
The perfect crime

The scarcity of user authentication development creates abundant opportunities for cyber villains.

By Mark Eardley, channel manager at SuperVision Biometric Systems.
Johannesburg, 21 Jul 2011

As the evolution of IT delivers new dimensions of speed, capacity and connectivity, cyber villains exploit these developments for their own ends. Just as IT is evolving at an accelerating pace, so too is cyber crime.



A June 2011 report by Cisco Systems' Security Intelligence Operation on the evolving nature of cyber crime says the volume of spray-and-pray malicious mail has declined by more than half in the past year. But at the same time, focused e-mail attacks have tripled. The report suggests a straightforward reason for this development - focused attacks offer far better ROI to the cyber villains.

In just a few years, it seems there has been a move from phishing to spear phishing and on to 'whaling' - the targeting by e-mail of individuals who hold significant IT access rights.

And this highlights the fact that a scarcity of development within one area of IT - user authentication - is creating abundant opportunities for the cyber villains.

No contest

Sapient cyber villains versus Neanderthal authenticators - the foundations of IT authentication are constructed from flawed materials. The flaws are well known, because everyone recognises there is nothing complex about one person using another person's IT password, PIN or card. Cyber villains do it all the time. In fact, they do it so frequently that credential exploitation is now the rock-solid foundation for most cyber crime.

Before the advent of biometrics, the limited development of user authentication was based on small variations of the same flawed principles. Passwords got longer, more complex and harder to remember. PINs got supplemented with one-time PINs and the addition of so-called smart cards. But they are all still routinely lost, forgotten, shared and stolen.

By mixing these flaws together, conventional IT authentication has created a hallucinogenic potion that induces a powerfully comfortable false sense of security. Perhaps people need to get off this trip and accept that there is precious little security in an IT world founded on cards, PINs and passwords.

Cyber villains are smart villains

In a May 2011 cyber theft, details of over 360 000 credit card holders were stolen from American bank Citigroup. In addition to swallowing the costs of issuing over 217 000 new cards at the beginning of June, the bank has apparently reinforced its IT security and account monitoring measures.

But the reinforcements have not been entirely successful. Citigroup disclosed at the end of June that $2.7 million had already been lost to fraudulent payments on over 3 400 of the affected cards.

And yet when it first announced the cyber theft, the bank said the stolen data was insufficient to enable transactions - customers were not at risk since social security numbers, birth dates, card security codes and expiry dates were not taken.

It now seems that card numbers, addresses, holders' names and e-mail details were an effective starting point for the cyber villains, and that harvesting $2.7 million is sufficient incentive to leverage such 'limited' data.

The message here is clear: give the cyber villains an inch and they will take a mile. For example, was the breached Citigroup info used in a cyber campaign to steal card data that was missed in the initial hack?

Business imperatives rule

Focused attacks produce better ROI than mass attacks. Cisco's report divides focused e-mail campaigns into two categories: spear phishing and targeted attacks. Spear phishing covers activities that are aimed at groups of potential victims who share a common feature - for example, corporate customers of a specific bank.

Cisco estimates that mounting a spear phishing attack costs five times more than a mass attack. The villains' investment might include list acquisition; leasing a distribution botnet; e-mail generation tools; malware purchases; Web site creation; campaign administration tools; order processing and fulfilment infrastructure; and background research on targets.

The report says the return on such an investment can be more than 10 times that of a mass attack. Higher returns would seem to make sense - sending plain vanilla phishing mails to a group of people is probably going to be less successful than targeting them personally. It's the difference between addressing a con mail to 'Dear Jill' rather than 'Dear Valued Citigroup Customer'.

The content and format of spear phishing mails, and of the Web sites to which they commonly direct victims, are often convincing enough to establish an appearance of legitimacy.

Cisco estimates that more than 80% of spear phishing attacks contain links to Web sites with malicious content. In an attack on a group of banking customers, the typical objective will be to deceive victims into supplying the site with usernames and passwords, enabling illicit transactions on the victim's account.

A step beyond spear phishing

Focusing on much lower numbers of victims, targeted attacks are defined by Cisco as being “directed at a specific user or group of users, typically for intellectual property theft”.

The report suggests the key differentiator between spear phishing and targeted attacks: “Targeted attackers often build a dossier of sorts on intended victims - gleaning information from social networks, press releases, and public company correspondence.”

The villains then use these 'dossiers' to craft personalised e-mails; they are very specific about what they want and about whom they target to get it.

Allied to such personalised 'whale' mail, Cisco says targeted attacks “generally employ some form of malware in order to gain initial entry to the system and to harvest desired data over a period of time”.

The recent credential-based cyber theft at RSA (EMC) exemplifies this sort of attack, since it began with a whale mail carrying a backdoor-loaded Excel file titled 'Recruitment plan 2011'. Opening the file opened the backdoor, resulting in the theft of secrets about RSA's two-factor authentication product, SecurID.

As to the returns from a targeted attack, these are harder to quantify, because unlike credit card data, corporate secrets don't have a 'book' value on the cyber black market. For example, who knows the going rate for M&A information that might be held by a merchant bank or accountancy practice?

More to the point, who knows the value of the secrets held by Lockheed Martin when the villains attempted a cyber break-in based on exploiting employees' SecurID tokens?

The world of IT security is a game of evolutionary catch-up between the good guys and the bad guys. As long as they can continue their unchallenged exploitation of credentials, the bad guys will always be several points in front.
