Written evidence submitted by the Serious Organised Crime Agency (Malware 13)
INTRODUCTION
1. This submission sets out the Serious Organised Crime Agency's (SOCA) written evidence to the Science and Technology Select Committee's inquiry into malware and cyber-crime.
2. SOCA works with its partners, under the UK Control Strategy for Organised Crime, to address the threat of organised cyber crime, which it defines as:

- Offences in which computers, networks or the data held within them are specifically targeted by an Organised Crime Group (OCG), including the design, sale or use of tools and techniques needed to mount such attacks, and the use of virtual payment systems to launder the proceeds of crime.

- The use of ICT by OCGs to enhance operational security or effectiveness, which includes alternative communication methods and evidence denial.
Malware is an umbrella term for malicious software and it is therefore used to describe any piece of software that is designed for a malicious purpose. As such, malware describes the collection of tools that can be used by individuals for a malicious or criminal purpose. It is not one single group or type of software that executes one particular type of crime. SOCA's operational focus, where malware is concerned, is on the individuals behind the creation and deployment of those systems which represent the biggest threat to the UK.
3. The submission outlines the current level of knowledge within the organisation on malware and cyber-crime. This submission has been written in coordination with the Home Office, and should be considered supplementary to its submission, which addresses the full range of questions the inquiry is set to explore.
What proportion of cyber-crime is associated with malware?
4. Malware is a key enabler of internet-enabled fraud. Cyber criminals use the internet as an opportunity to gather personal information or data, with the aim of exploiting it for financial gain. SOCA sees a continuous development of methodology as both criminals and those opposing them react and counter-react to an ever-changing landscape. Developments in both technology and public take-up have meant that the tactics used by cyber criminals evolve at a rapid rate. The use of malware within cyber crime has also risen in conjunction with improved public awareness of scams such as phishing.[19]
5. A significant proportion of cyber-crime uses malware to perform some part of the crime. Even spamming[20] now involves the use of malware, as the majority of spam messages are now delivered using Botnets.[21] Criminality has had to evolve and develop increasingly sophisticated ways of capturing data, and that increasingly means the use of malware in one form or another. The UK is a relatively developed market for internet use and so the awareness of simple spam emails is perhaps greater than in countries where the internet is new. For this reason, criminals need to employ increasingly more sophisticated methods to achieve their aims as the user's defence becomes similarly more sophisticated.
Where does the malware come from? Who is creating it and why?
6. Historically, malware was created by small numbers of people who had the necessary technical skills. Deployment of malware (and the consequent profit to be made) was similarly restricted to a small number of individuals. However, as cyber-crime has evolved, a complex marketplace has developed, allowing specialists (such as malware writers) to sell their products to others with little or no technical ability.
7. Organised crime groups have been known to commission malware creators to produce the tools they require, and malware writers have also been known to produce "off-the-shelf" items; an example being the Zeus financial malware that was openly available for purchase for approximately US$700. In addition to the market for generic malware families (eg Zeus, SpyEye, Gozi etc) a new market has emerged for bespoke attack modules targeting specific financial institutions / corporate victims. This means that relatively dated malware families can still employ state-of-the-art attack tools, maintaining their effectiveness. Malware (such as Zeus) is also available with technical support, including a 24-hour telephone helpline. Criminal fora where such transactions are made have been in existence for at least a decade. These fora are frequently hosted in jurisdictions where UK law enforcement has little influence, and have stringent membership policies.
8. The main geographical source for the creation of malware targeting UK financial institutions is Eastern Europe, from former Soviet States. The socio-political conditions in some of these countries are ideal: education and internet development are reasonably good, employment and salary potential are low, the law enforcement deterrent is not prohibitive and organised crime groups exist. Past emphases on scientific or technical education have led to a highly able workforce with few legitimate prospects that can equal the criminal market in terms of financial reward.
9. This financial reward is the main driver behind malware creation. The early days of cyber-crime saw criminals developing attacks for kudos and peer recognition. This has dissipated and now status only accounts for a small amount of the activity which SOCA has the remit to investigate. State-sponsored threats and "hacktivism" (both significant sources of new malware) fall outside the scope of SOCA's focus, but information is shared with its UK partners where necessary.
What level of resources is associated with combating malware?
10. In April 2011, as part of the Strategic Defence and Security Review (SDSR) outcomes, SOCA was allocated £19 million over four years to support the delivery of a wider National Cyber Security Programme (NCSP).[22] SOCA will use this funding to support the Government's priorities on cyber crime in the following ways:

