As cybercrime rises, so does a new – and successful – breed of cybercops

Cybercrime is increasing, but one new study finds that cybercops have become a lot more effective at discovering data breaches and informing the often unaware victims.

February 8, 2012

Amid the flurry of cybercrime news that dominated headlines last year, from rampaging hacktivists and cyberspies to rising sabotage threats to infrastructure control systems – there was something else: the cybercops on the beat did a better job, too.

While most studies and surveys found cybercrime was increasing and spawning more serious threats to society, one new study also finds that cybercops are doing a lot better at discovering criminal data breaches on their own – and then alerting the victim companies, which frequently had no idea that financial and other data were being stolen from their networks.

“The good news for organizations is that the effectiveness of law enforcement to detect breaches increased almost five-fold in 2011,” according to the Trustwave 2012 Global Security Report, published by a Chicago-based cybersecurity company that tracks cybercrime trends.


Of the approximately 3,000 organizations that reported a cybersecurity breach to Trustwave last year, 33 percent had been notified by law enforcement. That's compared with just seven percent in 2010, the report said.

That nearly five-fold jump is mainly thanks to an increased focus on the problem, including more resources devoted by national crime units like the US Secret Service, Australian Federal Police, and the UK’s Serious Organized Crime Agency, as well as international groups like Interpol.

“Law enforcement groups are just a lot more focused now on cybercrime than they were before,” says Nicholas J. Percoco, senior vice president of Trustwave SpiderLabs. “We know that they really started stepping up their efforts in 2010, seizing more criminal systems, making more arrests, finding more victims – and doing a lot more victim notification.”

Typically, agents invading botnet servers and other criminal computer networks discover stolen data – and they go tell the victim companies.

One might be forgiven for having missed that improvement, so thoroughly was it overshadowed by bad news.


At least 58 highly publicized hacking attacks occurred in 2011, with victim organizations around the world ranging from law enforcement agencies, Fortune 500 companies, and governments, to defense agencies and military contractors, according to a Monitor tally of several studies.

Meanwhile, a global survey of 200 computer security professionals working in critical infrastructure industries warned that cyberexploits and cyberattacks on vital infrastructure are now widespread – and that the perpetrators range from cybercriminals engaged in theft or extortion to foreign governments preparing sophisticated attacks. The Stuxnet worm was last year's key example – a cyberweapon that targeted Iran's nuclear program and damaged it, and which experts say could be modified to damage other systems.

“Hacking has become a normal business practice for some countries, because there are no penalties and no consequences for bad behavior,” James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington told the Monitor in an e-mail interview last fall. “This is a golden age for espionage.”

Still, the feds were on the case. A January 2010 Monitor investigative report found that cyberespionage attacks believed to come from China had infiltrated computer networks belonging to at least three global oil giants. But neither Marathon Oil, ExxonMobil, nor ConocoPhillips realized the extent of cyberespionage attacks that hit them in 2008, until the FBI alerted them that year and in early 2009, the Monitor reported in early 2010. Some key oil company data were detected flowing from one oil company computer to a computer in China, according to documents obtained by the Monitor.

Yet amid the criminal debris of 2011 were hints of good news that indicated improvements by the cybercops. Botnets – those networks of enslaved computers forced to send out spam and malicious software that can steal passwords and banking information – were targeted by the good guys, who nailed a bunch of them.

The Federal Bureau of Investigation took down just such a “robot network,” dubbed the “Coreflood botnet.” That worldwide network, created by a Russian cybercrime gang, had taken control of 2.3 million personal computers and sucked up vast amounts of US financial and government data for almost a decade before being targeted for extermination.

Relief also came in the form of a drop in e-mail spam from around 50 percent of all e-mail messages over a three year span to only about 37 percent last year, the Trustwave report notes. The reason? Federal authorities working with Microsoft joined with university researchers and other security companies to nail the “Rustock botnet,” which was responsible for up to 40 percent of Internet spam.

Meanwhile, the US Secret Service tracked down cybercriminals, including one who went by the hacker alias “f1ex.” Agents assigned to the New York Electronic Crimes Task Force learned that f1ex, an overseas hacker with a long cybercriminal track record, was selling stolen credit card account numbers in the US that he had obtained through online forums.

Agents discovered during their investigation that “f1ex” was really Lin Mun Poo, a Malaysian citizen. So in October 2010, an undercover agent met with Poo at a diner in Queens and bought $1,000 worth of stolen credit card numbers. In a second meeting, undercover agents discussed with Mr. Poo setting up a “long term relationship.” Poo was arrested and his laptop hard drive was found to hold 413,000 credit card account numbers with an estimated value of $206 million, according to Hugh Dunleavy, a Secret Service special agent, in an account in the Trustwave report.

On April 13, 2011, Poo pleaded guilty to “Access Device Fraud” and was sentenced last November to serve 10 years in a federal prison.

“There’s no reason why law enforcement won’t get better at what they’re doing,” Mr. Percoco says. “They’re increasing their efforts and we’ll be seeing more of these arrests – which is a good thing.”