How cybercrime works and why gangs are drawn to this lucrative trade

‘Some cybercrime gangs will even offer consultants to help you set it up, hire money mules, and give you a target to attack'

Yahoo! News 
Press Association - Cybercrime is big business worldwide - with a cost to users of $388billion in the past 12 months, cybercrime is almost as damaging as the entire world trade in illegal drugs.

When your computer is infected with malicious software, people around the world swing into motion. The attacker who sneaked the software onto your PC - perhaps via a spam email claiming a pizza delivery is on its way to your house, which spurs the householder into ‘cancelling the order’ on a fake website - is just one link in a chain of ‘employees’, ranging from unknowing ‘money mules’ up to consultants who create tailor-made cyber attacks for a price.


Cybercrime is big business worldwide - with a cost to users of $388billion in the past 12 months, cybercrime is almost as damaging as the entire world trade in illegal drugs. A million people are affected every day, and the ‘business’ is growing rapidly. What is surprising, though, is how much like a ‘real’ business it operates. Cyber attacks are not run like a simple street mugging; there is management as structured as in many a dotcom business.

One person will be paid to breach your computer - turning it into a ‘zombie’, a remote-controlled machine that can be instructed to download new malicious software at any time. Another will be paid to install malicious software - including the package that captures your bank details.

Banking attacks evolve as fast as banks’ defences, and cybercrime gangs will be up to date - the latest versions sit in your browser, assuring you that your balance has not changed, or siphon off money without even needing a password.

The people through whose bank accounts money moves - known as ‘money mules’ - will often not even be aware they are involved in money laundering, and just think they have had the luck to land a very easy job, for which they cream off their percentage.


But most of the money travels upwards, to the ‘managers’ further up the chain, and the ‘creatives’ who craft a novel attack - mirroring the structure of an ‘ordinary’ company.

‘There are different roles for each person,’ says Orla Cox, security operations manager at Symantec Security Response. ‘Some hackers will be paid for every time they install malicious software on someone’s computer. It’s pretty much an industry. There’s a manager sitting up top behind the scenes, and multiple players located in different parts of the world.’

‘Some hackers will just buy a kit - it will provide everything you need to launch a fairly sophisticated cyber attack,’ says Cox. ‘It will provide tools and instructions to compromise a website to infect computers that visit it, then the attackers will get paid for every time they install this infection on a computer.’

‘There’s a stereotype,’ says Cal Leeming, a former hacker responsible for a £750,000 theft, who now works in security for Simplicity Media, ‘but you’d be surprised. Really hackers aren’t just one type of person. One person could be sat at home, a 15-year-old kid, but there are others who are 19 or 20 years old, who have jobs, a social life.’

Contrary to the portraits often painted in the press, hackers are largely not elusive computer geniuses. Most are simply competent computer users who’ve been tempted to visit ‘dark’ online markets where banking Trojans and other malicious software can be bought for money.

Others are provided with the software by their employers. The enormous growth in cybercrime is due partly to the spread of computers - but also to the fact that it’s difficult to prosecute shadowy networks of criminals operating out of multiple countries at once.

‘For a common criminal, it’s actually a lot safer than grabbing a bag in the street,’ says Norton’s director of security response, Kevin Haley. ‘Citizens could knock you to the ground, the police could get called. Crooks are cluing into that. You don’t have to be technical. Some cybercrime gangs will even offer consultants to help you set it up, hire money mules, and give you a target to attack. A lot of cybercrime comes from developing countries with a large computer population such as South Africa and Brazil, places with high physical crime rates. It’s a whole underground economy.’

Hackers Hit 30,000 Oil Company Computers

Sky News – Fri, Sep 7, 2012

More than 30,000 computer hard drives belonging to the world's biggest oil company have been damaged in a cyber attack, an investigation has revealed.

According to sources, Saudi Arabia's national oil company was hit after at least one insider with high-level access allegedly assisted hackers to wreak havoc on the company's network last month.

The attack, using a computer virus known as Shamoon against Saudi Aramco, is one of the most destructive cyber strikes conducted against a single business.