- by increasing the capability and capacity to collect, analyse and disseminate intelligence on cyber-crime and cyber criminals;

- by providing an effective criminal justice response to cyber-crime through the enhancement of capabilities and the delivery of high-end operational outcomes. It will also provide additional legal services to deliver expert tactical and strategic support;

- by working with law enforcement, intelligence agency, private sector and academic partners to maximise use of technical and other capabilities for the benefit of all parties;

- by focusing dedicated resource on the delivery of high volume interventions to disrupt criminal cyber activity;

- by increasing private sector and public awareness through enhanced dissemination of timely intelligence and warnings via diverse media channels and Alerts; and

- by establishing a dedicated overseas resource to tackle cyber criminality in partnership with local law enforcement and other agencies, and provide additional legal services to deliver expert tactical and strategic support to enhance international law and improve international co-operation.
11. Significant successes achieved against cyber crime in recent years include:

- Working with GetSafeOnline.org, SOCA identified a highly organised criminal operation employing "scareware" to trick web users into revealing their financial information to cybercriminals. Potential victims received messages on screen or a call from an IT "help centre" claiming that their computer might be infected by a virus or other malicious software. A fake scan of their computer was then used to convince the victims that they needed to download new security software. In reality, victims were paying cybercriminals for the privilege of installing useless or malicious software onto their computer. Get Safe Online adopted this threat as the main theme for their 2010 campaign and SOCA provided advice to members of the public on how to spot "scareware" and how to avoid becoming victims of this type of crime;

- SOCA is systematically targeting the criminal trade in stolen financial information. In 2010-11, SOCA seized 1.4 million items of compromised payment card data from cybercriminals and passed these details to UK Payments via its Alerts system. This data has subsequently been used to prevent fraud and identity theft where security breaches have occurred. The success of this approach has encouraged law enforcement colleagues in the US, Europe and Australia to participate in the initiative;

- Following a SOCA investigation, Virgin Media earlier this year wrote to about 1500 customers to inform them of a compromise. This was the first time that SOCA has partnered with an ISP to proactively contact its customers and is seen as a positive step in the corporate / law enforcement partnership; and

- SOCA led the UK end of a long-term FBI undercover operation against the online criminal forum DarkMarket. Before the forum was closed down in October 2008, it had been regarded as one of the most significant internet sites dedicated to the theft and sale of compromised personal information. It dealt in large quantities of stolen payment card and online banking data, and the tools and techniques needed for criminals to commit offences using them. Alongside two SOCA operations against DarkMarket subjects, SOCA provided intelligence and forensic support in this work to the City of London, Greater Manchester, South Yorkshire and Humberside Police. Follow-up work continued, with suspects arrested in Turkey, Germany, the US and the UK, of whom 12 were arrested here.
12. Going forward, the National Crime Agency (NCA) offers an outstanding opportunity to achieve a further step change in the response to organised crime, including through more effective national tasking and coordination arrangements. The NCA also presents the UK with the opportunity to improve its national law enforcement response to crime perpetrated in cyber space or enabled by the internet, through the national centre of excellence on cyber crime which it will host.
What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?
13. At a superficial level, individual citizens may feel little direct financial impact from malware. Financial institutions will often cover the cost of a loss. It is assumed that these costs are covered by higher charges elsewhere, but the detail of this is not known to SOCA. Crime such as identity theft may not result in a financial cost but it could have a traumatic effect nevertheless.
14. General information on the financial impact of malware is inconsistent. At a corporate level, for example, a large financial institution may not wish to disclose malware costs for fear of reputation damage. There is a better understanding of the threat in the US due to mandatory requirements to report data breaches in most US states. In the UK there is no obligation to disclose, and estimates of the costs of malware are difficult to assess.
15. Trade on and use of the internet has grown. In the future, it is likely that every age group will use the internet extensively. Attitudes to sharing personal data online have already undergone a marked change. Confidence in using the internet is therefore important and malware undermines that confidence, resulting in opportunity cost. Industry measures to protect their customers vary, and SOCA is committed to working closely with companies to mitigate the threat posed.
7 September 2011
[19] Phishing is when an individual receives an unsolicited email purporting to be from their financial services provider, asking for "account verification", usually including a link to a fake website, from which criminals will harvest the financial data for fraudulent activity.

[20] Spam: using electronic messaging systems to send unsolicited bulk messages indiscriminately.

[21] A Botnet is a collection of compromised computers connected to the Internet, termed Bots, that are used for malicious purposes and controlled by a single source.

[22] Led by the Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office.