15 May 2012

Cybercrime Attribution: An Eastern European Case Study

Proceedings of the 7th Australian Digital Forensics Conference

By Stephen McCombie, Josef Pieprzyk and Paul Watters
Macquarie University



Abstract

Phishing and related cybercrime is responsible for billions of dollars in losses annually. Gartner reported more than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008 (Gartner 2009). This paper asks whether the majority of organised phishing and related cybercrime originates in Eastern Europe rather than elsewhere, such as China or the USA. The Russian “Mafiya” in particular has been popularised by the media and entertainment industries to the point where it can be hard to separate fact from fiction, but we have endeavoured to look critically at the information available on this area to produce a survey. We take a particular focus on cybercrime from an Australian perspective, as Australia was one of the first places where Phishing attacks against Internet banks were seen. It is suspected these attacks came from Ukrainian spammers. The survey is built from case studies, both those where individuals from Eastern Europe have been charged with related crimes and unsolved cases where there is some nexus to Eastern Europe. It also uses some earlier work done looking at those early Phishing attacks, archival analysis of Phishing attacks in July 2006 and new work looking at the correlation between the Corruption Perception Index, Internet penetration and tertiary education in Russia and the Ukraine. The value of this work is to inform and educate those charged with responding to cybercrime about where a large part of the problem originates, and to try to understand why.


INTRODUCTION
Phishing and related cybercrime is responsible for annual losses of billions of US dollars. Gartner reported more than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008. They have estimated the losses in the US alone were over USD$7.5 Billion between September 2005 and September 2008 (Gartner 2009).
While the claims by a US treasury official that global cybercrime is more lucrative than illegal drugs and was estimated at USD$105 Billion in 2004 are rather difficult to assess (Reuters 2005), there is clearly a large, illegal and successful criminal industry online. The United States Government’s October 2007 International Organized Crime Threat Assessment (US Department of Justice 2008) says, “International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.”
This paper looks at the part that individuals and groups based out of Eastern Europe play in this, whether the majority of organised phishing and related cybercrime indeed originates in Eastern Europe rather than elsewhere, and why. With the end of communism, Eastern Europe has seen massive changes, and in the resulting power vacuum in many countries organised crime has gained prominence. The Russian Mafiya in particular has been popularised by the media and entertainment industries to the point where it can be hard to separate fact from fiction. While hard data is limited on this phenomenon, there is considerable anecdotal evidence to suggest that transnational organised crime groups from Eastern Europe are significantly involved in Phishing and related cybercrime. Their alleged involvement in these attacks has received extensive coverage in the press with headlines like “Dutch Botnet Trio Reportedly Connected To Russian Mob” (Kreizer 2005) and “Return of the Web Mob” (Naraine 2006). However, a leading security researcher and vendor, Eugene Kaspersky (from Russia himself), charged that the view of the Russian Mafiya and Russians more generally being behind cybercrime was a “myth” (Sturgeon 2006) and that most attacks came from China and the US. While the authors agree there is a degree of mythology around the issue, there is some solid information pointing to the significant role Eastern Europeans, particularly Russians and Ukrainians, play in the cybercrime world. This paper consists of a survey of information available on this area, built from case studies where there is some nexus to Eastern Europe, including a look at the first phishing attacks on Internet Banks in 2003 (McCombie 2008). We also look at other indicators, including the identity of leading spammers, who are a key part of the cybercrime business, and other information such as the views of law enforcement, which also seems to support this thesis.
We then re-examine some archival data on 77 phishing attacks on one Australian institution in July 2006, used in work published in 2008 (McCombie 2008). Lastly we examine the correlation of a low corruption perception index, high Internet penetration, high tertiary education levels and Eastern European cybercrime. In this work we take a particular focus on cybercrime from an Australian perspective, and a lot of our data relates to the Australian experience. While this is convenient for Australia-based researchers, it is also relevant because Australia was one of the first places where Phishing attacks against Internet banks were seen.
As we will discuss, this attack was suspected to have originated from a known spammer in the Ukraine rather than being a home-grown problem. To date there has been little research into the individuals and groups behind Phishing and related cybercrime. To effectively combat this problem we need to understand the disposition and nature of these criminals.
This paper aims to be one step in delivering this important analysis to help government and industry address this problem.

Complete Report: http://igneous.scis.ecu.edu.au/proceedings/2009/forensics/McCombie_Pieprzyk_Watters.pdf