Written evidence submitted by the Police
Central e-Crime Unit (Malware 14)|
1. This report complements the Home Office submission
to the Science & Technology Committee.
2. This Police Central e-Crime Unit submission
addresses matters 1-3 as outlined in the Science & Technology
Committee's Terms of Reference for Malware and Cyber crime.
3. For operational reasons the nature of the
evidence provided has been restricted to a limited number of completed
4. For the purposes of this submission, the Home
Office "United Kingdom Threat Assessment of Organised Crime"
definition of malware has been adopted: Malicious software consists
of programming (code, scripts, active content, and other software)
designed to disrupt or deny operation, gather information that
leads to loss of privacy or exploitation, gain unauthorised access
to system resources, and other abusive behaviour.
1. What proportion of cyber crime is associated
Remit of Police Central e-Crime Unit
5. The MPS's Police Central e-Crime Unit (PCeU)
is the national lead for e-Crime. The PCeU remit is to tackle
those responsible for the most serious incidents of:
of malicious code;
of service (DDoS) attack; and
6. The PCeU proactively targets individuals involved
in the high level authoring, distribution and criminal use of
malware. These individuals are key enablers for cybercrime causing
substantial harm to the UK and global economy.
7. Just over half (55%) of PCeU's current investigations
involve the authoring, distribution or utilisation of malware.
8. In the context of PCeU investigations, malware
is primarily utilised in the commission of fraud offences against
the financial sector.
9. A recent and growing area of concern for law
enforcement is the use of Distributed Denial of Service (DDoS)
attacks against organisations in the wake of the wikileaks scandal.
For the purposes of this submission, only the criminal use of
Low Orbit Ion Cannon DDoS utility
2. Where does the malware come from? Who is
creating it and why?
10. Malicious software is predominantly created,
distributed and used for financial gain and DDoS attacks.
Attacks Against the Banking Sector
11. Organised Criminal Groups (OCGs) utilise
malware to attack the banking sector. This form of e-crime can
be extremely profitable, over a relatively short period of time,
when compared to more traditional crime types.
12. Financial institutions invest heavily in
Information Assurance. Criminals attack banking systems through
the most vulnerable point, the on-line banking user.
13. OCGs investigated by PCeU are primarily using
Trojan malware, typically SpyEye and Zeus, to create Botnets which
are controlled by a server which can access bank accounts and
transfer money out.
14. Malware infects victims' personal computers,
waits for them to log onto a list of specifically targeted banks
and financial institutions and then steals their personal credentials,
forwarding the data to a server controlled by criminals. It can
also manipulate web browsing sessions including creating an additional
page requesting the victim to reveal more personal information,
such as payment card number, PIN, and passwords. Users have no
idea they are being defrauded.
15. Unbeknown to the owner, computers infected
with Zeus or SpyEye become part of a network where they fall under
the remote control of computer criminals.
16. PCeU operational findings reveal that OCGs
demonstrate a highly systematic approach to this form of criminality.
Investigations have highlighted the use of technical expertise
by OCGs in the form of malware authors, who provide the essential
IT support for this criminality.
17. PCeU's Virtual Task Force (VTF) approach
has gone some way to mitigate against the risk of successful large
scale attacks against the financial sector in the future through
encouraging intelligence sharing.
18. While the threat of DDoS attacks can be used
to extort money from commercial organisations. The recent cases
dealt with by the PCeU have involved the use of DDoS tools to
attack organisations based on ideological grounds or simply to
prove technical prowess amongst peers.
19. There has been a growing recent trend in
"Hacktivism" encountered by the PCeU which has involved
groups or individuals targeting the websites of companies and
organisations, motivated by political or ideological goals. This
has been particularly highlighted by recent activity around Wikileaks
supporters such as "Anonymous". This has demonstrated
that, facilitated by social networking sites, large numbers of
individuals globally are able to voluntarily use their computers
to launch DDoS attacks against organisations, with a low degree
of central organisation or leadership utilising user friendly
software such as LOIC (Low Orbit Ion Cannon DDoS utility).
20. There are individuals who author without
affiliation to political groups or desire for money but who are
motivated by factors such as the personal challenge of testing
their IT skills. These individuals will carry out a range of attacks
from DDoS to hacking and defacing websites. These individuals
are more akin to the stereotypical lone, male hacker or "script
The Authoring and Distribution of Malware
21. PCeU operational intelligence suggests that
there are a relatively small number of individuals with the technical
skills required to produce the code involved in distribution of
22. Some individuals provide bespoke malware
services to OCGs while at the same time working on their own criminality.
Lower tier individuals appear to be "testers", checking
for bugs in the scripts which are used to move money into mule
accounts and making adjustments to the code as required. Identified
OCG's have members each using core skills which are distinct ie
infrastructure, cash out and code development.
