The FBI’s Internet Crime Complaint Center received nearly 300,000 cases in 2016, and only 15 percent of victims even report crimes in the first place. “The threat is now coming at us from all sides,” says FBI Director Christopher Wray.
Hundreds of thousands of Americans are victims of cybercrime every year. Only 15 percent of cyber fraud victims ever report the crimes to law enforcement, the FBI says. Many victims feel they have nowhere to turn, McClatchy Newspapers reports. Often do not. Most local and state law enforcement agencies are not equipped to track down cyber crooks. The FBI is swamped and must prioritize big cases. “It’s a huge problem,” said Nick Selby, a Texas police detective and information security consultant. “It’s difficult for local law enforcement because we don’t have the training.”
International cyber gangs prey upon U.S. victims by hacking their computers to obtain credit card and Social Security numbers to defraud banks and retail outlets. “They are things like, ‘My ex is tracking me with spyware on my phone,’ or ‘My neighbor has hijacked my wireless and is doing illegal things.’ There’s nobody to tell about this,” said Michael Hamilton of Critical Informatics, an information security firm based in Bremerton, Wa. Local and state law enforcement agencies often are ill-equipped to investigate digital crimes, which can originate across state lines or outside of the U.S. entirely. Prosecutors sometimes hesitate to take on complicated cases with low conviction rates. At the national level, a rise in cases inundates the FBI, the lead federal agency on cyberattacks and crimes. “This threat is now coming at us from all sides,” FBI Director Christopher Wray said last week. “We’re worried — at the FBI and with our partners — about a wider range of threat actors, from multinational cyber syndicates and insider threats to hacktivists. And we’re concerned about a wider gamut of methods…” The bureau’s Internet Crime Complaint Center received nearly 300,000 complaints with total losses in excess of $1.3 billion in 2016.
Many offenses are not counted when major crimes are tallied, such as identity theft; sexual exploitation; ransomware attacks; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas.
The tools used to fight crime and measure U.S. crime trends are outdated. Even as certain kinds of crimes are declining, others are increasing, yet because so many occur online and have no geographic borders, local police departments face new challenges not only fighting them, but also keeping track of them, the New York Times reports. Politicians often promote crime declines without acknowledging the rise of cybercrimes. Keith Squires, Utah’s public safety commissioner, was deep in the fight against opioids when he realized that a lack of data on internet sales of fentanyl was hindering investigations. So he created a team of analysts to track online distribution patterns of the drug. In Philadelphia, hidebound ways of confronting iPhone thefts let illicit networks that distribute stolen cellphones thrive. Detectives treated each robbery as an unrelated street crime — known as “apple picking” — rather than a vast scheme with connected channels used by thieves to sell the stolen phones.
Nashville investigators had no meaningful statistics on the “cheating husband” email scheme. Anonymous extortionists mass-email large numbers of men, threatening to unmask their infidelities. The extortionists have no idea if the men have done anything wrong, but enough of them are guilty that some pay up, sometimes with Bitcoin. “Suspects take advantage, knowing that ‘Hey, I’m basically committing crimes blindly,’ without the fear of prosecution,” said Capt. Jason Reinbold of the Metropolitan Nashville Police Department’s criminal investigations division. “And I can’t analyze something if I don’t have data.” Many offenses are not counted when major crimes are tallied, such as identity theft; sexual exploitation; ransomware attacks; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas.
It's really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I've seen at trying to put a number on this. The results are, well, all over the map:
"Estimating the Global Cost of Cyber Risk: Methodology and Examples":
Abstract: There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model's functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).
Here's RAND's risk calculator, if you want to play with the parameters yourself.
Note: I was an advisor to the project.
Separately, Symantec has published a new cybercrime report with their own statistics.
The ride-hailing service faces lawsuits, state investigations and a federal criminal probe over a $100,000 payment to a hacker in a case that put the information of 57 million driver and rider accounts at risk.
