2013 - The Impact of Cybercrime

November 1, 2013 by Pierluigi Paganini

Introduction

Recent studies have been published on the evolution of the principal cyber threats in the security landscape. They present concerning scenarios, characterized by the constant growth of cyber criminal activities.

Even though the level of awareness of cyber threats has increased, and law enforcement acts globally to combat them, illegal profits have reached amazing figures. The impact to society has become unsustainable, considering the global economic crisis.

It's necessary to work together to avoid costs that the global community can no longer sustain. The risk of business collapse is concrete, due to the high cost to enterprises of countermeasures and the damage caused by countless attacks.

In this article, we'll quantify the economic impact of cybercrime in 2013 by highlighting the main trends in the criminal ecosystem that concern the security community.

Current scenario

Principal security firms, which observe and analyze the incidents that occurred to their clients, have provided estimates of the annual loss suffered by enterprises. Dozens of billions of dollars are eroding their profits. If we extend the effects of cybercrime to government circles, public industry and the entire population, it's easy to assume that the amount of damage reaches several hundred billion dollars.

In many cases, that estimate can be misleading. That's because there are still too many companies that fail to quantify the losses related to cybercrime. In some cases, they are totally unaware that they're victims of attacks. The majority of estimates rely on a survey, and loss estimates are based on raw assumptions about the magnitude and effect of cyber attacks to provide an economic evaluation.

Cyber criminal activities are increasing by incidence in a scenario made worse by the economic crisis. We also face tightened spending by the private sector, and reduced financial liquidity.

Nearly 80% of cybercrime acts are estimated to originate in some form of organized activity. The diffusion of the model of fraud-as-service and the diversification of the offerings of the underground market is also attracting new actors with modest skills. Cybercrime is becoming a business opportunity open to everybody driven by profit and personal gain.

According to experts at RSA security, cybercrime continues to improve its techniques and the way it organizes and targets victims. The RSA Anti-Fraud Command Center (AFCC) has developed the following list of the top cybercrime trends it expects to see evolve:

  • As the world goes mobile, cybercrime will follow
  • The privatization of banking trojans and other malware
  • Hacktivism and the ever-targeted enterprise
  • Account takeover and increased use of manually-assisted cyber attacks
  • Cybercriminals will leverage Big Data principles to increase the effectiveness of attacks

Cybercrime activities are globally diffused, financially-driven acts. Such computer-related fraud is prevalent, and makes up around one third of acts around the world.

Another conspicuous portion of cybercrime acts are represented by computer content, including child pornography, content related to terrorism offenses, and piracy. Another significant portion of crime relates to acts against confidentiality, integrity and accessibility of computer systems. That includes illegal access to a computer system, which accounts for another one third of all acts.

It's clear that cyber crime is influenced by national laws and by the pressure and efficiency of local law enforcement.

Figure - Most common cybercrime acts encountered by national police (UNODC)

When assessing the effect of cybercrime, it's necessary to evaluate a series of factors:

  • The loss of intellectual property and sensitive data.
  • Opportunity costs, including service and employment disruptions.
  • Damage to the brand image and company reputation.
  • Penalties and compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc.)
  • Cost of countermeasures and insurance.
  • Cost of mitigation strategies and recovery from cyber attacks.
  • The loss of trade and competitiveness.
  • Distortion of trade.
  • Job loss.

Figure - Estimated cost of cybercrime (TrendMicro)

2013 - Cybercrime statistics

To better understand the effect of cybercrime on a global scale, I decided to introduce the results announced by the last study of Ponemon Institute. The study, titled The 2013 Cost of Cyber Crime Study, provides an estimation of the economic impact of cybercrime. It's sponsored by HP for the fourth consecutive year. It reveals that the cost of cybercrime in 2013 escalated 78 percent, while the time necessary to resolve problems has increased by nearly 130 percent in four years. Meanwhile, the average cost to resolve a single attack totalled more than $1 million.

"Information is a powerful weapon in an organization's cybersecurity arsenal. Based on real-world experiences and in-depth interviews with more than 1,000 security professionals around the globe, the Cost of Cyber Crime research provides valuable insights into the causes and costs of cyber attacks. The research is designed to help organizations make the most cost-effective decisions possible in minimizing the greatest risks to their companies," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

The frequency and cost of the cyber attacks increased in the last 12 months. The average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million. That's nearly 78% more than the cost estimated in the first analysis conducted four years ago.

In spite of improvements in defense mechanisms and the increased level of awareness of cyber threats, the cyber crime ecosystem is able to adopt even more sophisticated cyber attack techniques. The cybercrime industry has shown great spirit, and the adaptive capacity to respond quickly to countermeasures taken by the police.