Shamoon spread through the company's network and wiped computer hard drives clean.

Saudi Aramco said damage was limited to office computers and did not affect systems software that might harm technical operations.

But the hackers' apparent access to a mole, willing to take personal risk to help, is seen as a concerning development in the ultra-conservative country where open dissent is banned.

"It was someone who had inside knowledge and inside privileges within the company," a source familiar with the ongoing forensic examination told Reuters.

Hackers from a group called The Cutting Sword of Justice claimed responsibility.

They said the computer virus gave them access to documents from Aramco's computers, and have threatened to release secrets, but so far no documents have been published.

Reports of similar attacks on other oil and gas firms in the Middle East, including in neighbouring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked.

The company declined to comment on the investigation's evidence.

The hacking group that claimed responsibility for the attack described its motives as political.

In a posting on an online bulletin board the day the files were wiped, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for "crimes and atrocities" in several countries, including Syria and Bahrain.

Saudi Arabia sent troops into Bahrain last year to back the Gulf state's rulers, fellow Sunni Muslims, against Shi'ite-led protesters.

Riyadh is also sympathetic to mainly Sunni rebels in Syria and believed to be a main provider of materiel in the civil war against the Shia-backed Assad regime.

Saudi Arabia's economy is heavily dependent on oil and it holds 20% of the world's proven reserves.

According to the CIA, oil export revenues account for 90% of total revenues and 45% of the country's GDP comes from the oil industry.

Exclusive - Insiders suspected in Saudi cyber attack

By Jim Finkle | Reuters – Fri, Sep 7, 2012

(Reuters) - One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia's national oil company last month, sources familiar with the company's investigation say.

The attack using a computer virus known as Shamoon against Saudi Aramco - the world's biggest oil company - is one of the most destructive cyber strikes conducted against a single business.

Shamoon spread through the company's network and wiped computers' hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations.

The hackers' apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

"It was someone who had inside knowledge and inside privileges within the company," said a source familiar with the ongoing forensic examination.

Hackers from a group called "The Cutting Sword of Justice" claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco's computers, and have threatened to release secrets. No documents have so far been published.

Reports of similar attacks on other oil and gas firms in the Middle East, including in neighbouring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked.

Saudi Aramco declined to comment. "Saudi Aramco doesn't comment on rumours and conjectures amidst an ongoing probe," it said.

The hacking group that claimed responsibility for the attack described its motives as political.

In a posting on an online bulletin board the day the files were wiped, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for "crimes and atrocities" in several countries, including Syria and Bahrain.

The Saudi interior ministry did not respond to requests for comment. The foreign ministry was not available for comment.

Saudi Arabia sent troops into Bahrain last year to back the Gulf state's rulers, fellow Sunni Muslims, against Shi'ite-led protesters. Riyadh is also sympathetic to mainly Sunni rebels in Syria.

Saudi Arabia's economy is heavily dependent on oil. Oil export revenues have accounted for 80-90 percent of total Saudi revenues and above 40 percent of the country's gross domestic product, according to U.S. data.

DESTRUCTIVE

Saudi Aramco, which supplies about a tenth of the world's oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources say.

According to analysis of Shamoon by computer security firm Symantec, the way the virus gets into networks may vary, but once inside it tries to infect every computer in the local area network before erasing files to render PCs useless.

"We don't normally see threats that are so destructive," Liam O Murchu, who helped lead Symantec's research into the virus, said. "It's probably been 10 years since we saw something so destructive."

The state-run oil company - whose 260 billion barrels of crude oil alone would value it at over 8 trillion dollars, or 14 times the market value of Apple Inc. - was well protected against break-in attempts over the Internet, according to people familiar with its network operations.

Yet those sources say such protections could not prevent an attack by an insider with high-level access.

It is unusual for insiders to be fingered in cyber attacks. Verizon Business, which publishes the most comprehensive annual survey of data breaches, said that insiders were implicated in just 4 percent of cases last year.

The hackers behind the Shamoon attack siphoned off data from a relatively small number of computers, delivering it to a remote server, the sources said. They later threatened to release that information.

