4/22/2009 11:28:00 AM

Credit cards on a clearance sale and your internet security

by Iftach Ian Amit

You may already be familiar with how eCrime works from our past research and field presence, but here is one more great example of this fascinating business: This article at the Washington Post covers the drop in prices of stolen credit cards. It talks about how a surge of “fresh merchandise” has hit the market and commoditized these credit cards to a level where you’d get change from a single dollar… It’s a great example of how eCrime works just like any other business in an economic ecosystem, and adapts to supply and demand.

To complement the article: another contributing factor to the surge in availability is a surge in the availability of FTP credentials for legitimate sites. How do these two connect? Simple: FTP sites storing web content get accessed by eCriminals (through an automated process, of course), and the content associated with the website is modified to deliver a MalWeb attack that yields additional Trojan/Botnet infections. This leads to more credentials (both for FTP and for financial services), which get to the market, get sold, and so on… This vicious cycle feeds itself with more credentials, more access to financial resources, and more infected systems, all enhancing the revenues of the eCrime business.

Simply put, the whole picture is what counts, rather than specific incidents. Protection, on the other hand, is regarded as “I have an AV”… leaving virtually millions of systems in the hands of MalWeb and other web threats that have proven to be more effective than thou.

Case in point – get better protection. For the sake of all of us… make sure that you can get protection from as far as your ISP, to as close as your home router, and of course your PC. For enterprises it’s been easy with SWG (Secure Web Gateway) products providing that much needed layered protection, but for consumers we have usually smirked and had to dodge the questions of “so what do I do”. Start looking for ISPs that can provide that protection – beyond the “I’ll throw in an AntiVirus and an inkjet printer if you sign a 2 year contract”.

Online Fraud | Security Predictions | eCrime

4/5/2009 11:29:00 AM

Fighting eCrime? We are not there yet!

by Iftach Ian Amit

I was just reviewing the latest FBI report from the Internet Crime Complaint Center (IC3) here (PDF), and although I’m sure that a lot of security vendors out there are going to jump on the “33% increase in internet fraud last year” statements, looking into the actual numbers, it’s important to realize how “off” they are. As “Non-delivery” and “Auction fraud” top the charts (with 32.9% and 25.5% respectively), this means that the report only sees the tip of the iceberg. These are just the money mule schemes that are intended for laundering all of the profits actually made by eCrime. And it makes sense – most of the focus for law enforcement is on the lowest hanging fruit, and in the eCrime business model this means money laundering.

Another insight into how eCrime actually works can be learned from the average amounts reported per complaint type – the “non-delivery” types (of merchandise or money) range around $800 per complaint, while check and confidence fraud are at the $2000-$3000 loss per complaint. This makes sense: when an eCrime “transaction” starts, it is usually based directly on a banking/financial institution account, harvesting large sums of money that are later split into smaller amounts (to lower visibility) and laundered through the “field operatives” (i.e. money mules). Bottom line – we still don’t have the full picture and (unfortunately) still cannot assess the true impact of eCrime in economic terms.

The bright side is that there is more awareness in the public (hence the rising numbers – remember that these are based on REPORTED cases…). Although the main focus as I mentioned is still on the perimeter of the business model, hopefully the continued cooperation between law enforcement and the industry (kudos again to the e-Crime congress which I had the pleasure to be part of last month) will get us all to the phase of handling the actual core of the business model and deal with it properly. We’ll keep doing our job in investigating both the technical aspects of the attacks associated with eCrime, as well as the back-office operations, and hope to get everyone lined up to deal with this growing threat. 

Online Fraud | eCrime

2/15/2009 1:14:00 PM

Social networking threats - the "hacker" story

by Iftach Ian Amit

As the social networking threats angle is picking up a lot of traction lately <pat_on_own_back>, the folks at Netragard have posted a great write-up on using social networks as an attack tool – involving both social engineering as well as technical exploits. The post can be found here, and I just want to quote a couple of sections that I feel very strongly about:

“The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook. We didn't read all 906 profiles but we did read around 200 which gave us sufficient information to create a fake employee profile” … “After the payload was created and tested we started the process of building an easy to trust facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching google images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.”

Needless to say that the newly created fake profile, which could just as well have been hijacked, went a long way in terms of enabling the attackers (who were commissioned to perform a penetration test this time) to gain access to internal company resources quite easily.

Hackers | Online Fraud

12/22/2008 12:45:00 PM

Who owns your online identity? Facebook squatters on the rise

by Iftach Ian Amit

I have just read a couple of excellent posts (on SquaredPeg, and InsideFacebook) that talk about something I have been preaching for a while – your online identity and how easily it can be manipulated (or falsely created). The posts talk about Facebook groups and accounts that have been created for the class of 2013 for quite a few colleges in the US, while in fact none appeared to be legitimately affiliated with the incoming class at any of the colleges.

Motive? In this incident, it’s mostly marketing – getting a head start on the right audience can go a long way nowadays.

This is not the last of it. In what may have been the first more publicly exposed online identity “squatting” (remember the domain name cyber squatters of the 90s…) I do expect a lot more to come on that front. So, if you haven’t got a Facebook/LinkedIn/MySpace/Bebo account yet, you probably want to make sure you get one soon enough. You never know who may be creating an online persona of yourself now. The implications are grave; just thinking of what kind of damage someone could do if he was to create an account for me, connect to my friends and business partners, and start communicating on my behalf is mind-boggling.

So don’t just be safe out there. Be out there! That is to say, knowing what’s out there under your name is the first step in protecting your online identity.

Update (12/24/08): As noted to me by my colleague Andrew Lindell, this is also true for your real identity as it is manifested online in other means. For example - online banking, bill payments, and online credit card management. If you do not have an account for these - get one now! It's overly simple to obtain a bank statement or a bill, and use it to set up online banking on your behalf. Even if you don't plan to use online banking - get an account, put a decent password on it and tuck it away. That way you can be sure that no one can create that account for you using some old banking statement!

Online Fraud

9/18/2008 6:35:00 PM

Less phish, more meat? Malweb proving to be more efficient than phishing scams.

by Iftach Ian Amit

In a somewhat below-the-radar report, the Anti-Phishing Working Group (APWG) is, for the first time, showing in its Q1 report a decrease in the number of phishing reports towards the end of the quarter.

In a startling (although expected) contrast – reports on crimeware, malware, Trojans and other malicious code (all delivered by Malweb!) are on the rise, as the attack vector that uses Malweb is proving to be the most efficient ROI-wise.

Our view on this – obvious! Phishing is a one-off that targets a single institution. It may be efficient for a short time, as these sites are being detected and brought down rather quickly. Malweb, on the other hand, is a long-term investment. It brings in the ability to install a more persistent rootkit/Trojan on the victim’s system, which would provide a more configurable platform for financial fraud than a phishing scam would.

The report is available at http://apwg.org/reports/apwg_report_Q1_2008.pdf.

Malweb | Web-based Trojans | Online Fraud