Thursday

So How Much Can a Cyber Criminal Earn

Imagine you're trapped, through no fault of your own, you maybe stuck in some small backwater of Eastern Europe, surrounded by poverty and unemployment - with limited options to escape and make a better life for yourself.  You're bored, you have no focus, no chance for self improvement, but you have the internet.

The influence of the net simply cannot be measured, for instance many thousands of years ago, one of the worlds greatest philosophers was condemned to death. Why?  Well Athenians were worried about what effect a 70+ year old thinker called Socrates would have on their population by wandering around and chatting in the city - can you imagine what a threat he'd be with a web site or blog nowadays.



But yet again I digress, the point I was trying to make is that the possibilities that have opened up are incredible in all areas, for good and not so good.  The world has got so very much smaller online,  but for crime that is a fantastic boost.   The internet offers the chance to control, to sell both ideas and products and unfortunately to steal from people 1000s of mile from you without ever having to meet them.   The only barrier apart from morality to committing cyber crime is of course a decent education.

Of course many disaffected youngsters had excellent educations in Eastern Europe and China for instance, far better than some of the people they see living the 'good life' in the big cities of Europe and America.   Crime has always been a chance for people to break out, to make better lives for themselves at the cost of others.   But nowadays Cyber Crime offers even bigger incentives with the added bonuses of being relatively safe and depersonalized compared to ordinary crimes (your victims are usually little more than email or IP addresses).

When you've seen these people in action, spoken to victims and the people trying to trace them you'll understand why anonymous surfing is so very important to me!

There are of course almost unlimited opportunities for criminal acts on the internet - so here's a real simple method used by many,  obviously details are omitted - but to be honest they're not hard to fill in.

Step One - Get Your Own Free Anonymous Proxy

A little effort and research will allow you to use the various script kiddy tools that will soon gain you access to other peoples information.  Break into a server somewhere running an old unpatched version of Microsoft IIS or Apache and then open up that proxy to the world, publish it on the many free proxy list sites scattered across the internet.   Pretty soon you'll have all manner of people sending all their web traffic through your little proxy.

Step Two - Steal Their Data


Install a simple logging program on the server and watch as all the traffic flies passed in clear text, 99% will be HTTP traffic, unsecured, plain text details which can be easily read.   There are even programs around to help you parse this data easily, sifting out the email address, personal information, accounts and passwords. Log all the visits to sites like online banks, paypal, webmail, moneybookers, ebay etc - anything where there is the potential to steal or use your identity fraudulently.


Step 3 - Monetize this Information


You'll have so much data after a few days logging you won't know where to start.  The possibilities are endless - after sorting the information, you'll likely have some more obvious targets, information on who uses which online services, passwords or clues to passwords, email accounts where you watch and learn more.  It is at this stage that the smart cyber criminal shines, selecting the safest and quickest way to make money off his victims before disappearing into the night and erasing all his tracks from his stolen proxies.

Is it just Theory or does it happen ?
I spoke to a guy who got scammed like this a couple of weeks ago, he actually made a living online, he had loads of websites that where very valuable to him.   Identity Thieves got his email address and account password, instantly gaining access to a huge part of his online life.   Their attack was to steal his web sites, a quick request to his hosting provider, changing the domains to point to a different owner and IP address.   Modify the registration details and then to sell on the hugely profitable web sites on for a bargain price to some one else in cyberspace.  He may get them back who knows, he's in for some major headaches and legal problems to do it though, and he lost much more than if they'd just hacked into his paypal account and stole a few hundred dollars.

Do you know why he use a hacked proxy server which was how he became a victim ? Simply because he wanted to post multiple Craiglist adverts from different IP addresses - bad move - don't use free proxies you know nothing about.

But of course as per usual, I haven't answered the question - how much can a cyber criminal earn?  I'm afraid a heck of a lot more than you or I !




0 comments: