Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by the Police Central e-Crime Unit (Malware 14)


1.  This report complements the Home Office submission to the Science & Technology Committee.

2.  This Police Central e-Crime Unit submission addresses matters 1-3 as outlined in the Science & Technology Committee's Terms of Reference for Malware and Cyber crime.

3.  For operational reasons the nature of the evidence provided has been restricted to a limited number of completed cases.

4.  For the purposes of this submission, the Home Office "United Kingdom Threat Assessment of Organised Crime" definition of malware has been adopted: Malicious software consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorised access to system resources, and other abusive behaviour.

1.  What proportion of cyber crime is associated with malware?

Remit of Police Central e-Crime Unit

5.  The MPS's Police Central e-Crime Unit (PCeU) is the national lead for e-Crime. The PCeU remit is to tackle those responsible for the most serious incidents of:

—  Computer intrusion;

—  Distribution of malicious code;

—  Denial of service (DDoS) attack; and

—  Internet-enabled fraud.

6.  The PCeU proactively targets individuals involved in the high level authoring, distribution and criminal use of malware. These individuals are key enablers for cybercrime causing substantial harm to the UK and global economy.

7.  Just over half (55%) of PCeU's current investigations involve the authoring, distribution or utilisation of malware.

8.  In the context of PCeU investigations, malware is primarily utilised in the commission of fraud offences against the financial sector.

9.  A recent and growing area of concern for law enforcement is the use of Distributed Denial of Service (DDoS) attacks against organisations in the wake of the WikiLeaks scandal. For the purposes of this submission, only the criminal use of the Low Orbit Ion Cannon DDoS utility[23] is included.

2.  Where does the malware come from? Who is creating it and why?

10.  Malicious software is predominantly created, distributed and used for financial gain and DDoS attacks.

Attacks Against the Banking Sector

11.  Organised Criminal Groups (OCGs) utilise malware to attack the banking sector. This form of e-crime can be extremely profitable, over a relatively short period of time, when compared to more traditional crime types.

12.  Financial institutions invest heavily in Information Assurance. Criminals attack banking systems through the most vulnerable point, the on-line banking user.

13.  OCGs investigated by PCeU are primarily using Trojan malware, typically SpyEye and Zeus, to create Botnets that are controlled by a server, through which bank accounts are accessed and money is transferred out.

14.  Malware infects victims' personal computers, waits for them to log onto a list of specifically targeted banks and financial institutions and then steals their personal credentials, forwarding the data to a server controlled by criminals. It can also manipulate web browsing sessions including creating an additional page requesting the victim to reveal more personal information, such as payment card number, PIN, and passwords. Users have no idea they are being defrauded.

15.  Unbeknown to the owner, computers infected with Zeus or SpyEye become part of a network where they fall under the remote control of computer criminals.

16.  PCeU operational findings reveal that OCGs demonstrate a highly systematic approach to this form of criminality. Investigations have highlighted the use of technical expertise by OCGs in the form of malware authors, who provide the essential IT support for this criminality.

17.  PCeU's Virtual Task Force (VTF) approach has gone some way to mitigate the risk of successful large-scale attacks against the financial sector in the future by encouraging intelligence sharing.

DDoS Attacks

18.  While the threat of DDoS attacks can be used to extort money from commercial organisations, the recent cases dealt with by the PCeU have involved the use of DDoS tools to attack organisations on ideological grounds or simply to prove technical prowess amongst peers.

19.  There has been a growing recent trend in "Hacktivism" encountered by the PCeU, which has involved groups or individuals targeting the websites of companies and organisations, motivated by political or ideological goals. This has been particularly highlighted by recent activity around WikiLeaks supporters such as "Anonymous". It has demonstrated that, facilitated by social networking sites, large numbers of individuals globally are able to voluntarily use their computers to launch DDoS attacks against organisations with a low degree of central organisation or leadership, utilising user-friendly software such as LOIC (Low Orbit Ion Cannon DDoS utility).

20.  There are individuals who author without affiliation to political groups or desire for money but who are motivated by factors such as the personal challenge of testing their IT skills. These individuals will carry out a range of attacks from DDoS to hacking and defacing websites. These individuals are more akin to the stereotypical lone, male hacker or "script kiddy".

The Authoring and Distribution of Malware

21.  PCeU operational intelligence suggests that there are a relatively small number of individuals with the technical skills required to produce the code involved in distribution of malware.

22.  Some individuals provide bespoke malware services to OCGs while at the same time working on their own criminality. Lower-tier individuals appear to be "testers", checking for bugs in the scripts which are used to move money into mule accounts and making adjustments to the code as required. Identified OCGs have members with distinct core skills, ie infrastructure, cash-out and code development.

