Read Fatal System Error Online
Authors: Joseph Menn
Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology
Fatal System Error (17 page)
THE STELLAR WORK OF STEWART and the lead SoBig investigator was doubly futile. While they managed to name suspects, neither was arrested, strongly suggesting a lack of interest by Russian authorities. Second, identifying and stopping a virus author would never again be as important, because soon anyone would be able to cobble one together. In February 2004, the latest version of the MyDoom virus included a copy of the source code for the virus. In July, well after Stewart began his dealings with Oboron, a new Bagle release followed suit. Why would the authors allow their work to escape their control, empowering potential competitors? Researchers weren’t sure, but a popular guess was that they were covering themselves in case the original code were found on their computers. If the same code were on tens of thousands of machines, that otherwise critical evidence against them would be worthless.
Whatever the motivation, the mass distribution of high-end virus code meant that hordes of people with lesser skills could take and modify code for ensnaring enormous numbers of computers. At Prolexic, Barrett initially kept track of which computers attacking his clients had been corrupted by which viruses. Then he realized that it didn’t matter. So much code was on the loose and readily available that tracking it did little good. By 2004, the eruption in virus code and zombie botnets brought the boom to a community of thousands of hackers and criminals. Many offered spamming services, while others offered the almost equally straightforward denial-of-service attacks for hire.
An awkward German teenager probably did more than anyone else to put botnets in the mainstream. Axel Gembe, aka Ago, dropped out of school in ninth grade and lived with his father and brother in a small Black Forest village. He taught himself to program and developed a worm, called Agobot, to see if he could. Agobot had a lot going for it. It worked well and it was modular, making it easy for him or others with the code to add in new exploits as they became available.
Two related innovations were still more important for the history of online criminality, although neither was Gembe’s idea. Both stemmed from the small group of online contacts that helped Gembe in spots, some of whom had ambitions that helped propel hacking into the commercial world. At their urging, Gembe set up a website in 2003 where people could buy modified and improved versions of the program for as little as $50. One of Gembe’s associates distributed the Agobot code online, where others could use it, “we suppose to raise his profile,” said Frank Eissmann, the lead German police officer on the case. Agobot-derived worms were still spreading five years later, and the move might have inspired the MyDoom authors to release their own code.
The other big innovation was contributed by a British associate of Gembe’s, Lee Walker. Walker cut a deal with American Paul Ashley, who hosted e-commerce sites and was looking for help launching denial-of-service attacks for a client. Walker and others provided the Agobot code, expertise, and drone computer networks, and Ashley crippled competitive websites for his client, Saad “Jay” Echouafni, who sold satellite television services. It was the deal that brought DDoS-for-hire into the Western marketplace.
The direct victims in the case included online retailer Weaknees .com of Los Angeles, which was essentially shut down for two weeks in October, costing it $200,000. Attacks on another target, Rapid
Satellite.com
, battered the systems of the company hosting the site, Speedera Networks of Mountain View, California, so badly that the websites of all Speedera customers—including
Amazon.com
and the U.S. Department of Homeland Security—couldn’t be accessed for nearly an hour. Speedera estimated its losses at $1 million. The Echouafni case was the first U.S. prosecution of a financially motivated denial-of-service attack. It took months of investigation by experts in several states and England before charges could be filed, although the hackers failed to cover all their tracks. The FBI also had an unusual advantage in that Echouafni was immediately suspected because of a business dispute with Weaknees, which sold TiVo and other digital video recorders. The case did help the German police catch Gembe, who was apprehended in May 2004. Even so, the man with the money got away. Echouafni jumped bail, earning his way onto the FBI’s list of Ten Most Wanted fugitives.
Satellite.com
, battered the systems of the company hosting the site, Speedera Networks of Mountain View, California, so badly that the websites of all Speedera customers—including
Amazon.com
and the U.S. Department of Homeland Security—couldn’t be accessed for nearly an hour. Speedera estimated its losses at $1 million. The Echouafni case was the first U.S. prosecution of a financially motivated denial-of-service attack. It took months of investigation by experts in several states and England before charges could be filed, although the hackers failed to cover all their tracks. The FBI also had an unusual advantage in that Echouafni was immediately suspected because of a business dispute with Weaknees, which sold TiVo and other digital video recorders. The case did help the German police catch Gembe, who was apprehended in May 2004. Even so, the man with the money got away. Echouafni jumped bail, earning his way onto the FBI’s list of Ten Most Wanted fugitives.