Because the virus wiped the hard drives, it is difficult for Saudi Aramco to determine exactly what information the hackers obtained.

An email address and password, which the poster claimed belonged to Aramco CEO Khalid Al-Falih, was posted on a website often used by hackers to show off their achievements, this time signed by the "Angry Internet Lovers". No sensitive Aramco files have been uploaded on that site.

Sources who spoke to Reuters said they were not aware whether the hackers had made specific demands, what they might have been or whether they were met.

The sources would not say whether the suspected mole or moles are Saudi Aramco employees or outside contractors, or whether they accessed a workstation inside Saudi Aramco's offices or accessed the network remotely.

The Saudi interior ministry was unavailable to comment on whether anyone has been arrested as part of the investigation.

VIRUS TARGETS PCS

The Shamoon virus is designed to attack ordinary business computers. It does not belong to the category of sophisticated cyber warfare tools - like the Stuxnet virus that attacked Iran's nuclear programme in 2010 - which target industrial control systems and can paralyse critical infrastructure.

"Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems components or U.S. government agencies," the Department of Homeland Security's United States Computer Emergency Readiness Team said in an August 29 advisory.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."

It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.

Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.

(Additional reporting by Daniel Fineren and Humeyra Pamuk in Dubai; Editing by Peter Graff and Janet McBride)

Saudi Aramco says most damage from computer attack fixed

By Daniel Fineren and Amena Bakr | Reuters – Sun, Aug 26, 2

DUBAI (Reuters) - Saudi Aramco, the world's biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations in mid-August, the company said on Sunday.

Immediately after the August 15 cyber attack, the company announced it had cut its electronic systems off from the outside world to prevent further attacks.

On Sunday, Saudi Aramco said the workstations had now been cleansed of the virus and restored to service. Oil exploration and production were not affected because they operate on isolated systems, it said.

"We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever," CEO Khalid al-Falih said in a statement.

However, one of Saudi Aramco's websites which was taken offline after the attack -- www.aramco.com -- remained down on Sunday. Emails sent by Reuters to people within the company continued to bounce back.

The company said the virus "originated from external sources," and that an investigation into the causes of the incident and those responsible was continuing. It did not elaborate.

Information technology experts have warned that cyber attacks on countries' energy infrastructure, whether conducted by hostile governments, militant groups or private "hacktivists" to make political points, could disrupt energy supplies.

Iran, the target of international economic sanctions focused on its oil industry over its disputed nuclear program, has been hit by several cyber attacks in the last few years.

In April, a virus targeted the Iranian oil ministry and national oil company networks, forcing Iran to disconnect the control systems of oil facilities including Kharg Island, which handles most of the country's crude exports.

Iran has attributed some of the attacks to the United States, Israel and Britain.

Current and former U.S. officials told Reuters this year that the United States built the complex Stuxnet computer worm to try to prevent Tehran from completing suspected nuclear weapons work.

POSTING

An English-language posting on an online bulletin board on August 15, signed by a group called the "Cutting Sword of Justice," claimed the group had launched the attack to destroy 30,000 computers at Saudi Aramco.

It said the company was the main source of income for the Saudi government, which it blamed for "crimes and atrocities" in several countries, including Syria and Bahrain. Saudi Arabia sent troops into Bahrain last year to back the Gulf state's Sunni Muslim rulers against Shi'ite-led protesters. Riyadh is also supporting Sunni rebels against the Syrian regime of President Bashar al-Assad.

Before this month's attack, the Cutting Sword of Justice was not widely known, and information security experts contacted by Reuters had no information on the group.

Rob Rachwald, director of security for U.S.-based data security firm Imperva, said in a blog posting last week that if the Saudi Aramco attack was carried out by hacktivists, it could be a milestone in computer hacking.

"A group of hobbyists and hacktivists with several very strong-minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish," Rachwald wrote.

Symantec, one of the world's largest internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus that was targeting at least one organisation in the global energy sector, although it did not name that organisation.

"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," Symantec said in a blog posting about the virus, which it called W32.Disttrack. "Threats with such destructive payloads are unusual and are not typical of targeted attacks."

