Originally published Monday, December 3, 2007 at 12:00 AM
Cybercrime: How online crooks put us all at risk
San Jose Mercury News
Vocabulary of cybercrime
Bot-herders: Those who control the armies of computers known as botnets.
Botnet: A "robot network," or collection of zombie PCs, usually controlled by Internet crooks who have surreptitiously installed malware on people's computers.
Drive-by download: A user visits a Web site containing malicious code that installs itself on the user's PC.
Malware: Any computer software created with malicious intent.
Phishing: Sending e-mails that appear to come from a trusted entity (such as a bank or well-known company) that trick people into giving up personal and financial information.
Spam: Unwanted e-mails sent to users to get them to buy something, take an action or reveal information.
Trojan: Malicious computer software disguised as a useful program that tricks users into opening or installing it.
Virus: Computer code that infects a file or program, then takes actions and spreads when the user opens that file or program.
Worm: A self-replicating computer program that transfers itself between PCs, often clogging the network as it spreads.
Sources: SANS Institute, San Jose Mercury News research
Somewhere in St. Petersburg, Russia's second largest city, a tiny startup has struck Internet gold. Its dozen-odd employees are barely old enough to recall the demise of the Soviet Union, but industry analysts believe they're raking in well over $100 million a year from the world's largest banks, including Wells Fargo and Washington Mutual.
Their two-year rise might be the greatest success story of the former Eastern Bloc's high-tech boom — if only it weren't so illegal. But the cash may be coming from your bank account, and they could be using the computer in your den to commit their crimes.
The enigmatic company, which the security community has dubbed "Rock Phish," has rapidly grown into a giant of the Internet underground by perfecting a common form of Internet crime known as "phishing." The thieves capture people's personal computers, then use them to send phony e-mails that trick other users into revealing private financial information.
"Rock is the standard. They're the Microsoft. Everyone else is a bit player," said Jose Nazario, a researcher at security company Arbor Networks.
As big as Rock Phish has become, though, it is a sliver of a much larger problem.
During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame. These Al Capones of the information age are like ghosts in our Web browsers, silently taking over our computers, stealing digital bits, and turning our data into cash.
They've created a sophisticated, cyberspace shadow economy, which government and research firms estimate costs us tens of billions of dollars annually. The crimes themselves, and their staggering effect on our wallets, are disturbing. Yet the greater concern is the failure of corporate executives, government leaders and average citizens to comprehend the mounting threat and fight back.
"People talk about a 'Digital Pearl Harbor,' but that's already happened," said Rick Wesson, chief executive of Support Intelligence, one of many Silicon Valley companies battling these cybercriminals.
Organized online crime didn't appear out of nowhere — security experts have been tracking its growth for years — and it's exploding: The number of new pieces of malicious software, or malware, tripled in the first half of this year vs. the previous six months, according to computer-security company Symantec. And the number of phishing Web sites spotted in the first three months of 2007 by security-software maker McAfee skyrocketed 784 percent compared with the year before.
These attacks cost real people real money — individual Americans lost at least $200 million last year to online fraud — and that's just the people who took the time to report their misfortune to the FBI's Internet Crime Complaint Center. Those 200,000 cyberfraud victims said they were swindled out of an average of $724 — an amount small enough to discourage individual reporting and to help keep Rock Phish relatively hidden.
Businesses are hit even harder: Average annual losses from security incidents doubled to $345,000 per company in the 2007 Computer Security Institute survey. A 2006 FBI estimate pegged the total cost of cybercrime to businesses above $67 billion.
"The volume in absolute numbers is going through the roof," said Mark Harris, global director of SophosLabs, the research unit of British security vendor Sophos. "We've simply stopped counting."
Phishing raised into art
Rock Phish has raised phishing — the scam in which phony e-mail tricks people into revealing passwords and other financial information — into an art. What the group lacks in technical wizardry, it makes up for with cunning, to bait even wary computer users and avoid detection in the process:
• The e-mails look professional, in part, because even the early campaigns were sent in perfect English. Recently Rock Phish has expanded its target audience by conducting campaigns in French, German and even Dutch.
• Fancy marketing logos and fonts help Rock Phish e-mails mimic the legitimate messages sent by targeted banks.
• Rock Phish was one of the first to fool antispam programs by hiding the phish inside an image, instead of typing it in as text.
• Rock Phish wrote software that created a series of Web sites with slightly altered names, avoiding detection by spam-blockers on the lookout for one single link showing up repeatedly in e-mails.
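The name-rotation trick in the last bullet is also a weak spot a mail filter can work from the defender's side. As an added example that is not part of the article, the Python below groups links from one batch of messages by a normalized hostname (leading "www." dropped, digit-for-letter swaps inside words undone, remaining digits stripped) and flags any group that shows up under several distinct raw hosts; the links and hostnames are constructed and hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample links, as a filter might extract them from one batch of
# messages. The first group differs only by a digit or a digit-for-letter swap.
SAMPLE_LINKS = [
    "http://secure-login1.example.net/bank/",
    "http://secure-login2.example.net/bank/",
    "http://secure-login7.example.net/bank/",
    "http://secure-l0gin.example.net/bank/",
    "http://www.example-bank.com/about",
    "http://mail.example.org/inbox",
    "http://secure-login9.example.net/bank/",
]

LEET = {"0": "o", "1": "l", "3": "e"}  # digit-for-letter swaps to undo


def normalize_host(url):
    """Collapse the variations a rotating campaign uses: lowercase, drop a
    leading 'www.', undo digit-for-letter swaps inside words, strip digits."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    # A 0/1/3 wedged between letters is read as o/l/e; other digits go.
    host = re.sub(r"(?<=[a-z])[013](?=[a-z])", lambda m: LEET[m.group()], host)
    return re.sub(r"\d+", "", host)


def find_rotating_campaigns(links, min_variants=3):
    """Group links by normalized host and return the groups seen under at
    least `min_variants` distinct raw hostnames. One link repeated many times
    does not trigger; many near-identical hostnames do."""
    groups = defaultdict(set)
    for url in links:
        raw = (urlparse(url).hostname or "").lower()
        groups[normalize_host(url)].add(raw)
    return {norm: sorted(hosts) for norm, hosts in groups.items()
            if len(hosts) >= min_variants}


if __name__ == "__main__":
    for norm, hosts in find_rotating_campaigns(SAMPLE_LINKS).items():
        print(f"{norm}: {len(hosts)} variants -> {hosts}")
```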
The scale of the operation is enormous: Rock Phish is responsible for as many as half of all phishing sites worldwide, according to a University of Cambridge study. More people see Rock Phish messages, click on their links, and give up valuable banking information than in any other phishing campaign. If frauds are measured by their number of victims, Rock Phish is one of the most successful in history.
One of a new breed
Rock Phish, of course, is only one of a highly successful new breed of cybercriminals. Other organizations have developed completely different schemes with the same goal: Steal cash from unsuspecting Internet users.
Some people are lured into visiting Web pages containing malware, either by inadvertently visiting infected sites or by clicking on an e-mailed link. There, a pixel-size frame, invisible to the user, stealthily installs code onto the computers of visitors lacking the latest Web browser security updates. Most users have no idea such a "drive-by download" has taken place, even as these Trojan horses surreptitiously log their banking passwords or other private information.
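The pixel-size frame described above leaves a mark in the page source that a site owner or crawler can look for. As an added example that is not from the article, this stdlib-only Python scanner flags iframes that are hidden through CSS or sized at one pixel or less, and notes when such a frame points to a host other than the page's own; the sample page and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a visible frame, a 1x1 CSS-hidden frame pointing
# off-site (the shape of an injected drive-by frame), and a zero-width frame.
SAMPLE_HTML = """<html><body><h1>Customer support</h1>
<iframe src="https://support.example.com/chat" width="400" height="300"></iframe>
<iframe src="http://injected.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/help/faq" style="display:none; width: 0px"></iframe>
</body></html>"""

def px_value(value):
    """Parse '1', '1px' or ' 0' to an int; None if absent or not numeric."""
    m = re.match(r"\s*(\d+)", str(value)) if value is not None else None
    return int(m.group(1)) if m else None

class HiddenFrameScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (src, [reasons]) for each hidden or tiny iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        for dim in ("width", "height"):
            px = px_value(a.get(dim))
            if px is not None and px <= 1:
                reasons.append(f"{dim}<=1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if re.search(r"(width|height):0(px)?(;|$)", style):
            reasons.append("css-zero-size")
        if reasons:  # an off-site src is noted only for an already hidden frame
            src = a.get("src") or ""
            host = urlparse(src).hostname
            if host and host != self.page_host:
                reasons.append(f"external:{host}")
            self.findings.append((src, reasons))

def scan_for_hidden_iframes(html, page_host):
    """Return (src, reasons) for every iframe that is hidden or near-invisible."""
    scanner = HiddenFrameScanner(page_host)
    scanner.feed(html)
    return scanner.findings
```

A visible frame pointing off-site is an ordinary embed and is not reported; only a frame that is already hidden or tiny gets the external-host note.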
Criminals are increasingly hiding this malware within apparently safe sites. Last year, Circuit City acknowledged that its customer-support site had been hacked and was serving up dangerous code, allowing hackers to take control of visitors' PCs.
In an April research paper called "The Ghost In The Browser," a Google security team led by Niels Provos described a digital hunt through billions of Web pages searching for malicious sites. Using a process Provos calls "conservative," the team identified more than 450,000 Web pages that included malicious code, and 700,000 that "seemed" dangerous. Google says the numbers are now much larger.
Even the least technical crooks can launch phishing campaigns or control a network of millions of hacked computers at the touch of a button, by purchasing do-it-yourself cybercrime kits.
For about $1,000 on underground sites, you can buy MPack, a full-service malware attack and distribution kit, which lets you host a Web page that infects any user who visits. Owners can even monitor the number, type and location of infections from MPack's handy console page.
Security experts' struggle
Despite intense scrutiny, security experts are still struggling to understand much about these criminal organizations and the scams they carry out.
Some researchers, for example, believe many attacks attributed to Rock Phish are actually launched by copycats who have purchased a Rock Phish kit. Experts who've tracked the group for years toss out conflicting names of its suspected kingpins and lieutenants, none of whom has been apprehended.
"They're incredibly elusive, and a bunch of theories are going on about them — many are well-informed, many aren't," said Arbor Networks' Nazario.
This much seems known:
Rock Phish takes advantage of a division of labor that didn't exist among hacker groups even a few years ago.
"It's got to run as a well-oiled machine to do what they do," with one member planning attacks while others schedule the work or oversee operations, said Arjen de Landgraaf, who has spent two years investigating Rock Phish on behalf of his New Zealand security-consulting firm, E-Secure-IT.
Rock Phish's e-mail campaigns — like much of the underground online economy — rely heavily on botnets, short for "robot networks," to confuse victims and evade cybercops. Each botnet is an army of zombie PCs, some in corporations, some in your neighbors' living rooms, under remote control of Internet crooks, launching new rounds of malicious attacks.
Armed with information from computer users who respond to the group's phishing scams, Rock Phish logs in to their online bank accounts. It then transfers money from victims' accounts to the accounts of money mules. These unsuspecting assistants have been hired by phony Rock Phish companies that sport innocuous names.
The assistants get e-mail notices that money has been deposited into their personal bank accounts. They are instructed to withdraw the cash and wire the money, less a commission, back to their employers — who are supposedly international consulting firms.
Monitoring attacks
Dave DeWalt stood beneath the massive mounted television screen in April, staring at thousands of dots as they flickered across the continents of a digital world map. Each represented a real-time cyberspace attack: green for dozens of spam e-mails spewed out in the past six hours, amber for hundreds and red for more than 500 sent.
DeWalt was inside a corporate laboratory in Aylesbury, England, roughly 5,000 miles from the headquarters of McAfee, which he had recently joined as chief executive. McAfee researchers had narrowed down to a one-mile radius the locations of computers hurling out e-mails to swindle, scam or make life miserable for Internet users.
Dots appeared inside university dorms, popped up across the Middle East, swarmed through Eastern Europe. In more than 20 years in the tech industry, DeWalt had never seen anything like it. He began to understand something few Americans — even at the highest levels of government, business and academia — are able to grasp: the complex reality of the omnipresent cybercrime crisis, spreading from Silicon Valley to Southeast Asia.
"I came into McAfee not knowing what was going to hit me," DeWalt said.
Copyright © 2007 The Seattle Times Company