Such unchecked innovations transformed hacking from a guild-like activity to a modern industry. For Send-Safe and others who sent billions of pieces of spam, the entry of additional players increased competition and drove down profit. Virus-ruled botnets would continue to spew spam for years, offering services to the highest bidders, and Spamhaus’s list of the worst offenders would continue to feature many Russians. But the bigger opportunity lay in emerging fields, especially identity theft. The federal anti-spam law that took effect in 2004, known as the CAN-SPAM Act, only hastened that trend. The law legalized commercial email that wasn’t deceptive. But many spammers who were deceptive, and therefore newly at risk, decided they might as well go all the way and start “phishing,” or sending spam designed to trick people into revealing their credit card and banking numbers and passwords, their eBay and PayPal logins, and anything else that could be converted into cash.
Phishing began simply as spam with spoofed “from” addresses, messages appearing to come from eBay or Citibank and sent to everyone in the spammer’s lists. Most recipients wouldn’t be clients of any given financial company, but it didn’t take many for the math to work. Even if only one person in a hundred was a customer, millions would get the bait and several thousand of them would bite. As word spread about what was happening and the fraud market grew saturated, phishers moved downstream, even sending mass emails purporting to come from obscure local credit unions in search of new victims. Otherwise, the scams got better and better. The crooks polished their laughable English. Some not only used the wording and images of the real sites they imitated, they linked back to them in case anyone clicked there. They also became adept at faking Web addresses so that even professionals couldn’t tell they weren’t about to go to a legitimate site to enter their financial information. When it seemed everyone in the world must have been warned about phishing attacks, the bad guys sent fake emails from financial institutions alerting users that they had been phished—and that they would need to reenter security information to reactivate their accounts. Yet many targeted companies continued to send emails with Web links themselves. Small wonder so many millions of Americans failed to internalize the warnings never to click on any Web address contained in an email.
As competition among phishers increased, the innovators invested in efforts to hack into corporate databases, stealing everyone’s financial information at once, or getting the same files with “social engineering,” more familiarly known as trickery. The number of disclosed hacks into companies soared to 656 a year by 2008, with more than 35 million identities at risk just that year, according to a tally from before the discovery of the biggest breaches. That didn’t count phishing victims or those stung by hackers who used security holes and viruses to enslave computers or to install “keyloggers,” as Barrett’s Russian criminals were doing in 2006. Those programs sent off anything typed, including credit card information, or lay dormant and unobservable until the consumer visited any of a long list of financial websites. U.S. residents were natural targets because they used credit cards far more than Europeans and had higher credit limits.
Competitive forces weren’t the only thing driving identity theft into the stratosphere. Free-speech laws meant that writing viruses and other malicious programs—even publishing and selling such programs—was generally protected behavior. Worse, the U.S. courts had held that lousy commercial software—the sort with obvious security holes that allow all manner of attacks—were immune from product-liability suits, on the grounds that they technically aren’t sold to customers but licensed, or loaned under strict conditions.
The U.S. banks, however, bear a large part of the blame. They didn’t make their cards as secure as European banks did, and they continued such inherently unsafe practices as sending unsolicited credit card applications through the mail and approving credit with minimal identification. The financial institutions were in no hurry to tighten standards because of a little-known fact: retailers, not banks, generally absorbed losses caused by identity thieves wielding pilfered credit card numbers. Many identity theft victims didn’t have to pay for the charges or loans made in their names. Visa and MasterCard covered the expenses, then passed them back to the businesses where goods were sold to the wrong person. That setup ensured that the credit card companies, which were often thought to be absorbing losses, actually earned money from many instances of fraud. The merchants couldn’t afford to stop accepting credit cards, and they had nowhere near enough muscle in Washington to change the system. Financial institutions spent more than ten times as much on lobbying as retailers did. The federal government might have gotten more serious if there had been a public hue and cry. But it was generally the poorest victims who suffered the most—a third reported being harassed by debt collectors after such fraud—and they had the least power.
Yet in a sense, the credit card industry was leveraging itself too deeply. Because it played down concerns about identity theft, nothing changed. As the first decade of the millennium waned, the crime kingpins shifted focus again, going after ATM and debit cards and stealing directly from online bank accounts. In those cases, the banks were frequently on the hook, and they had to eat a growing, if still undisclosed, amount of losses. The criminals had reinvested their loot and gotten much better in the interim, while U.S. banks by then lagged farther behind their global peers in security. By this point, two things could go seriously wrong with electronic commerce. The first was that as fraud burned more consumers, enough would pull back that they shrank the system. Caution is already slowing growth. The second was that the banks themselves, already half-wrecked by the economic crisis that exploded in late 2008, would be so desperate to reduce their burgeoning fraud write-downs that they pulled back from e-commerce on their own.
