Why cyber crooks often walk free

Finding the smoking gun in a cybercrime investigation is not an easy task, experts say, and sending the culprit to jail is a rarity.

It sounds like a classic case of cyber harassment. Investigators say a couple hacked into an Australian college student’s university record and deleted him from classes, as well as hijacking his Facebook account and making their own unpleasant posts on his page.

But if they actually did carry out this cyber harassment as accused, will they do time for the crime? Or was it someone else behind the computer?

“It can be very hard with computer data to prove who did it,” said Australian lawyer Rachael Shaw in an article in The Advertiser.

Not just in Australia, but around the world.

India has a .7 percent conviction rate for cyber crime, reported Firstpost. And only one in 10,000 cyber crimes results in a conviction in the United Kingdom, according to ITProPortal.

Cyber crime is costing the U.S. $24 billion to $120 billion a year, the Center for Strategic and International Studies estimates.

But stopping the cyber criminals can be expensive and difficult.

“Unlike television shows where the cyber bad guys are caught within an hour, the real truth is that good cyber investigations can be a very laborious, painstaking process,” an anonymous ex-CIA cybersecurity expert told Archer News. 

Why so hard?

You might think that computer data is easy to track, that a criminal would leave digital bread crumbs leading directly to his or her bread box. But experts say that is not the case.

“Cybercrime investigation is often difficult to address because there are so many opportunities for questions about the quality of the data,” said Stacy Bresler with Archer Security Group. “It becomes a question of data integrity—the digital evidence that proves the crime was committed by whom and when.”

Bresler said many cyber crime investigations are tainted before forensic professionals even have a chance to preserve the data.

“When it is discovered that something bad is happening on a system, the first IT department instinct is to fix it,” said Bresler.

But he said, “The act of fixing ‘it,’ replacing a hard drive or deleting suspected malware files, for example, can instantly ruin the opportunity to build a case against the criminal.”

“The files are now potentially tainted, and may not be in a state that can withstand ‘reasonable doubt,’” Bresler added.

There are convictions

Some cyber criminals and cyber crime suspects do feel the weight of the law. A 17-year-old Finnish hacker who was part of the Lizard Squad was convicted of more than 50,000 crimes in July, including data breaches and felony payment fraud, according to The Daily Dot.

Prosecutors in New York filed charges against a man from the Bahamas in December, saying he hacked his way into celebrities’ e-mail accounts and stole sexually-explicit videos, private information, and scripts for upcoming movies and TV shows, then tried to sell his wares to the highest bidder.

Two people were arrested for allegedly taking part in the criminal organization DD4BC, or Distributed Denial of Service for Bitcoin, Europol announced last week. The group is said to have demanded ransom in bitcoin from its victims, with the threat that otherwise it would do a distributed denial of service attack and cause damage.

But many more fly under the law enforcement radar and never end up in court.

“This is different in cases that reach large-scale or nation-state hacking, where millions of records or dollars are lost, or a government system is breached,” explained Patrick C. Miller with Archer Security Group. “But these large-scale cases don’t happen every day, and their frequency doesn’t even come close to the vast majority of ‘breaches’ or acts of cyber crime overall.” 

Too easy

Cyber crime is often easier, safer and more profitable than non-cyber crime, experts say.

“Theft in cyberspace can be performed on a scale not possible in meatspace. The folks who stole payment card data from Target in 2013 were able to pocket, in a matter of months, a lot more money than all the bank robbers in America that year (some of whom were shot and killed in the act),” wrote Stephen Cobb in a post on WeLiveSecurity.

But what if your average street criminal doesn’t have the technical chops to hack his or her way into your bank account? No problem, said Europol, the law agency for the European Union, in its 2015 Internet Organized Crime Threat Assessment. The report said a massive online market has emerged, where non-computer-savvy crooks can buy the services they want.

Don’t know what a DoS (denial of service attack) is? The market allows you to pay someone to know it—and do it—for you.

This market “grants easy access to criminal products and services, enables a broad base of unskilled, entry-level cybercriminals to launch attacks of a scale and scope disproportionate to their technical capability and asymmetric in terms of risks, costs and profits,” the Europol report said.

Not enough soldiers

It’s not just the U.S. government calling for more cybersecurity experts to help. Law enforcement has a need, too, for the overwhelming number of crimes committed every year.

“The problem is that there are millions of cases to be investigated. Even if the FBI assigned all its nearly 14,000 agents and 22,000 professional staff to cyber, it’d still not be enough,” wrote Nick Selby with CSO.

