Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by the Serious Organised Crime Agency (Malware 13)


1.  This submission sets out the Serious Organised Crime Agency's (SOCA) written evidence to the Science and Technology Select Committee's inquiry into malware and cyber-crime.

2.  SOCA works with its partners, under the UK Control Strategy for Organised Crime, to address the threat of organised cyber crime, which it defines as:

—  Offences in which computers, networks or the data held within them are specifically targeted by an Organised Crime Group (OCG) including the design, sale or use of tools and techniques needed to mount such attacks, and the use of virtual payment systems to launder the proceeds of crime.

—  The use of ICT by OCGs to enhance operational security or effectiveness which includes alternative communication methods and evidence denial.

Malware is an umbrella term for malicious software and it is therefore used to describe any piece of software that is designed for a malicious purpose. As such, malware describes the collection of tools that can be used by individuals for a malicious or criminal purpose. It is not one single group or type of software that executes one particular type of crime. SOCA's operational focus, where malware is concerned, is on the individuals behind the creation and deployment of those systems which represent the biggest threat to the UK.

3.  The submission outlines the current level of knowledge within the organisation on malware and cyber-crime. This submission has been written in coordination with the Home Office, and should be considered supplementary to its submission which addresses the full range of questions the inquiry is set to explore.

What proportion of cyber-crime is associated with malware?

4.  Malware is a key enabler of internet-enabled fraud. Cyber criminals use the internet as an opportunity to gather personal information or data, with the aim of exploiting it for financial gain. SOCA sees a continuous development of methodology as both criminals and those opposing them react and counter-react to an ever changing landscape. Developments in both technology and public take-up have meant that the tactics used by cyber criminals evolve at a rapid rate. The use of malware within cyber crime has also risen in conjunction with improved public awareness of scams such as phishing.[19]

5.  A significant proportion of cyber-crime uses malware to perform some part of the crime. Even spamming[20] now involves the use of malware, as the majority of spam messages are now delivered using Botnets.[21] Criminality has had to evolve and develop increasingly sophisticated ways of capturing data, and that increasingly means the use of malware in one form or another. The UK is a relatively developed market for internet use, so awareness of simple spam emails is perhaps greater than in countries where the internet is new. For this reason, criminals need to employ increasingly sophisticated methods to achieve their aims as users' defences become similarly more sophisticated.

Where does the malware come from? Who is creating it and why?

6.  Historically, malware was created by small numbers of people who had the necessary technical skills. Deployment of malware (and the consequent profit to be made) was similarly restricted to a small number of individuals. However, as cyber-crime has evolved, a complex marketplace has developed, allowing specialists (such as malware writers) to sell their products to others with little or no technical ability.

7.  Organised crime groups have been known to commission malware creators to produce the tools they require, and malware writers have also been known to produce "off-the-shelf" items; an example being the Zeus financial malware that was openly available for purchase for approximately US$700. In addition to the market for generic malware families (eg Zeus, SpyEye, Gozi etc) a new market has emerged for bespoke attack modules targeting specific financial institutions / corporate victims. This means that relatively dated malware families can still employ state-of-the-art attack tools, maintaining their effectiveness. Malware (such as Zeus) is also available with technical support, including a 24-hour telephone helpline. Criminal fora where such transactions are made have been in existence for at least a decade. These fora are frequently hosted in jurisdictions where UK Law Enforcement have little influence, and have stringent membership policies.

8.  The main geographical source for the creation of malware targeting UK financial institutions is Eastern Europe, from former Soviet States. The socio-political conditions in some of these countries are ideal: education and internet development are reasonably good, employment and salary potential are low, the law enforcement deterrent is not prohibitive and organised crime groups exist. Past emphases on scientific or technical education have led to a highly able workforce with few legitimate prospects that can equal the criminal market in terms of financial reward.

9.  This financial reward is the main driver behind malware creation. The early days of cyber-crime saw criminals developing attacks for kudos and peer recognition. This has dissipated and now status only accounts for a small amount of the activity for which SOCA has the remit to investigate. State-sponsored threats and "hacktivism" (both significant sources of new malware) fall outside the scope of SOCA's focus, but information is shared with its UK partners where necessary.

What level of resources is associated with combating malware?

