Transnational Organized Crime and Internet Fraud

30 07 2012

Over the past decade the internet has become a prime tool for transnational organized crime (TOC) to commit fraud. The internet is a haven for TOC to commit crime against a great number of victims, from just about any point on the globe, with limited chance of prosecution (Cukier). It is user demand for online financial account access which has fueled organized crime to aggressively invest in technological tools and relationships in order to intercept this financial data for their own gain (Smith), all the while building a most efficient business machine.

In what follows we discuss the technical tools, business strategies, and current trends as they relate to fraudulent activity within the boundaries of the world wide web.

Technical Tools

Organized crime has driven malware development and distribution to infect computer systems worldwide. While our focus here is on fraudulent activity, malware is used for a far greater number of purposes.

Malware is ‘any malicious software, script or code developed or used for the purpose of compromising or harming information assets without the owner’s informed consent’ (Verizon). Its popularity is likely due to an attacker’s desire to stay in control of a system after gaining access, and its successful use in high-volume automated attacks (Verizon).

We define ‘crimeware’, a subcategory of malware, as ‘software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software’ (Smith).  Hence, crimeware used for fraudulent purposes involves the acquisition of personal private information for one’s own use, or the resale of personal information or access to a computer system to a second party (Smith).

Crimeware is distributed via many techniques, including social engineering exploits, content injection attacks, software vulnerabilities, and software downloads. Two basic types of crimeware are utilized for data theft (Smith):

1.  System reconfiguration crimeware

Here the code runs once and alters a system configuration, causing the user’s system to send data to a server without requiring any software to remain on the system.

2.  Resident crimeware

Here the code remains on the system while collecting user information and sending it to a site accessible to the attacker. Two components are typical: a sending component on the user’s computer and a receiving component on an external server used for data collection. The sending component assembles the data gathered by the crimeware (via a web Trojan, keylogger or screen logger) and sends it outbound. Transmission occurs via different channels: email to a fixed location (typically a free email account set up by the attacker); data sent over a chat channel, such as an IRC channel, which the attacker monitors; or data sent over TCP/IP to a data collection server, or servers, accessible to the attacker.

Malware is a vital tool used to gain, and potentially maintain, access to a computer system, with the possible objective of accumulating confidential, personal data. In addition, the way in which malware is deployed can help attackers avoid detection and maintain their presence on a system. For instance, multiple variants of one specific malware code may be used, each in a limited number of deployments. This ‘long tail approach’ (Liston) works as follows: instead of infiltrating a large number of systems with a small amount of code, a large number of malware variants are used to hide evidence of a malware ‘outbreak’. Additionally, malware communication may be limited to patterns that follow typical user behavior, and system resources can be used sparingly so as not to raise any flags.

One last item here: the sheer volume of malware code in existence today is considered ‘the ultimate weapon’ (Liston). Antivirus analysts cannot keep up with the number of signatures needed to keep systems free and clear of known malware code, not to mention the malicious code still unknown, running undetected.
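The resident crimeware architecture above (a sending component exfiltrating over email, IRC or a TCP/IP connection to a collection server) and the long-tail variant strategy together make a defensive point: a per-sample signature only catches the one variant already known, while the sending component’s network behaviour looks the same across all variants. The Python below is an added example, not code from the original post or from any of the cited reports. It parses constructed egress log lines (hostnames, process hashes and addresses are invented; the addresses are documentation ranges) and compares a hash-signature check against two behavioural rules: a policy rule for the channels the text names (IRC on port 6667, and direct SMTP on port 25 from hosts assumed to be workstations because their names start with ws) and a beaconing rule that flags a host contacting the same destination at near-constant intervals.

```python
"""Behaviour-based detection of a crimeware 'sending component' over
constructed egress logs (added example; all hosts, hashes and addresses
are invented). Compares hash signatures with behavioural rules."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed egress log lines (not real data). Columns:
# timestamp host process_sha256(shortened) dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2012-07-30T09:00:00 ws01 aaaa1111 203.0.113.10 6667 420
2012-07-30T09:05:00 ws01 aaaa1111 203.0.113.10 6667 410
2012-07-30T09:10:00 ws01 aaaa1111 203.0.113.10 6667 415
2012-07-30T09:15:00 ws01 aaaa1111 203.0.113.10 6667 430
2012-07-30T09:01:00 ws02 bbbb2222 198.51.100.25 25 2100
2012-07-30T09:31:00 ws02 bbbb2222 198.51.100.25 25 2050
2012-07-30T10:01:00 ws02 bbbb2222 198.51.100.25 25 2200
2012-07-30T09:02:00 ws03 cccc3333 192.0.2.77 443 900
2012-07-30T09:02:30 ws03 cccc3333 192.0.2.77 443 950
2012-07-30T09:03:00 ws03 cccc3333 192.0.2.77 443 910
2012-07-30T09:03:30 ws03 cccc3333 192.0.2.77 443 930
2012-07-30T09:04:00 ws03 cccc3333 192.0.2.77 443 905
2012-07-30T09:07:00 ws04 dddd4444 192.0.2.5 443 15000
2012-07-30T11:42:00 ws04 dddd4444 192.0.2.5 443 3000
2012-07-30T14:09:00 ws04 dddd4444 192.0.2.5 443 48000
"""

MIN_CONNECTIONS = 4   # fewer than this is not enough to call a pattern a beacon
MAX_JITTER = 0.10     # coefficient of variation of inter-connection gaps
IRC_PORT = 6667       # assumption: plain IRC, one of the channels named in the text
SMTP_PORT = 25        # assumption: workstations must not send mail directly


def parse_log(text):
    """Parse the whitespace-separated log format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, phash, dst, port, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "hash": phash, "dst": dst, "port": int(port),
                       "bytes": int(nbytes)})
    return events


def signature_hits(events, known_bad_hashes):
    """Per-sample signature matching: only an exact, already-known hash hits.
    A variant with a different hash (the long tail) is missed entirely."""
    return sorted({e["host"] for e in events if e["hash"] in known_bad_hashes})


def channel_hits(events):
    """Policy rule for the exfiltration channels the text names: IRC from any
    host, and direct SMTP from workstations (assumed to be hosts named ws*)."""
    hits = set()
    for e in events:
        if e["port"] == IRC_PORT or (e["port"] == SMTP_PORT
                                     and e["host"].startswith("ws")):
            hits.add((e["host"], e["dst"], e["port"]))
    return sorted(hits)


def beaconing_hits(events):
    """Flag (host, dst, port) tuples contacted at near-constant intervals,
    the machine-like rhythm a resident sending component tends to have."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["dst"], e["port"])].append(e["ts"])
    hits = []
    for key, stamps in groups.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            hits.append(key)
    return sorted(hits)


def detect(text, known_bad_hashes):
    """Run all three checks and report the hosts each one flags."""
    events = parse_log(text)
    return {
        "signature": signature_hits(events, known_bad_hashes),
        "channel": sorted({k[0] for k in channel_hits(events)}),
        "beaconing": sorted({k[0] for k in beaconing_hits(events)}),
    }


if __name__ == "__main__":
    # Only one variant's hash is known to the signature database.
    print(detect(SAMPLE_LOG, known_bad_hashes={"aaaa1111"}))
```

With only one hash in the signature set, the signature check flags ws01 alone; the channel rule flags ws01 (IRC) and ws02 (direct SMTP), and the beaconing rule flags ws01 and ws03, whose every-30-seconds HTTPS connections look nothing like a person browsing. ws04, whose three large, irregularly spaced uploads are what ordinary use looks like, is flagged by nothing. The thresholds are the example’s own and would need tuning against a real baseline, but the design point stands: rules keyed on what the sending component has to do survive the variant churn that defeats per-sample signatures.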

Business Model

The TOC business model is one which takes advantage of the strengths of technology such as malware, as well as the weaknesses of system users.

1.  Cartel-like business structure.  The TOC model has been compared to a cartel (Berinato).  A shift to a layered service organization spreads the risk among all involved.  Services are doled out to various players, from malware developers to malware distributors to middlemen who sell temporary ‘access’ to infected systems.  The buyers who ultimately intercept and withdraw personal data from a system are far removed from the initial players.

2. Keeping it under wraps.  The goal of organized crime on the internet is to retain a low profile, hence the focus on deploying malware code in a manner which ensures its longevity.  Another method of keeping the operation running: taking small bites.  Those who purchase access to infected systems and come across personal financial data use that information wisely.  Better to charge $10 on each of 1,000 compromised credit cards than $1,000 on each of 10 cards.  The odds that credit card holders will notice or care are minimized.  This model also distributes the risk among multiple banks, who are thus better able to write off the loss.  Law enforcement remains uninvolved, since no complaints are issued.

3. Location, location, location.  TOCs tend to base their operations in countries with no legal ties to the U.S., often remaining in areas with ‘weak legal and policing systems’ (Verizon).  This is supported by the fact that in 2011, Eastern Europe (specifically Russia and Turkey) accounted for 67% of all data theft attacks against organizations, by origin (Verizon).

Recent Data

We have come a long way over the past decade.  Malware development has increased dramatically.  Sophos reported seeing approximately 95,000 unique samples of malware per day in 2011.  Two years prior, the number was under 5,000 per day (Ragan).

Malware was a tool utilized in more than two thirds of the data breach caseload covered in Verizon’s 2012 Data Breach Investigation Report, and was a definite tool in 95% of all cases involving stolen data.  External agents accounted for 98% of all data breaches.  Organized criminals were behind the majority of these breaches, at 83%, and money was the motivating factor in 96% of those cases.  Small organizations with fewer than 100 employees represent the majority of the victims.  Investigators believe this is related to the ease with which their internet-facing point-of-sale systems can be breached (Verizon).

The Future

There are definite steps which can be taken to help mitigate threats and attacks from TOC or other potential external (and internal) attackers.  The recent Verizon data breach report highlights how well external attackers have taken advantage of small business system vulnerabilities.  Special care should be taken to educate and assist these organizations with mitigation strategies, specifically ensuring that they attain and maintain PCI compliance.

Additionally, we need adequate law enforcement to deter, investigate and prosecute these crimes.  We need to continue working internationally, and to encourage minimum standards and cooperation in regard to cyber crime (Cukier).

References

Berinato, S. (2007, September 1). Inside the Global Hacker Service Economy. Retrieved July 19, 2012, from article/456863/inside-the-global-hacker-service-economy

Cukier, W., & Levin, A. (2009). Internet Fraud and Cybercrime. In Crimes of the Internet (pp. 251-279). Upper Saddle River, NJ: Prentice Hall.

Liston, T. (2011, March). Malware War: How Malicious Code Authors Battle to Evade Detection (Publication). Retrieved from Information Week website: abstract/21/5854/security/strategy-malware-war.html

Ragan, S. (2011, February 15). RSAC 2011: Malware and Cyber Crime Evolved. Retrieved from articles/RSAC-2011-Malware-and-cyber-crime-evolved/12807/

Smith, A. (2006, October). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond (Report). Retrieved from reports/APWG_CrimewareReport.pdf

Verizon. (2012). 2012 Data Breach Investigation Report (Research Report). Retrieved from Verizon website: us/about/events/2012dbir/