Government, law enforcement, private companies—all trying to hire people with the skills to help solve cyber problems.

“Everybody is competing to get the cybersecurity talent that they need,” said Patrick Coyle with Chemical Facility Security News. “It looks like more people, the FBI included, are going to have to start their own on-the-job training programs to get the effective manpower that they need.”

“Security training is going to be the next cyber growth industry,” he predicted.

“As more and more organizations come to realize that effective cybersecurity training for all connected employees is the cheapest first step to securing corporate data and control assets, there will be much more demand for outside organizations specializing in such training,” explained Coyle.

Location

A detective at a local police department might be able to follow leads and make progress in a cyber-based case. But the trail may lead to a public place, like a Starbucks or a library. Or even worse, to a computer overseas.

Some countries may not be so helpful to foreign law enforcement.

“In some cases, depending on where the attack happened, prosecution isn’t even possible,” said Miller.

“If it is a criminal from a foreign state, then whose laws are being applied to the crime?” asked Bresler. “Often, the criminal can be found and arrested, but then what? Which laws are applicable? Is there a prosecutor available who has the expertise to win the case? With so many questions it may just not be worth even prosecuting. Many of these difficult and complex cyber crimes become a matter of plea bargaining.”

Finding a path

The non-criminal world can help protect itself by sharing, gathering and analyzing more information about how cyber criminals are pulling off their heists, cybersecurity experts say.

Some companies do not want to let law enforcement or government agencies know if there has been a cyber incident.

“Victims consider very risky the reporting of a cyber attack. They fear the agency will leak, customers will get wind and, God forbid, take their money elsewhere,” wrote Selby.

But that may lead to further attacks on that company and on others, said Miller.

“We need better data breach and cyber crime data,” he said. “We can’t make informed risk decisions until we understand which protective, detective and response actions are actually working. Executives and leaders need more than gut instinct, voodoo and spidey-sense to mitigate cyber risk.”

“If organizations don’t open the kimono a bit and start voluntarily sharing this data, it may take the less-preferred path of legislation to get it. Either way, we are virtually blind without it,” Miller said.

Launching an offensive

Investigating crime reports is not enough, said Europol. 

The agency said it wants to proactively take out some of the components that help criminals commit cyber crime, like the sites selling cyber services to crooks, sites offering “bulletproof” hosting, online forums for criminal experts, malware distribution through botnets, counter-anti-virus services and carding sites.

Also on the list of potential law enforcement targets–bitcoin laundering services and money mules, people who transport money for criminals, sometimes unaware that they are taking part in a crime.

“To the extent possible and realistic, the focus should primarily be on the arrest of key perpetrators and organised crime groups,” the Europol report said. “Yet such an approach should be complemented by dismantling, awareness raising, prevention, dissuasion and asset recovery.”

Surviving the attack

In this world where cyber crime is easy, you need to be prepared for the attack, Miller said. Not just the attack, but how to handle it, especially as a company with critical assets.

“Breaches will happen. Criminals will succeed. Detecting when they do, and knowing how to contain and respond is key to being resilient,” Miller said.

He said an organization needs to have detection and response capabilities equal to or better than its preventive capabilities.

“Organizations must be capable of ‘operating through’ the attack while they perform the necessary forensics to understand what happened, and how to prevent it from happening again,” Miller said.

What did I do?

We are often part of the cyber crime machine, responding to fake e-mails and giving away crucial info. 

The complaint filed against the man accused of stealing and peddling celebrity info said he got access by sending his victims messages that their accounts had been hacked, and they needed to change their passwords. By entering their “old” password and then their “new” password into his cyber trap, they may have given him everything he needed to raid their digital possessions.

If you do that with your work account, you could put your company at risk.

Your boss should take note, experts say.

“One of the most effective methods we’re seeing is to add security awareness and security performance to the job role,” said Miller.

“Set the expectation clearly with the staff. Think of it like safety. It’s everyone’s job. This distributes the load and makes everyone accountable in the organization,” he said. “You can even do simple things like adding security messages to the existing, well-established safety communications program.”

And for you, at your computer?

Do the basics, according to STOP.THINK.CONNECT.—including keeping your security software up-to-date, deleting e-mail with links you are not familiar with, being careful of what kind of business you do on an open WiFi system, and asking sites to offer you protection beyond just a password. 

And if you become a victim, you can find out how to save evidence and report the crime through StaySafeOnline.