Key findings include:

  • The average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26 percent, or $2.6 million, over the average cost reported in 2012.
  • Organizations in defense, financial services and energy and utilities suffered the highest cybercrime costs.
  • Data theft caused major costs, 43 percent of the total external costs; business disruption or lost productivity accounts for 36% of external costs. While data theft decreased by 2% in the last year, business disruption increased by 18%.
  • Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.
  • The average time to resolve a cyber attack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day—a 55 percent increase over last year's estimated average cost of $591,780 for a 24-day period.
  • Denial-of-service, web-based attacks and insiders account for more than 55% of overall annual cybercrime costs per organization.
  • Smaller organizations incur a significantly higher per-capita cost than larger organizations.
  • Recovery and detection are the most costly internal activities.

Figure - Cybercrime Infograph (Ponemon Institute - HP)

The study also remarked on the necessity of adopting defense mechanisms and building a security culture. The security researchers involved in the study found that deploying systems such as security information and event management (SIEM) and big data analytics could help organizations mitigate the effect of cyber attacks, reducing the cost suffered by enterprises.

"Organizations using security intelligence technologies were more efficient in detecting and containing cyber attacks, experiencing an average cost savings of nearly $4 million per year, and a 21 percent return on investment (ROI) over other technology categories."

In the last report issued by ENISA, titled Threat Landscape Mid year 2013, the organization confirmed the results of the Ponemon Institute. The McAfee security firm estimated that cybercrime and cyber espionage are costing the US economy $100 billion per year, and the global impact is nearly $300 billion annually. Considering that the World Bank estimated that global GDP was about $70,000 billion in 2011, the overall impact of cybercrime is 0.04 percent of global income, an amazing figure!

The security firm sponsored a report titled "Estimating the Cost of Cybercrime and Cyber Espionage", on which the Center for Strategic and International Studies (CSIS) collaborated.

Another concerning side effect of cyber crime activity is the loss of 508,000 jobs in the US alone. That's mainly caused by theft of intellectual property, which wiped out the technological gap of U.S. companies against Asian competitors.

"Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 US jobs potentially lost from cyberespionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging."

"It begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace," states the report.

The cost of malicious cyber activity is mainly related to the theft of intellectual property and the loss of financial assets.

To estimate the overall impact, the CSIS employed economists, intellectual property experts and security researchers who used real-world analogies, like figures for car crashes, piracy, pilferage and drugs, to build a model.

Cyber criminals are improving their ways of being untraceable and of making their malicious structures more resistant to takedown operations by law enforcement. Hackers are improving their infrastructure, for example by adopting peer-to-peer protocols, or by hiding command and control infrastructures in anonymizing environments, such as the Tor Network.

What's the end user impact of cybercrime? What's the perception of the risks related to principal cyber threats?

The Symantec security firm has just released the 2013 Norton Report, the annual research study which examines the consumers' online behaviors, the dangers and financial cost of cyber crime.

Their data also confirms the concerning results of other analyses. Cyber criminal activities and related profit are in constant growth, the cost per cybercrime victim is up 50 percent, and the global price tag of consumer cyber crime is $113 billion annually. That's a result that concerns security analysts. It also affects the current global economic scenario and the difficulties faced by enterprises.

This data was reported in the Norton Report, a document considered one of the world's "largest consumer cyber crime studies, based on self-reported experiences of more than 13,000 adults across 24 countries, aimed at understanding how cybercrime affects consumers, and how the adoption and evolution of new technologies impacts consumers' security."

The Norton Report also states that the number of online adults who have experienced cyber crime has decreased, while the average cost per victim has risen.

Figure - Global Price tag of consumer cybercrime (Norton Report)

Symantec experts have also analyzed the incidence of cybercrime in different countries around the world. As expected, the analysis concludes that cyber crime has no boundaries: its action is globally distributed, although substantial differences are related to the local law framework and to the real effort of the authorities. The difference in the impact of cyber crime is also influenced by many other factors, including the penetration level of technology, perceived corruption, and the adoption of defense mechanisms. The study revealed that the annual number of victims has been estimated at 378 million. The countries where the greatest percentage of the population are victims are Russia (85%), China (77%), and South Africa (73%). The greatest costs of consumer cyber crime are reported in the USA ($38 billion), Europe ($13 billion) and China ($37 billion).

Figure - Global price tag of consumer cybercrime (Symantec)

Technologies that are affecting the IT sector the most are related to mobile and the social media. Both areas are growing at an impressive rate, attracting a growing number of users. Cyber criminals are looking at platforms as vectors for online frauds with increased interest. The number of crimes based on mobile devices and social media is exploding.