23. Methods of malware distribution continue
to evolve. A recent PCeU operation has shown that malware propagation
is moving onto compromised legitimate websites, which may indicate
that spam delivery and fake websites are no longer the primary
mechanisms. Also this operation has found a number of Command
and Control Servers used to both store the stolen data and control
the malware. These servers are hosted in Russia, China and the
Online Criminal Forums & Malware "Kits"
24. Online Criminal Forums allow all types of
criminals to interact with each other across large geographical
areas, to plan, organise and commit crimes, without having to
personally know each other. These types of forums enable criminals
with different skill sets to advertise their services and thus
create virtual OCGs that would not have formed in off-line environments.
Disturbingly, they also act as an educational forum to the benefit
of new members.
25. PCeU has gathered intelligence and investigated
the use of online criminal forums by a range of different individuals
and groups including hacktivists, OCGs and individual hackers
to share knowledge and organise offences.
26. Online criminal forums facilitate the purchasing
of "malware kits" which enable individuals to carry
out "ready made" attacks with less technical knowledge
or experience. Intelligence gleaned from PCeU investigations indicates
that individuals with little prior knowledge of IT can develop
the capabilities to carry out a malware attack within a very short
period of time.
27. Online criminal forums and "malware
kits" regularly come to the attention of PCeU staff investigating
banking Trojans and DDoS attacks.
28. Availability via criminal forums, the relative
ease of use and sometimes low cost of Zeus and SpyEye malware
in particular, has led to its popularity and extensive proliferation
Case StudiesThe Authoring and Distribution
29. A PCeU investigation into an individual who
was running a Zeus Botnet, in addition to hosting an online global
crime forum called GhostMarket.net. GhostMarket was the largest
English speaking criminal forum with over 8,000 members which
promoted and facilitated the electronic theft of personal information.
In addition to allowing users to trade compromised credit cards,
the forum facilitated the creation and exchange of malware, the
establishment and maintenance of networks of infected personal
computers (Botnets) and the exchange of information about cyber
and other criminality. Five individuals were arrested and charged,
with all submitting guilty pleas after charging included Intentionally
/ Encouraging an Offence under the Serious Crime Act 2007. Though
loses through criminal activity linked to the forum are still
be calculated, the estimated value is currently in excess of £20
30. A PCeU investigation into an OCG utlilising
"Drive by Download" methodology. "Drive by Download"
is where malware is inserted into a website thus allowing the
infection of any computers visiting those domains. This investigation
has identified that the subjects have been involved in the compromise
of UK and global bank accounts using SpyEye and Zeus for financial
gain. Over 100 malicious domains were identified in this investigation.
31. A PCeU investigation into an individual who
is administrating a server, hosting both botnets and malicious
software. Intelligence suggests that these are being used to commit
criminality by stealing financial credentials from UK victims.
Case StudiesUtilisation of Malware
32. PCeU's operations have shown the significant
criminal gains that can be achieved through organised, malware-facilitated,
banking fraud. Alongside the financial sector Virtual Task Force
(VTF) the PCeU dismantled the international OCG utilising a Zeus
33. Over a 90 day period, the OCG was able to
redirect funds from compromised UK bank accounts to the evidential
value of £2.66 million from the 285 accounts. Intelligence
suggests that there were significantly more accounts affected
and therefore potentially much greater losses. These figures only
consider losses to UK banks. The OCG involved was also targeting
banks in the USA, other Western European countries and Australia.
Total criminal gains may never be calculated. In the USA alone,
this OCG stole $70 million.
34. The PCeU arrested three men in April 2011
in connection with an investigation into the use of toolkit SpyEye
malware to steal online banking details. The international investigation
revolved around the group's use of variations of the SpyEye malware.
This malware has the capability to harvest personal banking details
from internet users and send the results to remote servers under
the control of criminals.
35. More recently, the PCeU investigated a case
where Trojan malware was hidden within bogus job advertisements
posted on Gumtree. When individuals downloaded the application
form for a job their computer was then infected with a virus.
The virus being a Trojan, designed to capture the recipients banking
details. The PCeU have made two arrests to date.
3. What level of resources are associated with
36. The remit of the PCeU set out in paragraph
5 includes combating malware and as such the full resources of
the unit are available to those areas of cyber crime.
37. The additional funding of £30 million
over four years has provided the scope to significantly increase
the number of cyber crime operations that the PCeU can conduct,
by increasing their capacity. The principal aim of which is to
provide a level of £504 million of harm or potential harm
reduction, experienced by UK society through cyber crime.
38. The following paragraphs explain the different
teams within the PCeU that collectively provide the national response
to tackling cyber crime, including malware attacks.