23.  Methods of malware distribution continue to evolve. A recent PCeU operation has shown that malware propagation is moving onto compromised legitimate websites, which may indicate that spam delivery and fake websites are no longer the primary mechanisms. This operation also found a number of Command and Control Servers used both to store the stolen data and to control the malware. These servers are hosted in Russia, China and the UK.

Online Criminal Forums & Malware "Kits"

24.  Online Criminal Forums allow all types of criminals to interact with each other across large geographical areas, to plan, organise and commit crimes, without having to personally know each other. These types of forums enable criminals with different skill sets to advertise their services and thus create virtual OCGs that would not have formed in off-line environments. Disturbingly, they also act as an educational forum to the benefit of new members.

25.  PCeU has gathered intelligence and investigated the use of online criminal forums by a range of different individuals and groups including hacktivists, OCGs and individual hackers to share knowledge and organise offences.

26.  Online criminal forums facilitate the purchasing of "malware kits" which enable individuals to carry out "ready made" attacks with less technical knowledge or experience. Intelligence gleaned from PCeU investigations indicates that individuals with little prior knowledge of IT can develop the capabilities to carry out a malware attack within a very short period of time.

27.  Online criminal forums and "malware kits" regularly come to the attention of PCeU staff investigating banking Trojans and DDoS attacks.

28.  Availability via criminal forums, the relative ease of use and sometimes low cost of Zeus and SpyEye malware in particular, has led to its popularity and extensive proliferation globally.

Case Studies—The Authoring and Distribution of Malware

29.  A PCeU investigation into an individual who was running a Zeus Botnet and, in addition, hosting an online global crime forum called GhostMarket. GhostMarket was the largest English-speaking criminal forum, with over 8,000 members, and promoted and facilitated the electronic theft of personal information. In addition to allowing users to trade compromised credit cards, the forum facilitated the creation and exchange of malware, the establishment and maintenance of networks of infected personal computers (Botnets) and the exchange of information about cyber and other criminality. Five individuals were arrested and charged, and all submitted guilty pleas; the charges included Intentionally Encouraging an Offence under the Serious Crime Act 2007. Though losses through criminal activity linked to the forum are still being calculated, the estimated value is currently in excess of £20 million.

30.  A PCeU investigation into an OCG utilising "Drive by Download" methodology. "Drive by Download" is where malware is inserted into a website, thus allowing the infection of any computer visiting that domain. This investigation has identified that the subjects have been involved in the compromise of UK and global bank accounts using SpyEye and Zeus for financial gain. Over 100 malicious domains were identified in this investigation.

31.  A PCeU investigation into an individual who is administering a server hosting both botnets and malicious software. Intelligence suggests that these are being used to commit criminality by stealing financial credentials from UK victims.

Case Studies—Utilisation of Malware

32.  PCeU's operations have shown the significant criminal gains that can be achieved through organised, malware-facilitated, banking fraud. Alongside the financial sector Virtual Task Force (VTF) the PCeU dismantled the international OCG utilising a Zeus Trojan.

33.  Over a 90 day period, the OCG was able to redirect funds from compromised UK bank accounts to an evidential value of £2.66 million from 285 accounts. Intelligence suggests that there were significantly more accounts affected and therefore potentially much greater losses. These figures only consider losses to UK banks. The OCG involved was also targeting banks in the USA, other Western European countries and Australia. Total criminal gains may never be calculated. In the USA alone, this OCG stole $70 million.

34.  The PCeU arrested three men in April 2011 in connection with an investigation into the use of the SpyEye malware toolkit to steal online banking details. The international investigation revolved around the group's use of variations of the SpyEye malware. This malware has the capability to harvest personal banking details from internet users and send the results to remote servers under the control of criminals.

35.  More recently, the PCeU investigated a case where Trojan malware was hidden within bogus job advertisements posted on Gumtree. When individuals downloaded the application form for a job, their computer was infected with a virus. The virus, a Trojan, was designed to capture the recipient's banking details. The PCeU have made two arrests to date.

3.  What level of resources are associated with combating malware?

36.  The remit of the PCeU set out in paragraph 5 includes combating malware and as such the full resources of the unit are available to those areas of cyber crime.

37.  The additional funding of £30 million over four years has provided the scope to significantly increase the number of cyber crime operations that the PCeU can conduct, by increasing its capacity. The principal aim is to deliver £504 million of reduction in the harm, or potential harm, experienced by UK society through cyber crime.

38.  The following paragraphs explain the different teams within the PCeU that collectively provide the national response to tackling cyber crime, including malware attacks.

