Jeremiah Grossman, founder and CTO of WhiteHat Security, demonstrated at the ITWeb Security Summit, in Midrand, this week, how easy it is for almost anyone to commit fraud.
Grossman is the co-founder of the Web Application Security Consortium and prior to working at WhiteHat was an information security officer at Yahoo.
Smooth criminals
He said the general perception is that cyber criminals use sophisticated hacking skills and high-powered tools to exploit a system for financial gain. But this is no longer the case, he pointed out, as just about anybody can commit fraud or steal confidential information to sell to the underground market.
He presented examples of how cyber criminals are getting smarter and the tactics they're using for financial gain.
“A hacker, by the name of 'The Analyzer', allegedly hacked into financial institutions using SQL injection to steal credit and debit card numbers that were then sold on the black market. This information was used by thieves in several countries to withdraw more than $1 million from ATMs.
“Another example is Tom Berge, who used the aerial photographs from Google Earth to pinpoint museums, churches and schools across south London, which had lead roof tiles. Berge and his accomplices used ladders and abseiling ropes to strip the roofs and steal £100 000 worth of lead to be sold for scrap. He was sentenced to eight months in prison, suspended for two years, after confessing to more than 30 offences.
“According to the US Federal Trade Commission, if a person receives merchandise they didn't order, that person has a legal right to keep it as a free gift. Nicholas Arthur Woodhams, from Michigan, US, abused Apple's advance replacement programme by guessing iPod serial numbers backed with Visa-branded gift cards. He repeated the process 9 075 times, reselling the 'replacements' at the discounted price of $49. He was charged with trademark infringement, fraud and money laundering. All his real estate, as well as $571 000 in cash, was seized from Woodhams.”
Underground market
Criminals are freely selling malware, such as Trojans and botnets, over illicit trading Web sites. A Trojan can be sold on the market for $1 000 or less.
Grossman notes that established companies are recruiting hackers to break into their competitors' systems to gain a competitive edge in the market.
“In 2006, 107 logging companies hired hackers to compromise the systems, falsifying online records to increase the timber transport allocations. An estimated 1.7 million cubic metres of illegal timber had been smuggled out of the Amazon, amounting to a value of $833 000 000.”
He added: “How secure are the online permit systems? KPMG audited 70 air traffic control Web applications and identified 763 high-risk vulnerabilities. Business logic flaws are the main targets that hackers are looking for.”
According to a survey conducted by Websense, 75% of Web sites with malicious code are legitimate sites that have been compromised.