Cyber breaches kept secret

By Reuters
Washington, 25 Nov 2009

Cybercriminals regularly breach computer security systems, stealing millions of dollars and credit card numbers in cases that companies keep secret, said the FBI's top Internet crimes investigator.

For every break-in like the highly publicised attacks against TJX and Heartland Payment, where hacker rings stole millions of credit card numbers, there are many more that never make the news.

"Of the thousands of cases that we've investigated, the public knows about a handful," said Shawn Henry, assistant director for the Federal Bureau of Investigation's Cyber Division. "There are million-dollar cases that nobody knows about."

Companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to the FBI at all. In other cases they wait so long that it is tough to track down evidence.

"Keeping your head in the sand on filing a report means the bad guys are out there hitting the next guy, and the next guy after that," Henry said.

He said the cybercrime problem has gotten bigger over the past three years because hackers have changed their attack methods as companies have tightened up security.

"It's absolutely gotten bigger, yes, absolutely," he said.

That is because the Internet is rapidly growing as a tool for commerce. As it does, consumers and companies alike are exposing valuable data such as business plans, credit card numbers, banking information and Social Security numbers.

"There are hundreds of billions of dollars that traverse the Internet," he said.

Seeking easier targets

Cybercriminals are now looking beyond large companies, which in the past 10 years have bolstered security on their networks using products from software companies including Symantec, McAfee and Trend Micro. Cisco Systems, International Business Machines and Websense also sell products to protect computer networks.

Instead, criminals are attacking small and medium-sized companies that don't have the inclination, money or expertise to prevent cybercrime.

They also target corporate executives and other wealthy public figures, who are relatively easy to pursue using public records. The FBI pursues such cases, though they are rarely made public.

On 4 November, the FBI warned of major fraud cases involving the theft of online banking credentials belonging to small and medium-sized businesses, local governments and school districts.

In this case, as in others, people hired through work-at-home schemes were used to move the money overseas.

A similar approach was used in a scheme that defrauded the Royal Bank of Scotland's RBS WorldPay of more than $9 million. A group, which included people from Estonia, Russia and Moldova, has been indicted for compromising the data encryption used by RBS WorldPay, one of the leading payment processing businesses globally.

The ring was accused of hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. More than $9 million was withdrawn in less than 12 hours from more than 2 100 ATMs around the world, the Justice Department has said.

Henry said it was relatively inexpensive to pull together a cybercrime organisation.

Some groups consist of a core of just about a dozen people, including strategists, hackers and programmers, who can get started with a budget of a few thousand dollars to set themselves up with computers and broadband access.

When they are ready to launch an attack, they might hire hundreds more people who help them launder the money. Known as "money mules", these people are often found through "work-at-home" schemes, where they are hired to cash cheques for a few thousand dollars, keep a percentage and send the rest back to the core group.

"I think there are people who are ignorant completely and others who have their head in the sand," said Henry.