The 2013 Norton Report states that the lack of efficient authentication mechanisms and defense mechanisms is the primary cause of incidents for mobile users. Almost half don't use basic precautions and a third were victims of illegal activities last year. What's very concerning is that, given the awareness level of users regarding cyber threats, only a small portion of mobile users (26%) have installed security software and 57% aren't aware of the existence of security solutions for mobile environments. These numbers explain why mobile technology is so attractive for cyber crime. In the majority of cases, the systems are totally exposed to cyber threats due to bad habits and risky behavior.

The greatest challenge for the mobile sector is the promiscuous usage by users. 49% use personal mobile devices in the workforce, with serious repercussions on the overall security of businesses and enterprises. Consider that 36% say their company has no policy to regulate that matter.

"If this was a test, mobile consumers would be failing. While consumers are protecting their computers, there is a general lack of awareness to safeguard their smartphones and tablets. It's as if they have alarm systems for their homes, but they're leaving their cars unlocked with the windows wide open." said Marian Merritt, Internet Safety Advocate, Symantec.

Cyber crime activity affects the principal trends of IT. New business opportunities, mobile platforms, clouds and social media are considered privileged vectors to reach a wide audience unaware of cyber threats. The 2013 Norton report highlights the incidence of cybercrime on social media. Users' risky behavior is responsible for many incidents. 12% of users revealed that someone has hacked their account in the last year. In 39% of cases, users don't log out after each session, and 25% share social media credentials. One in three accept requests from unknown parties.

These risky practices are very dangerous and are a considerable cause of the increase of cyber attacks. On the other side, cyber criminals are adopting hacking techniques that are even more sophisticated. Specifically designed malware and phishing campaigns are the most common techniques of attacks observed in recent months.

"Today's cyber criminals are using more sophisticated attacks, such as ransomware and spear-phishing, which yield them more money per attack than ever before," said Stephen Trilling, Chief Technology Officer, Symantec.

Great interest is dedicated to cloud computing, and in particular to cloud storage solutions that make it easy to archive and share files. 24% of users use the same cloud storage account for personal and work activities. 18% share their collection of documents with their friends. Once again, bad habits facilitate cyber crime. Cloud services bundle a multitude of data services in one place, so they're attractive targets for hackers.

Figure - Cybercrime and cloud storage habits (Symantec)

Cybercrime in UK – case study

To contextualize the effect of cyber crime, it's interesting to consider the data available for a country like the United Kingdom. It's one of the nations with the highest technological penetration levels. The data published in a recent study conducted by cyber security experts at the University of Kent is more shocking. Over 9 million adults in Britain have had online accounts hacked, and 8% of the UK netizens are revealed to have been victims of cyber crime in the past year. 2.3% of the population reported losing more than £10,000 to online fraudsters.

Figure – UK netizens losses

The main crime suffered by UK online users is the hacking of their web services accounts. Those include online banking, email, and social media. In nearly 33% of the cases, the offense was repeated.

In 2011, the UK government documented in an official report that the overall cost of cyber crime to the economy was £27 billion a year. Identity theft was the most common crime, accounting for £1.7 billion. That was followed by online scams, with £1.4 billion. Cyber crime in the UK was most insidious for organizations, private businesses and government offices, which suffered high levels of cyber espionage and intellectual property theft.

Social media is a primary target for emerging cybercrime in the UK. Malicious code is used by criminal gangs to exploit social networks for banking fraud or for phishing campaigns. A new trend has emerged in recent months. The same malicious code is used by criminals to hack victims' accounts, for the creation of bogus social network 'likes' that could be used to generate buzz for a company or individual.

Fake "likes" were sold underground in lots of 1,000. RSA estimated that 1,000 Instagram "followers" could be bought for $15 (£9.50), and 1,000 Instagram "likes" cost $30 (£19). These are more profitable to sell than credit card numbers, which are sold for $6 (£3.80) per lot of 1,000 numbers.

"It seems online crime has a clear impact on the lives of average UK citizens, with their accounts and credentials being compromised significantly and in some cases multiple times. Cybercrime may not yet have hit a large proportion of the British public, but successful attacks do tend to lead to substantive financial damage," said Dr Julio Hernandez-Castro and Dr Eerke Boiten, from the University of Kent's Interdisciplinary Centre for Cyber Security Research.

Cybercrime as service

The terms "Attack-as-a-Service," "Malware-as-a-Service," and "Fraud-as-a-Service" are used to qualify models of sale in which cybercriminals sell or rent hacking services and malicious code to their colleagues, to conduct illegal activities. The concept is revolutionary: the black market offers entire infrastructures to service malware (e.g. bullet-proof hosting or the rental of compromised machines belonging to huge botnets), as well as outsourcing and partnership services, including software development, hacking services, and, of course, customer support.