The email resembled other messages that Joe Sullivan, Uber’s chief security officer, received in the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems. Yet the note and Uber’s $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have turned into a public relations debacle for the company, the New York Times reports. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, chief executive Dara Khosrowshahi called it a “failure” that it had not notified people earlier. Sullivan and a security lawyer were fired.
Not only did Uber pay an outsize amount to the hacker, but it also did not disclose for a year that it had briefly lost control of so much consumer and driver data. The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the U.S. Attorney in San Francisco has begun a criminal investigation. The hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law.
The Commerce and Homeland Security departments issue a report outlining ways of reducing cyberattacks. “Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone,” said one official.
Two federal departments issued a report with recommendations aimed at reducing the threat of cyberattacks, says Mission Critical Communications/Radio Resource International. The draft report comes from the Department of Commerce and the Department of Homeland Security. “Cybersecurity is perhaps one of the most serious threats we face,” said Secretary of Commerce Wilbur Ross. “President Trump understands the necessity of strengthening our networks and this administration is doing everything in its power to prevent bad actors from infiltrating our critical cyber infrastructure.”
The report lists five goals: Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace; promote innovation to respond to evolving threats; promote innovation to prevent, detect and mitigate bad behavior; build coalitions between the security, infrastructure and operational technology communities domestically and around the world; and “increase awareness and education across the ecosystem.” Officials focused on “botnets”–robotic networks committing cybercrime–as particularly dangerous. “Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone,” said Walter Copan of the National Institute of Standards and Technology. “The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses.”
A week before Trump was sworn in, Romanian ransomware hackers took over 123 of the Washington police department’s outdoor surveillance cameras. Two men are charged in the case. Federal prosecutors said there was no threat to public safety.
Romanian ransomware hackers took over most of Washington, D.C.’s outdoor surveillance cameras just before President Trump’s inauguration, reports the Washington Post. A federal criminal complaint unsealed Thursday said the January attack affected 123 of the D.C. police department’s 187 outdoor surveillance cameras, leaving them unable to record for several days. Two Romanians, whom law enforcement officials describe as part of a larger extortionist hacking group, are being charged in D.C. federal court with fraud and computer crimes. Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, were arrested in Romania earlier this month, along with three other Romanian hackers who will face prosecution in Europe.
Prosecutors plan to seek extradition. They face up to 20 years in prison if convicted.
On Jan. 12, D.C. police noticed several surveillance cameras were not functioning properly. Secret Service Agent Brian Kaiser investigated and found that they had been taken over by non-police users. Those people were sending spam messages infected with ransomware to a long list of email addresses. The city resolved the problem by taking the devices offline, removing all software and restarting the system at each site, a process that took about two days, according to police. From Jan. 12 to Jan. 15, none of the cameras were able to record video. No ransom was paid. There is no evidence the disruption threatened or harmed anyone’s safety, according to the U.S. Attorney’s Office.
A new strain of ransomware called LockCrypt, possibly from Iran or Ukraine, disables some government computers in Mecklenburg County, N.C. Officials will rebuild its files from backups.
Cyber criminals took a second swing at Mecklenburg County, N.C., government on Thursday after officials rejected a demand for money after a ransomware attack, the Charlotte Observer reports. The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio said she’d decided against paying a hacker ransom. Instead of agreeing to pay criminals, she said the county will rebuild its system applications and restore files and data from backups.
As the county’s IT staff worked to recover from the first cyberattack, Diorio said, they discovered more attempts to compromise computers and data on Thursday. The county blocked employees from being able to open attachments generated by Dropbox and Google Document. “The best advice for now is to limit your use of emails containing attachments, and try to conduct as much business as possible by phone or in person,” she said. The county learned of the problem this week after an employee opened a malicious “phishing” email and accessed an attached file that unleashed a widespread problem inside the county’s network of computers and information technology. Information was encrypted or locked, keeping employees at the county from accessing operating systems and files. The person or people responsible for the infiltration then demanded the county pay two bitcoins, or about $23,000, in exchange for a release of the locked data. The county refused to pay. Experts attributed the attack to a new strain of ransomware called LockCrypt that originated from Iran or Ukraine.
