It’s no secret that when removed from the direct scrutiny of law enforcement, crime will thrive. Why is this of concern? Because recent studies of cybercrime show that the use of virtual currencies has further distanced the crime from its consequences. As this distance increases, the severity of the crime can be expected to escalate accordingly.
In an earlier paper (PDF) by McAfee CTO Raj Samani, “Cybercrime Exposed: Cybercrime-as-a-Service,” clearly identifies the availability of vulnerabilities, exploits, spam services, malware creation, malware delivery, password cracking and denial-of-service — all for hire, online. This is very concerning for anyone with an interest on securing critical national infrastructure: systems that we all rely on yet are highly vulnerable to a cyberattack. I’ve often said that one of the reasons we haven’t seen an abundance of such attacks is because they carry heavy consequences. If Joe Anarchist wants to cause a blackout, you can bet that the full investigative weight of public- and private- sector law enforcement will come crashing down on Joe’s head like the fist of an angry god.
Without consequences, things might be different.
The extent to which cybercrime has evolved proved staggering when further investigated by McAfee Labs. In a follow-up paper (PDF) “Digital Laundry,” an investigation of digital money laundering shows just how enabled cybercriminals have become.
Digital currencies are little more than a curiosity to most. In infosec circles, however, Bitcoins and e-gold represent something far more interesting. The convenience of a digital transaction, coupled with varying degrees of anonymity, provide a safe method of purchasing goods and services. In an industry where whitehats and blackhats are blurred by myriad shades of grey, this could facilitate acquiring anything from malware samples, custom payloads or payload delivery services all the way to “hacker for hire” services. At one end of the spectrum, these services could be used for good (at least perceived good), but as intentions darken, the world of cybercrime emerges.
With researchers François Paget and Matthew Hart from McAfee Labs, Samani dove deep into this issue, and learned that the world of cybercrime is broader, more accessible and more prevalent than ever. Empowered by anonymity, cybercrime extends beyond malware to offer drugs, firearms, and even assassinations — all available via an online shopping cart.
It all comes back to virtual currencies, which offer unregulated transactions using invented currencies. Because the transactions happen anonymously, and the currencies are virtual, they confuse issues of jurisdiction and can become difficult to enforce. When authorities do take action, cyber-crime simply re-images itself with a new currency and a new platform.
As the paper states, “… virtual currencies are unregulated and use an invented currency … They are reliable, relatively instant, and anonymous. Even when privacy issues have been raised with particular currencies (notably Bitcoin), the market has responded with extensions to provide greater anonymity. Market response is an important point because regardless of law enforcement actions against Liberty Reserve and e‐gold, criminals quickly identify new platforms to launder their funds.”
Let’s rewind a moment. Did I say assassinations? Yes, I did. While the paper clearly states that cyber-killer services were left uninvestigated (due to concerns of the authors’ safety) and therefore unverified, we have to assume that with the availability of anonymous finance, virtually any crime can now benefit from the same virtues of global ecommerce that have been recognized by legitimate industries for decades.
So is it that great a leap to move from assassination of an individual for the $10,000 USD equivalent in bitcoins, to a dedicated attack on infrastructure? When you combine the relative ease and high risk of a potential cyber attack, with the relative ease of a physical attack — acquired via the cyber black market — the true scope of a threat against critical national infrastructure can easily be imagined. Now, the type of targeted and coordinated attack that has to date been limited to the cyber battlegrounds of nations, is suddenly available as online service.
Cybercrime today has evolved. It isn’t infallible — evident by the recent FBI takedown of the online black market Silk Road, and the arrest of its creator — but it is boundless, highly anonymous, and instantaneous. To protect the systems and services that we rely on, we must recognize this and adjust our risk equations accordingly.