Visa, MasterCard, and the banks that collectively controlled those card associations didn’t just keep quiet about the epidemic of identity theft: they actively worked to distort the public discourse. In 2005, for example, Visa, banker Wells Fargo, and online payment firm CheckFree Services Corp., all of which profited from Internet finance, paid for a purportedly independent research report following up on a landmark Federal Trade Commission study two years earlier that certified the pandemic of identity theft. The Better Business Bureau and the FTC were listed as advisors on the 2005 report.
The most startling finding: according to the study’s author, Javelin Strategy and Research, “Although there has been much recent public concern over electronic methods of obtaining information, most thieves still obtain personal information through traditional channels rather than through the Internet.”The report said 72 percent of identity theft crimes occurred the old-school way, such as via a stolen purse or pilfered mail. Javelin even advised consumers to do more online banking, because those who bank online check their records more frequently and therefore tend to detect improper billing sooner. Top federal prosecutors had a different take. Not only should consumers avoid online banking, authorities said, they shouldn’t store any financial information on computers hooked up to the Net.
The problem with the Javelin study’s conclusions, reported uncritically in the
New York Times,
the
Wall StreetJournal,
and elsewhere, is that they were almost certainly false. According to the details in the report, only 54 percent of the victims surveyed knew how their information had leaked. So only 72 percent of 54 percent of the cases were reasonably believed to spring from traditional theft—or 39 percent. Javelin founder James Van Dyke claimed that the majority of unsolved cases were likely to be offline crimes as well. He went on, improbably, to describe phishing fraud as “the biggest non-event.... There’s scant evidence within the merchants of any large-scale phishing attack. These crimes are under control.”
New York Times,
the
Wall StreetJournal,
and elsewhere, is that they were almost certainly false. According to the details in the report, only 54 percent of the victims surveyed knew how their information had leaked. So only 72 percent of 54 percent of the cases were reasonably believed to spring from traditional theft—or 39 percent. Javelin founder James Van Dyke claimed that the majority of unsolved cases were likely to be offline crimes as well. He went on, improbably, to describe phishing fraud as “the biggest non-event.... There’s scant evidence within the merchants of any large-scale phishing attack. These crimes are under control.”
FTC Associate Director Lois Greisman begged to differ. “We have concerns with putting out, frankly, numbers like that,” Greisman said, adding that extrapolating from the 54 percent who knew what happened didn’t make sense. “I know if I’ve lost my purse,” she said. “A big problem with phishing is that people have no idea they’ve been phished.” Beyond that logical flaw, the vast majority of business was still conducted offline: for that reason, one would expect most theft to occur there. The fact that Javelin’s study failed to show that it did reinforced the belief of technology experts that online commerce was already riskier than traditional business and getting more so.
Each year from 2004 on, Internet crime grew dramatically more effective, increasingly organized, and disproportionately led by groups overseas. But the problem was exacerbated by the inaction and dissembling of major U.S. industries and an inadequate government response. CheckFree Services, which played a role in nurturing consumer complacency, eventually would have a direct hand in punishing them for that stance. In December 2008, hackers obtained the company’s login credentials at Web registrar Network Solutions and sent anyone coming to CheckFree’s site over a four-hour period to a bogus page hosted in Ukraine. That page attempted to install password-stealing programs on the computers of thousands of CheckFree clients.
Barrett Lyon had become the leading defender against a particularly brutal aspect of cybercrime. He had saved dozens of companies. He had taken down a few bad guys and taught the authorities how to catch more. DDoS attacks continued, and would soon find new types of targets, but Barrett realized he was largely fighting yesterday’s battle. He couldn’t defend millions of people at once. The new war, against mass identity theft and the underground economy itself, couldn’t be waged without at least the concerted effort of many governments—and perhaps a rebooting of the Internet’s essential architecture.
Other books
The Heat Islands: A Doc Ford Novel by Randy Wayne White
The Border Lord and the Lady by Bertrice Small
Summer Unplugged by Sparling, Amy
Lord of Ice by Gaelen Foley
Agnes Among the Gargoyles by Patrick Flynn
Zap by Paul Fleischman
The Kill Artist by Daniel Silva
So Over You by Gwen Hayes
Oasis by Imari Jade
Other Earths by edited by Nick Gevers, Jay Lake
