the cyberwarriors of the past who were motivated by the challenge of penetrating secure computer systems and the bragging rights that came with it.

Globally, but especially in Europe, cyber criminals have specialised and organised, which has led to a very resilient phenomenon due to its network structure. Each node acts independently, monetizing on specific intermediate products. These criminal activities are supported by semi-legal operations, such as bulletproof hosting infrastructures, domain creation and software or malware development. Fighting this relatively new phenomenon has turned out to be problematic due to the borderless nature of the Internet and its anonymity. The average Internet user leaves a relatively clear trail in cyberspace for both law enforcement and criminals to exploit. However, the opposite is true for cyber criminals, who are often more familiar with the Internet’s infrastructure than the law enforcement authorities trying to catch them. In addition, criminal cases are often dropped, due to limited jurisdiction, after the evidence leads outside the country where the victim lives. In these cases law enforcement has to rely on international cooperation, which is rarely initiated without proof that the damages from the attack have been severe. However, in many cases it is hard to establish exactly how severe the crime has been or to quantify the damages from it. Damages from a single fraud or theft rarely warrant an international investigation, and attributing several cases to a single actor is often problematic not only due to lack of evidence but also because victims rarely report them to the police. Sometimes they do not know that they have been victimised or, in the case of large corporations, they might be unwilling to disclose that their systems have been compromised because they fear its impact on their investments. Another obstacle in investigating and prosecuting cyber criminals is that several countries, like Russia, Belarus, Ukraine and several Central American countries, act as safe havens for cybercrime.
A combination of inadequate legislation, rife corruption, uncooperative law enforcement and/or lack of mutual legal assistance and extradition treaties makes these countries ideal for both traditional organised crime and organised cybercrime. Investigating crimes in these countries is not only problematic due to the aforementioned obstacles but also because, despite a successful investigation and prosecution, it is likely that only low level criminals will ever be convicted, thus undermining the system’s effectiveness.

Innovative Marketing Inc.

A case in point is the story of a Belize-based Internet company named Innovative Marketing Inc. (IMI), founded by Daniel Sundin and Sam Jain in 2002. The company generated revenue by selling pirated music, software, pornography and Viagra via the Internet. In 2004, Jain and his associates were sued by Symantec for allegedly creating pop-up ads that told victims that their Symantec software was about to expire, after which they were directed to a website that sold software similar to that of Symantec. The case resulted in a closed settlement after Jain failed to appear in front of the court. Despite the default sentence of $3 million USD to be paid to Symantec by Jain and his associates, including James Reno, the owner of ByteHosting, the settlement only forbade them to sell Symantec software ever again. Based on a statement by Reno, none of the defendants ever paid a penny to Symantec.

Expanding the business model

Despite the legal problems IMI faced in 2004, the company continued its illegal business by innovating the first generation of rogue antivirus (AV) software. The software dubbed ComputerShield appeared to be like any other legitimate except it did not protect its users from any kind of malware. Despite the software not working, the company decided to take advantage of the recent panic over worm and aggressively market their software online, allegedly achieving monthly profits of more than $1 million USD from software sales. IMI’s Ukrainian office, Innovative Marketing Ukraine (IMU), was responsible for developing and re-branding IMI’s rogue AV software, which quickly became one of the most elaborate schemes, including hundreds of brand names, thousands of domains and a network of affiliate programs that were used to spread the fraud. The first rogue AV programs used a fake alert to trick people into thinking their computer was infected with malware and then encouraged them to buy one of IMI’s programs to fix the problem. Later an additional adware component was included that redirected victims to travel, pornography, discount drugs, fake AV and other product websites. This business model earned IMI an estimated $180 million by 2008; however, the number is likely a lot higher.

Affiliates and shell companies

Initially the adware was spread via paid hackers that IMI called “affiliates.” The hackers used browser hijacking among other illegal means to install the software on victims’ computers, for which they were paid as little as $.10 USD per computer, while the company made up to $5 USD from each infection. In addition, IMI bought legitimate ad space from MyGeek (now known as AdOn) for over $3 million USD between October 2004 and November 2006. The ads were displayed more than 680 million times. By 2007, the malware was also distributed using fake codec scams and Trojans. Users were targeted by false positives, fake alerts and warnings of infection on their computers. The most common attack vector used was outdated versions of the Sun Java platform. After MyGeek refused to run IMI’s ads, the company set out to create their own fake advertising groups, known as Burn Ads, Preved Marketing, AdTraff, NetMediaGroup, UniqAds, Infyte and ForceUp: in total, at least seven different fake advertising agencies. These companies were not only used to service IMI’s own internal needs; advertising services were also sold to other websites like CareerBuilder.com, Travelocity.com and Priceline.com. However, these ads were embedded with malicious code which was used to spread IMI’s various adware programs. MyGeek was not the only company that refused to service IMI and accept profits from its Ukrainian-made scareware. In 2005, the Bank of Bahrain and Kuwait stopped servicing IMI due to complaints from victims of its scareware. At the time, IMI had the highest volume of credit card processing of any entity in Bahrain due to its high chargeback rates. It took five months for IMI to find a bank that was willing to handle its transactions.
Ultimately, DBS bank from Singapore took up IMI’s accounts, unaware of the company’s illegal business, which was being funneled through front companies, such as BillPlanet PTE Ltd., Globedat and Revenue Response, and numerous merchant accounts in order to hide that it all came from IMI. In order to reduce the number of chargebacks, IMI had opened call centers in the US, Ukraine and India. They were responsible for taking calls from angry victims and convincing them that the program was authentic and was working as intended. Sometimes this involved disabling all legitimate antivirus software on the victim’s computer in order to silence the flood of warning messages as legitimate AV programs identified that the computer had been infected with IMI’s scareware. Before IMI’s disbandment, the company boasted of having multiple offices all around the world, numerous call centers, shell companies for payment handling and at least seven advertising companies. Its Ukrainian office had at least three locations in Kiev employing between 400-500 people, mostly students and recent graduates, who were likely aware of the company’s illegal doings, but were willing to look the other way because of the job market.

Disbanding Innovative Marketing

As a result of a US Federal Trade Commission lawsuit, IMI was disbanded in 2008. However, its owners have to this date avoided the law and are believed to live in Sweden and Ukraine. Following the FTC’s lawsuit, in April 2009, a joint investigation by the FBI and the Security Service of Ukraine (SSU) seized hundreds of servers and computers from three places in Kiev. It is believed that soon after the seizure, the SSU received a bribe from IMU’s Ukrainian owners in exchange for 2-3 hour access to the servers, which were in the possession of the SSU and were being stored until an FBI forensic team could examine them for evidence. In December 2009, it was decided that the criminal case in Ukraine would be closed and by January 2010 the servers and computers were returned to IMU after no evidence was found on their hard disks. To date, nobody has been arrested or charged with a crime in Ukraine, while some evidence suggests that IMU continues to operate in a smaller capacity under another name. However, so far no new fraud scheme can be connected to these companies, of which one seems to be developing at least semi-legitimate AV products. The future prospect is that the next innovation in rogue AV development will be selling not fake but bad software with hidden malicious functionalities.

Conclusion

Innovative Marketing Inc. is one of the largest illegal operations that we have seen and it was highly organised, with numerous front companies and business units. It also demonstrates how slow and ineffective our legal system is in responding to international organised cybercrime, especially when its critical assets are located in Central and Eastern Europe. It is not only expensive and time consuming to pursue these entities across the globe, but the effects of such actions can be easily undermined by corruption or inadequate legislation. The fight against cybercrime will be long and arduous, and law enforcement and private companies need to prepare to be the underdogs until cooperation and new legislation catch up with the criminals’ innovation.

Innovative cybercrime: made in Ukraine? by Oksana Prykhodko

Today the website of Innovative Marketing Ukraine (http://innovativemarketing.com.ua) looks harmless: it offers various T-shirts with the company logo and IT symbols, even though the welcome page states “company offers huge spectrum of services in the domain of IT, I-commerce, marketing and advertising”.

The “Contacts” section provides only two options, an ICQ number and an e-mail address. In the depths of the Internet you can find a telephone number, but it does not exist anymore. The physical address has been changed many times. Actually, two years ago this site also did not arouse suspicion. The company’s activity looked very similar to its description: “successful multiple discipline”, up to 600 employees, call centre, high salaries, corporate culture. And highly demanded products – a FREE scan for computer viruses. But this activity of the company was blocked in December 2008 by the decision of a US federal judge, resulting from a lawsuit filed by the US Federal Trade Commission (FTC), the nation’s consumer protection agency. Visitors of the world's most popular sites, such as Major League Baseball, the National Hockey League, The Economist, E-Harmony, and Zillow.com, clicked on ads for such a free scan (unaware that they were being redirected to bogus antivirus websites), and the scan revealed a lot of problems with their own computers. According to the information from the FTC, more than a million Internet users, after receiving acknowledgement that their PC was infected with pornography or malware, paid from 40 to 100 USD to clean their machines. A few hundred users, with more sophisticated computer skills, applied to law enforcement authorities. As it turned out, the ads, the acknowledgements and the cleaners were all faked – only to collect money and to leave credulous users unprotected against real computer viruses (the purchased scareware removed real antivirus protection). According to the FTC, the main defendants in this case are:
• Innovative Marketing (IM) Inc, a company incorporated in Belize (country in Central America) that maintains offices in Kiev, Ukraine;
• ByteHosting Internet Services, LLC – operate using a variety of aliases and maintain offices in various countries. ByteHosting Internet Services is based in Cincinnati, Ohio.
From the press release of the FTC: «The complaint alleges that these two companies, along with individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, violated the FTC Act by misrepresenting that they conducted scans of consumers’ computers and detected a variety of security or privacy issues, including viruses, , system errors, and pornography. On December 2, 2008 the FTC requested and received a temporary restraining order from the U.S. District Court for the District of Maryland. Under its terms, the defendants are barred from falsely representing that they have run any type of computer analysis, or that they have detected security or privacy problems on a consumer’s computer. They also are barred from using domain names obtained with false or incomplete information, placing advertisements purportedly on behalf of a third party without that party’s consent, or otherwise attempting to conceal their own identities. The order also mandates that companies hosting the defendants’ Web sites and providing domain-registration services take the necessary steps to keep consumers from accessing these websites». According to FTC materials, Innovative Marketing Inc. was registered in Belize in 2002 by Internet entrepreneur Daniel Sundin (he also opened an office in Kiev, Ukraine). But in Uanet it is possible to find information that Innovative Marketing Ukraine was set up in 1999. On February 24, 2010 the US District Court for the District of Maryland issued a default judgment as to Daniel Sundin. Supposedly he is now in Sweden (his parents live there). Thanks to the NewScientist, we know his American and Canadian partners. For example, Sam Jain, an Internet entrepreneur, who in 2005 received a lawsuit from the company Symantec, which alleged that his company ran adverts mimicking update alerts from Symantec and other legitimate security firms, but directed users to software sold by Jain. The case cost Jain USD 3 million in damages.
And now an international warrant has been put out for his arrest. The former Canadian partners - Marc and Maurice D’Souza, father and son – received law enforcement attention in 2007, when IM filed suit against them in Canada, claiming that the D’Souzas had allegedly siphoned off USD 48 million of IM money. During this hearing it was revealed that the revenues of the company climbed from USD 11 million in 2004 to USD 53 million in 2006 – and this was based, as Marc stated, «on deceptive practices, including selling antivirus programs that did not detect common threats and registering websites under false names». Marc hit back in August that year with his own suit alleging that, among other things, Jain had conspired to force him out of IM and that he should receive USD 5 million in damages. Besides, Jain had another partner, Kristy Ross of Maryland. According to the suit, she spent more than USD 3.3m during a 25-month period starting in October 2004 to advertise products including WinFixer, WinAntivirus, DriveCleaner and ErrorSafe. She is known also for spending USD 30,000 at Harrods in London and USD 23,000 at the fashion house Louis Vuitton in 2008, and, for example, over USD 500 for a meal. Both Jain and Ross are currently inaccessible. The only “whipping boy” in this case at this moment is James Reno, the sole owner of ByteHosting, who settled with the FTC on 17 June 2009. This does not mean that Reno admitted his guilt. In a statement e-mailed to the Business Courier, Reno said he denied any connection with Innovative Marketing other than as a provider of call center services and network infrastructure management services. But he settled for the USD 1.9 million judgement, which will be suspended if ByteHosting pays a tax bill of USD 17,827 to the IRS (The Internal Revenue Service, US tax collection agency) and the funds in four bank accounts, totaling around USD 100,000, are forfeited to the FTC.
In an e-mail Reno said his company's assets were frozen by the court, “leaving him stuck without a single USD 1 to my name and unable to hire a lawyer or travel to Maryland to make court-ordered filings”. The total amount of damage in this case is USD 163,167,539.95, according to the FTC. What about Ukraine? The Security Service of Ukraine (SBU – successor of the Soviet KGB, analogue of the US CIA) is investigating this case and refuses to give any comments until the investigation is completed. It is known only that up to 400 programmers worked for this company, writing parts of viruses, and some dozens of translators translated materials into 20 languages, for example, for other countries of Eastern Europe. And, of course, there was a highly effective call centre, and the main task of its operators was to persuade doubting clients to purchase cleaners. Ukraine is often named as the main source of cybercrime in Europe. Is it true or not? Representatives of foreign firms in Ukraine such as doubt such statements. But the Ukrainian government does not object to such accusations and does not require them to be proved or disproved. It uses these accusations as excuses for the enactment of bills which do not strengthen security on the Internet, but do restrict freedom of speech. It is really easy to hire Ukrainian students to write fake antivirus programs, or to convince consumers to purchase unsafe products. Yes, Ukraine is a very poor state (the average salary is about USD 200). Yes, Ukraine is very rich in technical skills. Unfortunately, the Ukrainian government does nothing to use such skills in a proper manner. And it does nothing to enhance the Internet and computer literacy of Ukrainian citizens. Instead it spends a lot of money on the National Evaluation Commission of Ukraine of the Protection of Public Morals – a state authority with enormous powers, which was declared by the Council of Europe a tool of censorship. This Commission is known for its clumsy struggle with pornography, especially on the Internet.
The brightest “achievement” of this Commission is the banning of The Simpsons and Borat. On the other hand, the international nature of cybercrime demands international cooperation between law enforcement authorities. For example, the SBU is investigating the case of Innovative Marketing Ukraine in close cooperation with the FBI and CIA. A special department dealing with cybercrime has existed in the SBU since 2004, and the number of detected crimes is over 550. Last year the same kind of department was created at the Ministry of Internal Affairs, and it already has 130 cleared cases. But black holes in Ukrainian legislation remain a very big problem. Yuliya Morenets from TaC (Together against Cybercrime) comments on this situation: «Ukraine signed and ratified in March 2006 the Council of Europe’s Convention on Cybercrime. But now it is important to see how it is implemented and, speaking about the implementation, we could say that a number of amendments and articles are inactive». Nobody knows how to apply these articles and the existing lacks in a number of articles make things more difficult for the criminalisation of criminal acts, for the judgments and of course for the international cooperation. If we take the example of art.361-1 of Penal Code of Ukraine, here we speak about «...the production of harmful software or technical devices...», do we have the clear definition of what the harmful software is? Could we say that the is the part of it, legally speaking? But, after it is also the problem of Criminal procedural law, how Ukraine implemented the procedural part of the Convention? And of course there is the question of jurisdiction, the question of place of criminal act, in our case is it USA or Ukraine or the place where the computer was scanned (so where the person clicked on the button?). All these legal issues pose some problems and the question of the reactivity and the applicability of the Ukrainian legal framework on cybercrime.
The case of IM is expected to be unprecedented, and not only on a Ukrainian scale, and maybe it can help to solve such systemic problems.

Thanks to Internews Ukraine for the assistance in writing this article.

UNICRI: knowledge and information on emerging threats by Francesca Bosco

Since its foundation in 1968, UNICRI (United Nations Interregional Crime and Justice Research Institute) has carried out several projects to better understand and analyse the role of transnational organised crime in civil society.

With the development of new technologies and the boom of the World Wide Web, UNICRI has made important efforts to share knowledge and information on emerging crimes and related trends. This is particularly true as far as cybercrime is concerned. We have asked some questions to Francesca Bosco, Project Officer at UNICRI Emerging Crimes Unit, in order to better understand the cyber phenomenon from an international and institutional point of view.

How long has UNICRI been involved in research and analysis on cybercrime?

UNICRI has been involved in the field of cybercrime since 2004, with the goal of formulating ad hoc prevention policies, security methodologies, and to assist member states in keeping up with the ever-shifting trends of cybercrime as, too often, high-level policies fail to keep the pace with the rapid technological growth spurts occurring every day. The Emerging Crimes Unit, under which our cybercrime research operates, seeks to formulate prevention policies, develop methodologies and techniques, and to strengthen the capacities of those involved in investigating and prosecuting cybercrimes.

What are currently the main trends in cybercrime?

The daily proliferation of new ICTs makes it difficult to predict what medium cyber criminals will employ next. But it is safe to say that consumers and end-users will continue to be the favourite victims of low to middle level cybercriminals, who see them as the low-hanging fruit and specifically target them in an attempt to steal and monetize their PII (Personal Identifiable Information), to push spam to them via social networks, or to add their infected machines to a botnet for further crimes. Miscreants will accomplish this by deploying sophisticated blended-threats delivered to web and e-mail clients, and will further appropriate social networking for both their open-ended (such as phishing) and targeted attacks (information gathering). These latter attacks are conducted by highly skilled attackers and will become more virulent in nature, with all the hallmarks of an APT (Advanced Persistent Threat) such as the one that Google and dozens of other IT companies had fallen prey to at the turn of 2010 in what is now dubbed “”. A very dangerous trend may concern the actors actually committing cybercrime rather than the methods applied. There is growing suspicion that traditional organised crime is adapting the Internet to supplement their illicit enterprises; obviously this aspect vastly increases the threat posed by cybercrime at the national and international level.

What strategies is UNICRI carrying out to counteract cybercrime? What are the projects UNICRI is working on as far as cybercrime is concerned?

Over the years, we have been focusing on the issue of training and applied research. Past and ongoing projects on cybercrime include:

• European Certificate on Cybercrime and Electronic Evidence: UNICRI, in collaboration with Cybex, developed the European Certificate on Cybercrime and Electronic Evidence (ECCE); this tool was intended for judges, lawyers and prosecutors with the goal of providing them with technical training on cybercrime, a way to manage electronic evidence and the corresponding legal framework
• The Hackers Profiling Project (HPP): in 2004, UNICRI embarked on an ambitious research project applying traditional criminal profiling techniques to the hacker subculture to identify their varied backgrounds, motives and attitudes in order to better understand upcoming hacking trends and to develop effective deterrents for the criminal elements involved. So far, over 1,200 individuals have participated in this phase and have submitted their questionnaires. A noteworthy output of this research project was the book “Profiling Hackers. The Science of Criminal Profiling as Applied to the World of Hacking,” published in December 2008. Through a better understanding of hackers, their psychology and the techniques they employ, HPP will facilitate the prevention and countering of ICT crimes, and will improve the operational methods that may lead to the identification of computer intruders
• Child Online Protection (COP): an initiative created and led by the International Telecommunications Union (ITU) aimed at protecting children online. UNICRI was responsible for developing the Guidelines for Policy Makers
• ICT Security Training Program: in the Spring of 2010, UNICRI deployed its first ICT Security Training Program, a series of 2-5 day courses held at the UN Campus in Turin on the topics of , Hackers Profiling, Digital Forensics, SCADA and National Critical Infrastructure Security
• World Summit on the Information Society 2010 (WSIS): the 2010 Forum was held on 10-14 May 2010 at the ITU Headquarters in Geneva, Switzerland. This event offered participants a series of diverse interactions in multi-stakeholder set-ups, ranging from high level plenary sessions and debates, to interactive thematic workshops and meetings addressing critical issues to the WSIS implementation, follow-up, and new initiatives, providing an opportunity to exchange knowledge and facilitate networking among the participants. UNICRI played an active role in the following four workshops:
  ◦ Cybercrime: Behind The Cyber Threats: Overall Picture and the Underground Economy (organized by UNICRI, Team Cymru and ITU)
  ◦ Cybercrime: Strategic Reaction for Member States (organised by UNICRI, Team Cymru and ITU)
  ◦ Cybercrime Risk Assessment and Threat Mitigation (organized by UNICRI, Team Cymru and ITU)
  ◦ Child Online Protection (organized by UNICRI, GSM Association, eNASCO, Save the Children and EBU)
  ◦ Moreover, UNICRI also actively participated in the IFM Action Line C5: Building confidence and security in the use of ICTs.
• Digital Trust Symposium: UNICRI, in partnership with VeriSign Inc., hosted the first European Digital Trust Symposium in Rome, on 21-22 June 2010. This event was intended to serve as a neutral venue where participants spanning across many sectors (e-commerce, financial institutions, law enforcement, governmental bodies, and the security industry) could share their experiences and develop ad-hoc solutions to the risks inherent in allowing criminals to erode economic and social trust in this technology.

What are the main threats of cybercrime for the civil society?

In the Report of the Secretary General’s High Level Panel on Threats, Challenges and Change (2004), “A more secure world. Our shared responsibility,” it is clearly highlighted that we live in a world of new and evolving threats, which could not have been anticipated when the UN was founded in 1945. Threats like environmental degradation, state collapse, terrorism and transnational organised crime. All of them can undermine societies as well as the international system. Collective security today depends on accepting that the threats which each region of the world perceives as most urgent are in fact equally so for all. Personal and financial information is at the core of business transaction records and financial data that identifies customers. The volume and value of personal and financial information makes it very attractive to those with criminal intentions. Keeping sensitive information away from those with malicious intent is a growing problem for many organisations and government agencies and a genuine concern for consumers, who may lose faith in e-commerce, e-government or online banking initiatives while online miscreants pilfer and abuse their PII to commit identity theft, theft of service or financial fraud with little to no concerted oversight from governments, law enforcement agencies or private enterprises. Together, technology and the computer infrastructure play an essential role in identifying solutions to cybercrime, including fraud management, logical security issues, and maintaining compliance with a growing number of regulations addressing cybercrime. In addition, cyber attacks, or breaches of information security, appear to be increasing in frequency, and few are willing to ignore the possibility that the severity of future attacks could be much greater than what has been observed to date. The current wave of malware attacks is no longer perceived as a technical problem, but as a major business one.
The outcome of today’s successful cybercrime attacks can result in a wide range of business damages, including: loss of existing customers; difficulties in acquiring new ones; loss of intellectual property; loss of R&D data, product designs, and road maps; brand name and corporate image damage; negative impact on competitive position; loss of market share; potential lawsuits and class actions; non-compliance with rules and regulations. Other damages include loss of productivity due to downtime, investigations, and damage control.

What are the geographic areas where the cybercrime phenomenon is more active?

Cybercrime is, to a large degree, transnational in nature. The Internet was originally designed as a military network that was based on decentralised network architecture. As a consequence of its underlying structure and the global availability of services, cybercrime often has an international dimension. E-mails with illegal contents are easily sent to recipients in a number of countries, regardless of whether the original sender and the final recipient are both in the same country or if they use an e-mail service operated by a provider abroad. Some of the popular free e-mail service providers have millions of users worldwide, further highlighting the transnational dimension of cybercrime. In 2005, the number of Internet users in developing countries surpassed the number in industrial countries. If these new users were no more likely than those in developed countries to be predators, the overall number of predators should continue to expand apace. But the number of high-value victims, largely located in richer areas, will remain more or less the same. As a result, the intensity of the attacks on this unchanging victim pool is likely to grow.

What are and what could be the legal instruments to counteract cybercrime?