Saudi Aramco's Al-Falih said in his statement on Sunday: "Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack."

(Additional reporting by Reem Shamseddine and Angus McDowall, editing by Andrew Torchia and Anna Willard; desking by Gary Crosse)


Qatar's Jazeera website hacked by Syria's Assad loyalists

Reuters – Tue, Sep 4, 2012

DUBAI (Reuters) - The website of Qatar-based satellite news network Al Jazeera was apparently hacked on Tuesday by Syrian government loyalists for what they said was the television channel's support for the "armed terrorist groups and spreading lies and fabricated news".

A Syrian flag and statement denouncing Al Jazeera's "positions against the Syrian people and government" were posted on the Arabic site of the channel in response to its coverage of the uprising against President Bashar al-Assad which began in March last year.

Al Jazeera took the lead in covering the uprisings across the Arab world, and Qatar, one of the Sunni-led states in the region, publicly backed the predominantly Sunni rebel movement in Syria against Assad's Alawite-led government.

Opposition activists on Twitter blamed the hacking on Assad loyalists.

Jazeera officials were not immediately available for comment.

The hacking attack, claimed by a group calling itself "al-Rashedon", is the latest in a wave of cyber attacks on news agencies and energy companies, carried out by hostile governments, militant groups or private "hacktivists" to make political points.

Last month, Qatar's Rasgas, the world's second-biggest liquefied natural gas (LNG) exporter, found a virus in its office computer network, just two weeks after the world's biggest oil producer, Saudi Aramco, in neighbouring Saudi Arabia was hacked into.

The blogging platform of the Reuters News website was also hacked last month and a false posting saying Saudi Arabian Foreign Minister Prince Saud al-Faisal had died was illegally posted on a Reuters journalist's blog.

Although the identity of those hackers is not known, there is an intensifying conflict in cyberspace between supporters and opponents of Assad. Saudi Arabia has emerged as a staunch opponent of Assad.

(Reporting by Rania El Gamal in Dubai and Erika Soloman in Beirut, editing by Tim Pearce)

Hundreds more cyber attacks linked to 2009 Google breach

BOSTON (Reuters) - The hacker group that attacked Google Inc in 2009 has launched hundreds of other cyber assaults since then, focusing on U.S. defence companies and human rights groups, according to new research from security software maker Symantec Corp.

Google said in January 2010 that it and more than 20 other companies were the victims of a sophisticated cyber attack - later dubbed Operation Aurora - from China-based hackers that resulted in the theft of intellectual property.

Although the hackers were never publicly identified, the incident heightened tensions between Washington and Beijing over growing evidence that a significant number of cyber attacks against U.S. institutions originated from China.

"It was big news at the time, but what people don't realize is that this is happening constantly," said Eric Chien, a manager in Symantec's research group. "They haven't gone away, and we wouldn't expect them to go away."

Symantec said on Friday the hackers behind Operation Aurora have focused on stealing intellectual property, such as design documents from defence contractors and their suppliers, including shipping, aeronautics, arms, energy, manufacturing, engineering and electronics companies.

The hackers used components of a common infrastructure that Symantec termed the "Elderwood Platform," named after a word repeatedly found in the software code used in different attacks.

Over the past year, the Elderwood hackers have focused almost exclusively on stealing data from companies that supply parts to big defence contractors, rather than targeting the firms themselves, Chien said.

The second most common group of targets was non-government organizations involved in Tibetan human rights issues. Financial firms and software companies were also targeted, Symantec said.

The security firm, which sells anti-virus software to corporations and consumers under the Symantec and Norton brands, declined to identify specific victims and noted that it did not have evidence to prove the attacks originated from China.

Cyber security experts widely believe the Google attacks originated from China.

Dmitri Alperovitch, chief technology officer of security startup CrowdStrike, said his firm has linked the culprits to more recent attacks, including ones last year on EMC Corp's RSA Security division and Lockheed Martin Corp.

The hackers infected personal computers by exploiting what were major security flaws in commonly used software from Adobe Systems Inc and Microsoft Corp. Such flaws, known as zero-day vulnerabilities, are rare because they are difficult to find. The flaws have since been fixed.

