Read Cybersecurity and Cyberwar Online

Authors: Peter W. Singer, Allan Friedman


Soon the group made bigger news with “Project Chanology” in 2008. As with all great world events, this started with a Tom Cruise video. A somewhat embarrassing interview of the actor gushing about Scientology (including claims that Scientologists are the only people who can help after a car accident) leaked onto YouTube. The Church of Scientology then threatened the online video-sharing site with legal action if it didn't take the video down. Members of Anonymous were angered by what they viewed as a heavy-handed attempt at controlling online information. So they organized a systematic effort instead to knock Scientology websites offline, with members assembling to launch a wave of denial-of-service attacks, akin to building a voluntary botnet.

In 2010, the group made more serious waves when an active node called AnonOps undertook a series of actions with names like “Operation Payback (is a Bitch),” “Operation Avenge Assange,” and “Operation Tunisia.” The first started as a battle over Internet copyright issues, with Anonymous targeting various organizations the hacktivists saw as being too stringent or abusive in trying to restrict Internet piracy. Groups like the Motion Picture Association of America, the Recording Industry Association of America, copyright law firms, and even Gene Simmons, the lead singer of the band KISS (targeted because he had threatened to “sue everybody” who had downloaded his music without permission and “take their homes”), saw their websites knocked offline repeatedly and/or had their files opened to the world.

Eventually, this effort to battle what Anonymous saw as growing restrictions on Internet freedom connected to broader political issues. Companies like PayPal, Bank of America, MasterCard, and Visa were targeted because they stopped processing payments to the whistle-blowing website WikiLeaks, following its controversial publication of US diplomatic cables. The Zimbabwe government's websites were targeted after its president's wife sued a newspaper for US$15 million for publishing a WikiLeaks cable that linked her to the blood diamond trade. The Tunisian government was targeted for censoring the WikiLeaks documents as well as news about uprisings in the country (in a poignant twist, a noted local blogger, Slim Amamou, who had supported Anonymous in the effort, was arrested by the old regime and then became a minister in the new regime that the effort helped put into power). The British government was threatened with similar attacks if it extradited WikiLeaks founder Julian Assange.

As Anonymous went after bigger and more powerful targets, the group garnered more and more attention. This notoriety, however, has ironically rendered Anonymous less anonymous, bringing real costs in the process. Law enforcement agencies became motivated to identify and arrest members involved in the operations, especially any that connected to government agencies. Police raids sent members in places like the United States, the UK, and the Netherlands to jail. By 2011, the challenge grew more complex, when dangerous foes emerged outside of traditional states. As a US Army War College report explored, “Two clandestine non-state groups—a hacktivist collective and a Mexican drug cartel—stared each other down in the digital domain, with potentially fatal real world consequences for both sides.”

The episode started when the Los Zetas, a drug cartel founded by former Mexican army commandos, kidnapped a member of Anonymous. The hacktivists then threatened to post an extensive array of information about Los Zetas and its partners online unless their member was released. This “doxing,” however, wouldn't just be embarrassing to the Zetas, but deadly, as the revelations would open them up to arrest and likely assassination by their rivals. In response, the cartel hired experts to help it “reverse hack” Anonymous, seeking to uncover some of its members, and threaten them with death. Ultimately, they came to a shaky ceasefire. The kidnap victim was released but with an accompanying online threat from the Zetas that they would kill ten people for every name Anonymous publicized.

The ultimate question for Anonymous, as well as for other hacktivists, is the same as for earlier generations of activists and agitators: can the power of the crowd actually have a lasting impact? Some argue that the group is “all bark, no bite,” a new form of a “noisy political demonstration.” Others argue that such critique misses the point: a handful of anonymous computer hackers have garnered worldwide attention for their personal causes, simply by putting forward a new model for mobilization on a global scale. As Electronic Frontier Foundation cofounder John Perry Barlow described, it may well be the new “shot heard round the world—this is Lexington.”

The Crimes of Tomorrow, Today: What Is Cybercrime?

When we were kids, you could visit a strange, wonderful place known as a “library.” There you could check out an encyclopedia (for you youngsters, imagine a paper Wikipedia) entitled the World of Tomorrow. As this guidebook to the future was published in 1981, “Tomorrow” was, of course, the far-off land of the twenty-first century. It was a wonderful world, but one of the chapters in the book did warn children that the future might not be perfect. Alongside the picture of a shady man, who is obviously guilty of something heinous (because he is wearing a Members Only jacket), the book explained:

There is one kind of crime which may exist in the future—computer crime. Instead of mugging people in the streets or robbing houses, tomorrow's criminal may try to steal money from banks and other organizations by using a computer. The computer criminal works from home, using his own computer to gain access to the memories of the computers used by the banks and companies. The criminal tries to interfere with the computers in order to get them to transfer money to his computer without the bank or company knowing that it has been robbed.

It's a scary future we now live in.

Cybercrime, as we now think of computer crime, is most often defined as the use of digital tools by criminals to steal or otherwise carry out illegal activities. As information technology grows more pervasive, however, it becomes harder to find crimes that don't have a digital component. The European Commission, for instance, has tried to sharpen the definition in its laws by distinguishing between traditional crimes that may use cyber tools and cybercrimes as being unique to electronic networks in both the ends and means.

The most pervasive type of cybercrime is “credential fraud,” or the misuse of account details to defraud financial and payment systems. Such systems include credit cards, ATM accounts, and online banking accounts. In order to access these accounts, criminals can obtain security credentials like passwords and other data wholesale by attacking computers that store account details for the merchants, banks, and processors in charge of the whole system. Or they go directly after the individual account owner by tricking him or taking over his computer. A common tool is the “phishing” e-mail, which poses as a communication from a financial institution and presents a link where the victim is prompted to enter his credentials.