One of the biggest problems in drafting cybercrime laws is harmonizing definitions. This agreement, however, is essential for extradition as well as for evidence and jurisdiction purposes. This lack of harmonization also affects comparative reporting and statistics; therefore, the full scale and impact of cybercrime cannot be counted. Despite the transnational dimension of cybercrime, the impact in the different regions of the world differs substantially. This is particularly relevant for developing countries. There is an urgent need for common rules and cooperation between States so that authorities can act effectively across jurisdictions to bring offenders to justice. Many relevant steps have been already taken. However, the current prevalence of cybercrime, the outstanding profitability of its business models, and the low risks involved indicate that the law still has many challenges and issues to face. Existing legislations need to be applied. Law enforcement personnel and business leaders must be more involved in protecting sensitive information since fighting cybercrime is a priority issue. Legal and international cooperation issues include:

• Ensuring that all countries have in place strong legal frameworks for cybercrime, whether computers/information systems are used in the execution of a crime (e.g. harassment, fraud, selling illegal goods) or as the object of a crime (e.g. hacking, malware dissemination, denial of service)
• As technology evolves and new threats emerge, cybercrime laws should be always modernized to match these threats (e.g. botnets). Regular reviews and updates are needed to ensure that both laws and investigations stay in line with cybercriminal advancements
• The global nature of cybercrime makes arresting and prosecuting cybercriminals difficult. Penalties for cybercrime are comparatively weak. There is a strong need to enforce the existent provisions on the topic and to create more specific ones
• ISPs should be actively engaged to be part of the dialogue and part of the solution, given their important oversight and responsibility for the traffic which flows through their networks. Both ISPs and other intermediaries (such as money transfer agencies) who can have an enormous impact on the success of global investigations must therefore be engaged in the fight against cybercrime
• The cross-border sophistication in tracking and arresting cybercriminals needs to be improved in order to be more effective. The frameworks in place need to be well understood throughout the legal system in each country so that they can be better applied, and law enforcement capacity must improve to deal with cross-border investigations
• Governments, service providers, financial service providers, security experts and others who can have an enormous impact on the success of global investigations must be engaged across borders and encouraged to work together

One of the main themes of the recent World Crime Congress, which was also echoed in the Salvador Declaration, was that Member States have to adapt their criminal justice systems to changing times. For example, they called for a review of the United Nations standards and norms on crime prevention and criminal justice to consider, if necessary, updating and supplementing them. They focused on using new technologies to fight crime, for example for foiling cyber-crime, money laundering, and human trafficking. They also looked at ways of fighting new forms of crime, like environment-related crimes, identity-related crimes, piracy of digital material and cybercrime.

What is the role of the organised crime groups in cybercrime? What are the future trends concerning the relation between cybercrime and organised crime?

The opportunities granted by the Internet have transformed many legitimate business ventures by streamlining their operations, increasing the range of transactions that can be pursued, and alleviating costs. Unfortunately, criminals have also discovered that the Internet can provide them with new illicit business opportunities and multiplier benefits. The "underside" of the Internet involves not only fraud, theft of service and paedophile rings, but also drug trafficking and traditional criminal organizations who are keen to exploit their new resources. In the virtual world, as in the real world, most criminal activities are initiated by individuals or small groups best understood as "disorganized crime;" yet, organized criminal groups are exploiting the many benefits that the Internet can provide them, and they are actively or passively working with traditional structures to augment their operations. The combination of constantly evolving criminal activities and a lack of reliable information linking traditional organized crime to cybercrime makes it difficult to obtain an accurate picture of the current situation. Nevertheless, it is clear that the volume and profitability of cybercrimes are growing, becoming increasingly sophisticated and internationalized. All of this poses a serious threat, and needs to be recognized by both the public and private sectors. 
UNICRI is currently developing a research project on the topic to achieve the following goals:

• Explain why the Internet is so attractive to criminals in general and to organized criminality in particular by reviewing existing literature and conducting selective interviews with key experts in the information security world
• Identify some clearly discernible trends that can provide important clues about the ways in which organized crime and cybercrime are beginning to overlap, such as the use of ICT media in the conduct of more "conventional" crimes as well as the tentative links between online criminals and traditional organized crime enterprises
• Identify a series of measures to allow stakeholders to effectively answer to the growing exploitation of the Internet by organized criminals.

UNICRI will actively work to increase knowledge among policy makers about the extent and nature of organized crime’s involvement in online abuse and cybercrime; it will keep track of criminals’ adoption level of ICT media in their conventional crimes and how all of this impacts the economies and societies of Member States. UNICRI’s involvement in this issue will culminate in an evidence-based action to empower national and international stakeholders in assessing their own needs and preventing cybercrime.