10.  In April 2011, as part of the Strategic Defence and Security Review (SDSR) outcomes, SOCA was allocated £19 million over four years to support the delivery of a wider National Cyber Security Programme (NCSP).[22] SOCA will use this funding to support the Government's priorities on cyber crime in the following ways:

—  by increasing the capability and capacity to collect, analyse and disseminate intelligence on cyber-crime and cyber criminals;

—  by providing an effective criminal justice response to cyber-crime through the enhancement of capabilities and the delivery of high-end operational outcomes. It will also provide additional legal services to deliver expert tactical and strategic support;

—  by working with law enforcement, intelligence agency, private sector and academic partners to maximise use of technical and other capabilities for the benefit of all parties;

—  by focusing dedicated resource to the delivery of high volume interventions to disrupt criminal cyber activity;

—  by increasing private sector and public awareness through enhanced dissemination of timely intelligence and warnings via diverse media channels and Alerts; and

—  by establishing a dedicated overseas resource to tackle cyber criminality in partnership with local law enforcement and other agencies and provide additional legal services to deliver expert tactical and strategic support to enhance international law and improve international co-operation.

11.  Significant successes achieved against cyber crime in recent years include:

—  Working with, SOCA identified a highly organised criminal operation employing "scareware" to trick web users into revealing their financial information to cybercriminals. Potential victims received messages on screen or a call from an IT "help centre" claiming that their computer might be infected by a virus or other malicious software. A fake scan of their computer was then used to convince the victims that they needed to download new security software. In reality, victims were paying cybercriminals for the privilege of installing useless or malicious software onto their computer. Get Safe Online adopted this threat as the main theme for their 2010 campaign and SOCA provided advice to members of the public on how to spot "scareware" and how to avoid becoming victims of this type of crime;

—  SOCA is systematically targeting the criminal trade in stolen financial information. In 2010-11, SOCA seized 1.4 million items of compromised payment card data from cybercriminals and passed these details to UK Payments via its Alerts system. This data has subsequently been used to prevent fraud and identity theft where security breaches have occurred. The success of this approach has encouraged law enforcement colleagues in the US, Europe and Australia to participate in the initiative;

—  Following a SOCA investigation, Virgin Media earlier this year wrote to about 1500 customers to inform them of a compromise. This was the first time that SOCA has partnered with an ISP to proactively contact its customers and is seen as a positive step in the corporate / law enforcement partnership; and

—  SOCA led the UK end of a long-term FBI undercover operation against the online criminal forum DarkMarket. Before the forum was closed down in October 2008, it had been regarded as one of the most significant internet sites dedicated to the theft and sale of compromised personal information. It dealt in large quantities of stolen payment card and online banking data, and the tools and techniques needed for criminals to commit offences using them. Alongside two SOCA operations against DarkMarket subjects, SOCA provided intelligence and forensic support in this work to the City of London, Greater Manchester, South Yorkshire and Humberside Police. Follow-up work continued, with suspects arrested in Turkey, Germany, the US and the UK, of whom 12 were arrested here.

12.  Going forward, the National Crime Agency (NCA) offers an outstanding opportunity to achieve a further step change in the response to organised crime, including through more effective national tasking and coordination arrangements. The NCA also presents the UK with the opportunity to improve its national law enforcement response to crime perpetrated in cyber space or enabled by the internet, through the national centre of excellence on cyber crime which it will host.

What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

13.  At a superficial level, individual citizens may feel little direct financial impact from malware. Financial institutions will often cover the cost of a loss. It is assumed that these costs are covered by higher charges elsewhere, but the detail of this is not known to SOCA. Crime such as identity theft may not result in a financial cost but it could have a traumatic effect nevertheless.

14.  General information on the financial impact of malware is inconsistent. At a corporate level for example, a large financial institution may not wish to disclose malware costs for fear of reputation damage. There is a better understanding of the threat in the US due to mandatory requirements to report data breaches in most US states. In the UK there is no obligation to disclose, and estimates of the costs of malware are difficult to assess.

15.  Trade on and use of the internet has grown. In the future, it is likely that every age group will use the internet extensively. Attitudes to sharing personal data online have already undergone a marked change. Confidence in using the internet is therefore important and malware undermines that confidence, resulting in opportunity cost. Industry measures to protect their customers vary, and SOCA is committed to working closely with companies to mitigate the threat posed.

7 September 2011

[19]  Phishing is when an individual receives an unsolicited email purporting to be from their financial services provider, asking for "account verification", usually including a link to a fake website, from which criminals will harvest the financial data for fraudulent activity.

[20]  Spam: using electronic messaging systems to send unsolicited bulk messages indiscriminately.

[21]  A Botnet is a collection of compromised computers connected to the Internet, termed Bots, that are used for malicious purposes and controlled by a single source.

[22]  Led by the Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office.


© Parliamentary copyright 2012
Prepared 2 February 2012