The majority of these services are presented in the underground economy, based on a subscription or flat-rate fee model, making them convenient and attractive. The principal costs of arranging criminal activities are shared between all customers. This way, service providers could increase their earnings, and clients benefit from a significant reduction of their expenditure, along with the knowledge needed to manage illegal businesses.

These services are characterized by their ease of use and a strong customer orientation. They typically have a user-friendly administration console and dashboard for the control of profit.

The diffusion of the cloud computing paradigm has brought numerous advantages to the IT industry, but also new opportunities for cyber criminals. The term "Attack-as-a-Service" refers to the capability of criminal organizations to offer hacking services. The majority of cases exploit cloud-based architectures.

Cyber criminals offer entire botnet and control infrastructures, hosted on cloud architectures for lease or sale. Compromised machines could be used to steal information from the victims (e.g. banking credentials, sensitive information) or to launch massive DDoS attacks against specific targets.

The prices for attacks on commission are widely variable. Some services are totally free, such as a subscription for IMDDOS. Meanwhile, it costs between $150 and $400 to crack e-mail passwords in less than 48 hours.

One of the most interesting studies proposed regarding cyber crime offers was presented by Fortinet in December 2012. The report produced by the security firm describes the model of "Crime-as-a-Service" in particular, providing a detailed price list for principal hacking services offered in "Attacks-as-a-Service," with some interesting data:

  • Consulting services such as botnet setup, $350-$400
  • Infection/spreading services, under $100 per a thousand installs
  • Botnets and rental: Distributed Denial of Service (DDoS), $535 for 5 hours a day for one week; email spam, $40 per 20,000 emails; and Web spam, $2 per thirty posts.
  • Blackhat Search Engine Optimization (SEO), $80 for 20,000 spammed backlinks.
  • Inter-Carrier money exchange and mule services, 25% commission.
  • CAPTCHA breaking, $1 per a thousand CAPTCHAs, done by recruited humans.
  • Crimeware upgrade modules: Using Zeus modules as an example, they range anywhere from $500 to $10,000.

The above deliverables are provided using different modalities, such as renting, buying or leasing to respond to the client's needs. No doubt, despite different terms adopted to describe similar practices, the models behind them appear to be winning.

Trends and forecast

Technologies such as mobile and social networking are increasingly threatened by cyber criminals. They're "adapting" consolidated attack methods to those platforms, and are defining new offensive strategies.

"The proliferation of mobile devices will lead to an amplification of abuse based on knowledge/attack vectors targeting to social media."

According to security experts and security firms, black market offers support the growth of cyber threats within the cyber crime ecosystem.

As reported in ENISA Threat Landscape, Mid Year 2013, the following top threats are candidates to dominate the criminal landscape in the medium term:

  • Drive-by-exploits: Browser-based attacks still remain the most reported threats, and Java remains the most exploited software for this kind of threat.
  • Worms/Trojans: Sophisticated malware is used by cyber criminals and governments for various purposes, such as offensive attacks, cyber espionage, and sophisticated cyber scams. Cyber crime makes extensive use of malware, especially for banking fraud. The mobile platform and social network situation is very concerning. Those platforms are exploited to spread large-scale malicious agents.
  • Code Injection: Attacks are notably popular against web Content Management Systems (CMSs). Due to their wide use, popular CMSes constitute a considerable attack surface that has drawn the attention of cyber-criminals. Cloud service providing networks are increasingly used to host tools for automated attacks.

Botnets, Denial of Service, rogueware/scareware, targeted attacks, identity theft and search engine poisoning will continue to represent a serious menace to the IT community.

Project 2020

What will the cybercrime landscape look like in 2020? It's difficult to predict the evolution of such a complex ecosystem. Technologies evolve at impressive speed, and with them, opportunities for cyber crime.

The European Cybercrime Centre (EC3) at Europol and the International Cyber Security Protection Alliance (ICSPA) presented, in a study titled Project 2020: Scenarios for the Future of Cybercrime - White Paper for Decision Makers, an overall picture of the foreseeable cyber crime scenario in 2020. They evaluated the scenario from three different perspectives: the individual, company and government points of view.