Last year, security experts uncovered eight zero-day flaws being exploited by various hacking groups, according to Symantec.

Symantec said it believed the Elderwood hackers alone have used eight zero-day vulnerabilities from 2010 to 2012 - the largest number it has seen from a single organization. That suggests the group had the money to hire large teams of skilled software engineers or to purchase such vulnerabilities.

Some experts estimate that a zero-day vulnerability that enables attackers to hack into highly secured systems can cost hundreds of thousands of dollars, even more than $1 million.

The fact that the Elderwood hackers have used so many zero-day vulnerabilities suggests the group is either a very large criminal organization, backed by a nation-state, or a nation-state itself, Chien said.

(Reporting By Jim Finkle; Editing by Tiffany Wu and Jeffrey Benkoe)

Alps Shootings: Police Find Two Phones In Car

Sky News –

Police in France have found two mobile phones inside the car in which three people, including a British couple, were shot dead.

Sky's crime correspondent Martin Brunt, who is in Annecy where the murders took place, said the phones could explain how and why Saad al Hilli and his wife Iqbal died, alongside a Swedish woman and a French cyclist.

"Did they make any calls in the preceding hours or days that might have involved a rendezvous in that remote layby halfway up the mountain to meet someone they knew?" he asked.

Brunt said the phones would also tell the police if calls had been made to the emergency services as the attack happened.

The couple's two daughters survived the attack and are being treated in hospital in France.

French and British police will today conduct further searches of the al Hilli family home in Claygate, Surrey, as they look for a motive for Wednesday's murders.

Officers began a detailed search of the family's mock Tudor property yesterday.

They placed a tent in the driveway of the house and also took evidence-gathering material, including boxes and bags, into the property as well as photographing the exterior.

One forensics officer took various pieces of equipment into the property, including an angle grinder which could be used to access locked cupboards or a safe.

During a news conference in France, prosecutor Eric Maillaud said each of the four people who died was shot twice in the head, and he hoped the authorities would "solve this awful drama as quickly as possible".

French detectives from the Haute-Savoie region widened their investigation by travelling to the UK.

In a joint statement by British and French officers outside Woking police station, Colonel Marc de Tarle said the investigation was "long and complex" but that the cooperation between both countries was going smoothly.

In Surrey, a technician from a local security firm was called to disable the burglar alarm that sounded shortly after detectives went into the detached house.

Former Metropolitan Police detective Peter Bleksley told Sky News: "It was a visit more than a search for the French officers.

"They've left it in the hands of the forensics experts who are in the blue and white overalls and will pick through this house.

"Our homes tell the stories of our lives and there could be all sorts of things that might offer up unknown facts or family secrets."

French investigators also plan to interview Mr al Hilli's brother - who has approached UK police to deny any feud between the siblings over money.

Mr Maillaud said the police would be speaking to all immediate family members about the killings.

Iraqi-born Mr al Hilli, 50, was shot dead in his BMW alongside his dentist wife while on holiday close to Lake Annecy.

An older Swedish woman who was travelling in the car was also killed, along with Sylvain Mollier, 45, a French cyclist who apparently stumbled across the attack in Chevaline, near the borders of Italy and Switzerland.

Around 40 French investigators are working around the clock on the case. Swiss and Italian police are also helping in the hunt for those behind the shootings.

The couple's four-year-old daughter Zeena lay undiscovered under her mother's corpse for eight hours after the murders, while her seven-year-old sister Zainab remains in a medically-induced coma after being shot and beaten.

There has been speculation the Swedish woman is the children's grandmother but this has not been confirmed.

Two close family members of the young girls have arrived in the region with a British social worker. They will be allowed to visit the children, but only under the supervision of detectives.

The two orphans have been in the care of British consular staff and nurses.

Mr Maillaud said Zeena has been looked after by psychiatric teams and had spoken about what he described as the "terror" of what happened, but did not see anything because she was hiding.

Zainab is not yet well enough to be interviewed, but it is hoped she will be able to provide vital details of the attackers.