39.  It should be noted that the specific resources and staff numbers deployed within the PCeU have delivered significant success in responding to cyber attacks involving malware. The unit has established a unique concept of operations whereby it has the relationships and protocols in place to call upon wider policing resources and external industry partners to work operationally with the team, thereby enhancing the unit's expertise and resource capability.

Intelligence Development Team

40.  The PCeU Intelligence Development Team (IDT) is staffed by one Detective Inspector (DI), two Detective Sergeants (DS), five constables and four police staff.

41.  The role of the IDT is to receive and analyse intelligence, which the team then develops by working with the source to produce actionable operational products, from which a decision is made whether to progress investigations to the unit's Enforcement teams.

42.  In a number of cases attacks are aimed at financial institutions, and it is the team's responsibility to act as the point of contact with these organisations. In addition, the team receives tasking requests from both within the MPS and from outside partners. These requests are filtered against the case acceptance criteria for the unit, which focuses resources on the most serious cyber crime incidents. There is a process for the prioritisation of tasks, which is undertaken through a formal weekly meeting that determines and then prioritises operations against threats, risks and the capacity of the unit.

The Enforcement Team

43.  The PCeU Enforcement Team provides the investigative and arrest capability of the PCeU and is currently staffed by two DIs, four DSs and 20 DCs (Detective Constables). The team is evenly divided into four pods, each headed by a DS. Operations are allocated:

—  Via the PCeU Intelligence Development Team.

—  Fast-time, in direct response to an attack on a financial institution.

—  In support of national security operations.

—  In support of other foreign law enforcement agency investigations (eg FBI).

44.  The PCeU currently works with national, European and international partners in order to call upon and coordinate enforcement activity.

45.  The PCeU works closely with the IT security industry, utilising partnership relationships where possible to identify malware-related cyber crime and to reverse engineer the malware in order to evidence and attribute its criminal nature and culpability, and to identify mitigation techniques.

46.  Cooperation between European countries with regard to e-crime has improved significantly in the last three years. This is a result of extensive operational engagement with countries willing to undertake proactive tasking at the behest of other nations. PCeU facilitates joint meetings to discuss cross-border issues, ensure de-confliction, share learning post-operation and improve working practices.

The Technical Team

47.  The PCeU Technical Team provides the PCeU with the ability to interrogate digital media and technology with an increasing need for live forensic capability to respond to multi-layered technology and techniques used to commit criminality.

48.  The team obtains intelligence and evidence of cyber crime, together with the facility to dismantle Botnets and undertake live network investigative functions.

49.  Current staffing levels for the Technical Team are one DI, three DSs, seven DCs and four members of police staff.

50.  The PCeU Technical Team's current roles and responsibilities are:

—  To conduct computer forensic examinations / investigations, data recovery and electronic discovery.

—  To gather and disseminate relevant and quality intelligence.

—  To provide technical advice and assistance to officers engaged in the investigation.

—  To produce evidence in a form which is admissible in court.

—  To provide advice to industry and law enforcement colleagues.

51.  The Technical Team's expertise is a crucial element of PCeU investigations; in order to maintain the team's ability to combat the range of cyber crime methods, ongoing training and the retention of expertise are key to its success.

The Internet Governance Team

52.  The Internet Governance Team comprises one PS (Police Sergeant), one PC (Police Constable) and a member of police staff. A Detective Inspector also has portfolio responsibility for strategic engagement to identify and establish best practice and changes to national and international protocols within law enforcement and industry.

53.  The responsibility of the team is to identify and take action against websites which cause harm to the UK economy through fraud, identity/brand theft and the infringement of property rights.

54.  The team has forged links with internet governance bodies both domestically and internationally, as much of the illicit activity is committed outside the boundaries of the UK. Through these relationships the team has been able to remove elements of the criminal infrastructure, reducing the ability of criminal networks to cause significant financial loss. For example, by utilising the assistance of IP providers and domain name registrars, sites have been taken down swiftly and to long-term effect.

55.  The team is in the process of providing a Standard Operating Procedure for the internet governance position to roll out within policing and other UK Law Enforcement Agencies. This will increase policing capability, assist in the dissemination of best practice and help standardise activities.

56.  In addition to those teams outlined, the PCeU also incorporates Cyber Industry Liaison, a Strategy, Performance and Communication Unit and supports the National e-Crime Programme through a National Delivery Office to deliver a regional capability with three hubs supported by the PCeU.

September 2011

[23]  Low Orbit Ion Cannon DDoS utility (LOIC): originally developed for network stress-testing, but later released into the public domain where, years later, it became a weapon of choice for hacktivists. It floods a targeted site with TCP or UDP packets, a relatively unsophisticated yet effective approach, especially when thousands of users use the tool to join voluntary botnets. By default it does nothing to hide a user's identity.


© Parliamentary copyright 2012
Prepared 2 February 2012