39. It should be noted that the specific resources
and staff numbers deployed within the PCeU have delivered significant
success in responding to cyber attacks invlolving malware as the
unit has established a unique concept of operations whereby it
has the relationships and protocols in place to call upon the
wider policing resources and external industry partners to work
operationally with the team thereby enhancing the units expertise
and resource capability.
Intelligence Development Team
40. The PCeU Intelligence Development Team (IDT)
is staffed by one Detective Inspector (DI) two Detective Sergeants
(DS), five constables and four police staff.
41. The role of the IDT is to receive and analyse
intelligence which the team then develop by working with the source
to produce actionable operational products from which a decision
is made whether to progress investigations to the unit's Enforcement
42. In a number of cases attacks are aimed at
financial institutions and it is the teams' responsibility to
act as the point of contact with these organisations. In addition,
the team receives tasking requests from both within the MPS and
from outside partners. These requests are filtered against the
case acceptance criteria for the unit which focuses resources
on the most serious cyber crime incidents. There is a process
for the prioritisation of tasks, which is undertaken through a
formal weekly meeting that determines and then prioritises operations
against threats, risks and the capacity of the unit.
The Enforcement Team
43. The PCeU Enforcement Team provides the investigative
and arrest capability of the PCeU and is currently staffed by
two DI's, four DS's and 20 DC's (Detective Constables). The team
is evenly divided into four pods, each headed by a DS. Operations
The PCeU Intelligence Development
Fast-time, in direct response
to an attack on a financial institution.
In support of national
In support of other foreign
law enforcement agency investigations (eg FBI).
44. The PCeU currently works with national, European
and international partners in order to call upon and coordinate
45. The PCeU works closely with the IT security
industry, utilising partnership relationships where possible to
identify malware-related cyber crime and the subsequent reverse
engineering to evidence and attribute the criminal nature, culpability
and mitigation techniques.
46. Cooperation between European countries with
regards to e-crime has improved significantly in the last three
years. This is as a result of extensive operational engagement
with countries willing to undertake proactive tasking at the behest
of other nations. PCeU facilitates joint meetings to discuss cross
border issues, ensure de-confliction and post operational sharing
of learning and to improve working practices.
The Technical Team
47. The PCeU Technical Team provides the PCeU
with the ability to interrogate digital media and technology with
an increasing need for live forensic capability to respond to
multi-layered technology and techniques used to commit criminality.
48. The team obtains intelligence and evidence
of cyber crime, together with the facility to dismantle Botnets
and undertake live network investigative functions.
49. Current staffing levels for the Technical
Team are one DI, three DS's, seven DC's and four members of police
50. The PCeU Technical Team's current roles and
To conduct computer forensic
examinations / investigations, data recovery and electronic discovery.
To gather and disseminate
relevant and quality intelligence.
To provide technical advice
and assistance to officers engaged in the investigation.
To produce evidence in
a form which is admissible in court.
To provide advice to industry
and law enforcement colleagues.
51. The Technical Team's expertise is a crucial
element to PCeU investigations and in order to maintain their
abilities to combat the range of cyber crime methods, ongoing
training and the retention of expertise are key to its success.
The Internet Governance Team
52. The Internet Governance Team comprises of
one PS (Police Sergeant), one PC (Police Constable) and a member
of police staff. A Detective Inspector also has portfolio responsibility
for strategic engagement to identify and establish best practise
and changes to national and international protocols within law
enforcement and industry.
53. The responsibility of the team is to identify
and take action against websites which cause harm to the UK economy
through fraud, identity/brand theft and the infringement of property
54. The team has forged links with internet governance
bodies both domestically and internationally, as much of the illicit
activity is committed outside the boundaries of the UK. Through
these relationships the team has been able to remove elements
of the criminal infrastructure to reduce the ability of criminal
networks to cause significant financial loss. For example, by
utilising the assistance of IP providers and domain name registrars
sites have been taken down swiftly and to long-term effect.
55. The team is in the process of providing a
Standard Operating Procedure for the internet governance position
to roll out within policing and other UK Law Enforcement Agencies.
This will increase policing capability, assist in the dissemination
of best practice and help standardise activities.
56. In addition to those teams outlined, the
PCeU also incorporates Cyber Industry Liaison, a Strategy, Performance
and Communication Unit and supports the National e-Crime Programme
through a National Delivery Office to deliver a regional capability
with three hubs supported by the PCeU.
23 Low Orbit Ion Cannon DDoS utility (LOIC) Originally
originally developed for network stress-testing, but later released
into the public domain where, years later, it became a weapon
of choice for hacktivists. Floods a targeted site with TCP or
UDP packets, a relatively unsophisticated yet effective approach,
especially when thousands of users use the tool to join voluntary
botnets. By default does nothing to hide a user's identity Back