Thievery 2.0

A few years ago, I got a call from a Chicago police officer who said he was in the midst of organizing a conference for law enforcement officials on the growing problem of the mob's

By Lew McCreary

May 01, 2005 — CSO — Involvement in cybercrime. He wanted to know whether I would be interested in publicizing the event, attending it, writing about itwhatever. Sure, I said, happy to help. In truth, I was fascinated. I hadn't heard about organized crime going virtual, but it made plenty of sense. The old Willie Sutton wisecrack rattled around in my head: He robbed banks, he said, because "that's where they keep the money." The officer promised he would keep me informed as the details got ironed out. But I never heard from him again and assumed that his conference didn't pan out.

I thought of this again a few weeks ago when I saw a Wall Street Journal article about organized rings of identity thieves. The meteoric rate of growth in phishing attacks suggests that there are a lot of eager little Willie Suttons out there, stealing and trafficking in personal data. And now, there are also obliging, professionally styled websites operating as virtual fences where the stolen data can be retailed, according to the WSJ article by Cassell Bryan-Low. One such website, known as Shadowcrew, writes Bryan-Low, "served as the backbone of an extensive criminal organization that traded at least 1.5 million stolen credit card numbers and caused total losses in excess of $4 million" before U.S. agents shut it down. The Journal reports that Shadowcrew offered customer-friendly features and administrative controls of the kind most online retailers provide.

The same upscaling of methods, motives and organizational acumen appears to be occurring in denial-of-service attacks, with hackers assembling vast armies of zombie networks for sale or rent as weaponry to criminals. This issue of CSO includes a gripping tale of extortion by Senior Editor Scott Berinato (see "How a Bookmaker and a Whiz Kid Took On an Extortionistand Won," Page 38). Berinato tells the story of BetCris, an online gaming website based in Costa Rica, enduring a bruising siege of massive denial-of-service attacks after refusing to pay an extortionist's ransom. (The attacks were timed to coincide with the year's heaviest betting season.) As Berinato recounts, through the uncommon courage of its proprietors, and with the help of a gifted IT consultant named Barrett Lyon, BetCris eventually beat back the attacks. This at a time when most targeted sites simply paid the protection money, thus making the crime pay handsomely and keeping the extortionists coming back for more.

While the BetCris attacker and others like him cut their teeth on gaming sites, the story makes it clear that any business whose revenue stream depends heavily on the integrity of its networks would make an attractive victim. And as the tools for mounting attacks improve and the risks of detection and apprehension remain low, cybercrime will attract the rightful heirs of those who once saw waste hauling as a step up from loan-sharking and knee-breaking.

I think we're ready for that conference now.

Read more about data protection in CSOonline's Data Protection section.

Other stories by Lew McCreary

• Print