The document proposed worst-case scenarios, highlighting:

  • Increased abuse of cloud infrastructures. Cyber criminals will increase the use of cloud technology to launch DDoS attacks, or host botnets. Underground market offerings will mature to support cyber gangs in the organization of sophisticated cyber attacks.
  • It will be very difficult to distinguish between legal and illegal activity.
  • Data protection is already a challenge in relation to the internet. The future reality of large scale Radio Frequency Identification (RFID) deployment, global sensor proliferation, aggregation of data and highly personalized, augmented services will require the legal frameworks for privacy and security to further adapt.
  • Increased need for identity protection due to the enlargement of individuals' online experiences.
  • Regarding privacy, as governments establish more privacy laws, the risk of incompatibility between countries increases, creating more roadblocks for responding to cyber crime.
  • The heterogeneous legal framework will allow criminals to choose optimal target countries for illegal activities, and the best sources to engage attacks.
  • A lack of unity in internet governance means a lack of unity in cyber security. Regardless of the precise number of governance authorities operating in 2020, there'll need to be broad consensus on standards, to ensure interoperability of emerging internet mediated technologies, including augmented reality and "the Internet of Things."
  • A consolidation of user encryption management to avoid surveillance activities operated by governments could give cyber criminals an advantage.
  • Threats will continue to blur the distinction between cyber and physical attacks (such as human implants, SCADA systems, etc.). Virtual reality technologies may lead to psychological attacks.
  • Conventional thinking of protected and absolute control of intellectual property may lead to conditional control, as some governments may become dovish in responding to the increasingly prevalent (legal and illegal) access to IP. (However unlikely governments are to shift traditional thinking, they may enact policies that move with the punches of an increasing risk of IP theft, rather than put up a fight.)
  • Data protection tools and laws will have to meet the increasing accessibility and proliferation of data.

The principal threats related to cyber crime activities could be grouped into the following categories:

  • Intrusion for monetary or other benefits
  • Interception for espionage
  • Manipulation of information or networks
  • Data destruction
  • Misuse of processing power
  • Counterfeit items
  • Evasion tools and techniques

In the next year, almost all these cyber menaces will continue to concern authorities. The principal losses will be attributable to cyber espionage and sabotage activities. SMBs will be most impacted by cyber crime. That's why it's necessary that cyber strategies of governments include a series of mitigation countermeasures for principal cyber threats. Critical infrastructure and defense systems will represent privileged targets for cyber criminals and state sponsored hackers. The two categories of attackers will be difficult to distinguish in chaotic cyberspace.

"Evolved threats to critical infrastructure and human implants will increasingly blur the distinction between cyber and physical attack, resulting in offline destruction and physical injury."

Conclusion

The data provided by security firms on the global impact of cyber crime are just a raw estimation in my opinion. They could give a reader just a basic idea of the overall damage caused by illegal activities. Analyzing the cyber crime ecosystem is a very complex task, due to the multitude of entities involved, and their different means and methods. For example, consider a group of cyber criminals who conduct state-sponsored attacks against strategic targets, such as the team of cyber mercenaries discovered by researchers at the Kaspersky Lab, Icefog. The Icefog team is responsible for a huge cyber espionage campaign that occurred in 2011, against the Japanese parliament, and dozens of government agencies and strategic companies in Japan and South Korea.

Cyber mercenaries are recruited by governments and private companies. According to Kaspersky experts, they comprise highly skilled hackers who are able to conduct sophisticated attacks.

In cases like that, how can we evaluate the impact of the actions of groups like those? It's just one example to demonstrate how difficult it is to identify cyber crimes.

The only certainty that emerged from this analysis is that, with an exponential growth of cyber criminal activity and related costs, it's a challenging fight that could be won by law enforcement and governments. That can be done with the development of proper mitigation strategies, and a common legal framework globally recognized and applied through sharing information obtained from investigations conducted by various bureaus.

References

/cybercrime-and-the-underground-market/

http://securityaffairs.co/wordpress/18206/cyber-crime/f-secure-threat-report-h3-2013.html

http://securityaffairs.co/wordpress/18517/cyber-crime/ponemon-2013-cost-of-cyber-crime.html

http://securityaffairs.co/wordpress/18475/cyber-crime/2013-norton-report.html

http://www.cybersec.kent.ac.uk/Survey1.pdf

http://www.emc.com/collateral/fraud-report/current-state-cybercrime-2013.pdf

https://www.icspa.org/uploads/media/ICSPA_Project_2020_%E2%80%93_Scenarios_for_the_Future_of_Cybercrime.pdf

http://www.theguardian.com/technology/2013/aug/23/cybercrime-hits-nine-million-uk-web-users

http://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf

http://www8.hp.com/us/en/hp-news/press-release.html?id=1501128#.Ullf0VC-0uv

http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf

http://securityaffairs.co/wordpress/17945/cyber-crime/enisa-threat-landscape-mid-year-2013.html#!

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.