Roman Valeryevich Seleznev (alias “Track2,” “Bulba” and “Ncux”) was sentenced by federal judges in the Northern District of Georgia and in the District of Nevada for his role in an online marketplace that traded in identity theft and credit card fraud. He pled guilty to racketeering and conspiracy to commit bank fraud.
A Russian national was sentenced on Thursday for his role in an online marketplace that traded in identity theft and credit card fraud, costing its victims over $50 million in damages. Roman Valeryevich Seleznev (alias “Track2,” “Bulba” and “Ncux”) was sentenced by federal judges in the Northern District of Georgia and in the District of Nevada after pleading guilty to racketeering and conspiracy to commit bank fraud, according to a statement by the Department of Justice. He was ordered to pay restitution of over $53 million.
Seleznev admitted to being involved in the online criminal marketplace Carder.su, which, by his own admission, was an “Internet-based, international criminal enterprise whose members trafficked in compromised credit card account data and counterfeit identifications and committed identity theft, bank fraud, and computer crimes,” according to the DOJ. Seleznev also ran his own automated website where he sold compromised credit card account data and counterfeit I.D.s. The website did so much business that customers could “search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their ‘shopping cart’ and upon check out, download the purchased credit card information.” Payments were deducted from an account funded through L.R., an online digital currency payment system. Last year, Seleznev was sentenced to 27 years for his role in a scheme to “hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld.”
The FBI didn’t tell scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the Kremlin had targeted them, the Associated Press reports. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up.
The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the Kremlin had targeted them, the Associated Press reports. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting. “It’s utterly confounding,” said Philip Reiner, a former director at the National Security Council, who was told by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.” The FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but said, “The FBI routinely notifies individuals and organizations of potential threat information.”
Three people familiar with the matter said the FBI has known for more than a year the details of Fancy Bear’s attempts to break into Gmail inboxes. A senior FBI official said that the bureau was overwhelmed by the sheer number of attempted hacks. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said. AP reporters spent two months going through a hit list of Fancy Bear targets provided by the cybersecurity firm Secureworks. The AP has reported on how Fancy Bear worked in close alignment with the Kremlin’s interests to steal tens of thousands of emails from the Democratic Party. The hacking campaign disrupted the 2016 U.S. election and cast a shadow over the presidency of Donald Trump, whom U.S. intelligence agencies say the hackers were trying to help. The Russian government has denied interfering in the election.
Company fires its chief security officer, says it will notify owners of the affected accounts. The New York State Attorney General is investigating.
Uber Technologies Inc. said it paid hackers $100,000 in an effort to conceal a data breach affecting 57 million accounts a year ago, a disclosure that adds to a string of scandals and legal problems for the world’s most highly valued startup, the Wall Street Journal reports. The ride-hailing firm fired its chief security officer and his deputy for their roles in the breach and for covering it up. In addition to the names, emails and phone numbers of millions of riders, about 600,000 drivers’ license numbers were accessed. Uber said financial information such as credit cards and Social Security numbers weren’t taken. Uber said it identified the hackers and “obtained assurances” they had destroyed the stolen data.
The San Francisco company said it would notify owners of the affected accounts in the coming days. While the scale of the breach pales in comparison with disclosures from Yahoo Inc. and Equifax Inc., Uber’s attempts to keep it quiet raise questions about whether officers still at the company were part of the effort. The New York State Attorney General’s office has opened an investigation into the breach. “None of this should have happened, and I will not make excuses for it,” said Chief Executive Dara Khosrowshahi. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Valued at $68 billion, Uber has a reputation for pushing the limits of the law in its pursuit of dominating the ride-hailing market.