In the end, a credential's worth depends on the criminal's ability to extract value. A credit card number, for instance, is only useful if the attacker can turn it into desired goods and services. This might be easy to do with one stolen credit card, but what about ten thousand? In the case of online banking fraud, a thief can't just transfer money to her personal account since the banks can easily track that. The result is that effective credential fraud requires a large organizational infrastructure of sellers, resellers, patsies, and “money mules,” who act as intermediate steps in the transfer of money or goods. It's similar to more traditional money laundering, but in reverse. Rather than washing criminal profits into a wider legitimate pool, the goal is to create a series of seemingly legitimate transactions to get the money into the hands of criminals.

Another kind of cybercrime attacks intermediaries more directly, by identifying sources of value in the advertising mechanisms that drive the free Web we know and love. When advertisers pay by the click, scammers develop automated click-fraud to drive up the profits of hosting advertisements (and cost to the marketer). Criminals take advantage of advertising revenue by registering web domains just a few letters different from popular websites, or “typosquatting,” and collect ad revenue from the page visits by those with clumsy fingers. Enterprising scammers even take advantage of “trending” topics on the Web by quickly registering websites in the hopes of being seen by users searching for newly popular stories, again extracting advertising revenue. These attacks reduce the efficacy of online advertising, which is the lifeblood of freely available content. This technique isn't easy, however, and requires infrastructure and an understanding of the internal mechanics of advertising financing.

Internet scammers employ trickery of a different sort. Their goal is to persuade the victim to deliver his or her money willingly. These efforts target our most basic human emotions: greed, fear, and love. An example from the greed category is the notorious “Letter from Nigeria” scam, which offers the victim huge potential wealth for just a token deposit.

Scams built around fear often hype threats and then target the supposedly security-conscious. While we explore the policy side of this later in the section on the “cyber industrial complex,” at the individual level these scams often involve fake antivirus software. Sometimes appearing as fake pop-up “warnings” on websites, the victim thinks he is gaining added protection from the scary online world, but he is really downloading malware. And once their genuine antivirus software is disabled, the victim is repeatedly prompted for payments to update the fake software. One study estimated that this is a $100 million business.

Finally, online cons also prey on the love we have for one another, whether for someone we know or for the wider world. In the “Stranded Traveler” scam, criminals take over a victim's e-mail, social network account, or both, and issue a plaintive call for help, claiming to be stuck in a remote location without their wallet or passport. The victim's friends and family are encouraged to send money to help the (safe at home) victim. Broader efforts include fake charity websites, which pop up after natural disasters and sadly siphon off money from those truly in need.

What makes scams so hard to combat systematically is that, unlike credential fraud, the victims are willing participants, at least until they learn of the scam. Related to this is another type of crime, fraud. The Internet has enabled the widespread sale of counterfeit or illegitimate goods, whether knock-off luxury handbags or Hollywood blockbusters. Here, even when they're aware, many users are still eager to participate, as they see the true victims as being someone else.

As anyone who has waded through an inbox full of erectile dysfunction drug ads can attest, fake pharmaceuticals are also particularly popular. Contrary to popular belief, many criminals make good on their illegal offers, delivering real drugs from offshore pharmaceutical plants. These organizations use an affiliate program to coordinate advertising, product sourcing, payments, and the technical infrastructure of botnets to coordinate their activity. Interestingly, the reason there are more erectile dysfunction and diet ads is that such programs tend to eschew offering drugs that might attract particular attention from law enforcement, such as opiate painkillers.

All of these illegitimate offerings violate intellectual property controls as well as laws governing medical safety and supervision. Harm can occur through unscrupulous manufacturing or tainted products, especially when it comes to pharmaceuticals. Most losses, however, are indirect, through missed sales and diluted brand value for the companies that followed the rules.

Many cybercrimes target businesses more directly. We explore one particularly widespread type, trade secret and intellectual property theft, later. But companies can also be harmed directly through extortion attacks. This is the category that uses the type of ransomware attacks we read about earlier. The victim has to weigh the potential cost of fighting a well-organized attack versus paying off the potential attacker. Websites with time-dependent business models, such as seasonal sales, are particularly vulnerable. One study reported that, “In 2008, online casinos were threatened with just such an [extortion] attack, timed to disrupt their accepting wagers for the Super Bowl unless the attackers were paid 40,000 dollars.”

Of course, gambling itself is illegal in many jurisdictions, making it just one of many illicit activities that have extended into cyberspace. What makes these activities relevant to cybersecurity is that their virtualization challenges territorial definitions. Some activities, such as the distribution of pedophilic images, are widely condemned around the world whether in a physical magazine or a website. Other behaviors, such as gambling, enjoy the legal protection of some jurisdictions in both the physical and the online worlds. The extended scope of online wagering may have even contributed to the 2013 football match-fixing scandal in Asia, in which gangsters were accused of “reverse-engineering the safeguards of online betting houses.” Another sticky area is hate speech. The EU's resolve to condemn “incitement to racial hatred” online in European criminal codes is contrary to American free speech protections, both on- and offline.

So how big is cyber crime? These varying attack types illustrate how it is difficult to put any single exact, meaningful figure on the size of the problem. There's also a scarcity of reliable data; criminals don't tend to share their information or statistics with academics. As Cambridge University's Ross Anderson lays out, “There are over one hundred different sources of data on cybercrime, yet the available statistics are still insufficient and fragmented; they suffer from under- and over-reporting, depending on who collected them, and the errors may be both intentional (e.g., vendors and security agencies playing up threats) and unintentional (e.g., response effects or sampling bias).”
