Security IT

Cybercrime More Lucrative Than Drugs 282

prostoalex writes "Yahoo is reporting that global cybercrime overtook global drug trafficking in terms of revenue this past year. In related news, only 4% of Internet users can flag 100% of phishing e-mails as fraudulent, and Americans filed 207,000 reports on cybercrime to FBI."
This discussion has been archived. No new comments can be posted.

  • by Sheetrock ( 152993 ) on Monday November 28, 2005 @07:13PM (#14133410) Homepage Journal
    I've been around the Internet for a long time -- since the early 90s in fact -- and am thus quite aware of the ruinous activities it has been subjected to by the typical user since then. You know, things like people popping into a random USENET group and treating it like a tech support line, or in the larger picture basically assuming the entire network is there to serve as some form of entertainment.

    When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.

    It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.

    Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.

    It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares to be a bus driver give it a try. Why are things always so difficult when it comes to computers?

  • by RealisticCanadian ( 850967 ) on Monday November 28, 2005 @07:22PM (#14133470) Journal
    I've yet to understand the supposed principle that the Powers That Be or the Media could possibly figure out any kind of accurate figures on illegal activities.

    Dunno 'bout the rest of you guys here, but I never told the police or the press how much profit I made back when I was a small time dealer (can't touch me, young offenders act! :p)

    If I didn't, you can be damn sure that big-time or organized criminals do not share these figures either.

    Neither do the users. (How many crack-heads report the amount they spend on their habit?)

    So what the hell is the premise on which these "statistics" have ever been based?

    I can think of a few ways to fudge up some statistics about people screwed outta their money on the net, but I can't see a way to truly gauge that either. Again, if I fell for the "send me a grand and I'll send you a million" I sure as hell wouldn't tell anyone I was that stupid.

    Hence, I dub the entire original article as BS, just like the 'War on Drugs' and even the 'War on Spam' /end rant :p
  • by FooAtWFU ( 699187 ) on Monday November 28, 2005 @07:23PM (#14133492) Homepage
    In 2010, you will probably still be able to send the same sorts of pretty messages pretending to be from J Random AOLer's bank or John Q Public's eBay account, which link you to a site that looks almost exactly the same, and which scrape their email and passwords. The exact same message? Probably not. But take a look at the dozens of Nigerian-419 scams which are still basically unchanged since their inception...

    Petty crime has plenty of 'local' variables like where the police hang out, which places have alarms and electronics, et cetera, but most have similar principles; electronic crimes have different rootkits and different websites to fake and emails to send and addresses to harvest and spam filters to bypass, but again, most have similar principles. Unless you're manufacturing the (crowbar|rootkit/botnet) things won't change much.

  • Things are so difficult when it comes to computers because people are so insistent on having their own computers for their own data but don't want to learn how to keep those computers secure. They are voluntary fools.

    However, I do agree that we have no reason to put executable code in documents.
  • by fafalone ( 633739 ) on Monday November 28, 2005 @07:34PM (#14133589)
    Huge difference there. Hacking directly infringes on another person's rights; the drug war attempts to legislate control over what people do with their own bodies. If drugs were legalized, doing things like slipping a girl roofies would still be illegal. Drugs hurt others only to the extent that other freedoms, such as speech, can.
  • The test is bad (Score:5, Insightful)

    by jmv ( 93421 ) on Monday November 28, 2005 @07:36PM (#14133603) Homepage
    In related news, only 4% of Internet users can flag 100% of phishing e-mails as fraudulent

    Had a look at the test [mailfrontier.com] and this is not surprising. Basically, they just take a screenshot of the mail reader window, ripping out any info (headers, html source) that could be of any help. Not to mention that as long as you assume anything you get from your bank/ebay/paypal/... is *potentially* a phishing e-mail, you don't have to actually be able to tell the difference. Education should not be about recognizing phishing emails because phishers will always be ahead. However, if you *never* click on a link and always use bookmarks (to bank and all) you have, then there's nothing a phisher can do. Of course, education should also be for institutions like my bank which includes its website URL in emails they send me (they're encouraging their customers to learn bad habits).
  • by Quiet_Desperation ( 858215 ) on Monday November 28, 2005 @07:36PM (#14133606)
    I have to agree here. Accidentally considering a genuine commercial email as fraud is not an "error" under any realistic sensibility. You know they did the test that way intentionally just to get an artificially low number.
  • Re:4% is bogus (Score:3, Insightful)

    by mysqlrocks ( 783488 ) on Monday November 28, 2005 @07:37PM (#14133613) Homepage Journal
    I took the test and got all but one correct. I identified one legitimate e-mail as a phishing attempt. When given the choice I guess it's better to err on the side of caution. Anyways, it's not very realistic. The one I got wrong had the last four digits of an account number in it. If I'd gotten the e-mail I'd open up my wallet and see if my account number matched.
  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Monday November 28, 2005 @07:38PM (#14133622) Homepage Journal
    What does your "believing" in it have anything to do with whether it exists?

    Belief means placing trust or confidence in something. I don't believe (trust) that cybercrime exists beyond the basic property crimes we already have laws against.
  • Singapore (Score:1, Insightful)

    by Anonymous Coward on Monday November 28, 2005 @07:38PM (#14133625)
    I don't know about America, but in Singapore the only real difference between CyberCrime and Drugs is that hackers and criminals are rewarded with $10,000 prizes [people.com.cn] while drug mules [wikipedia.org] are hung.
  • by RingDev ( 879105 ) on Monday November 28, 2005 @07:43PM (#14133660) Homepage Journal
    That test is a waste. The 'emails' are image files, so you can't see where the actual links point to, you can't see the email header or the true from address. Anyone who nails 100% is more lucky than savvy.

    -Rick
  • by jabbo ( 860 ) <jabbo AT yahoo DOT com> on Monday November 28, 2005 @07:44PM (#14133669)
    > I suggest that the field and the general user experience would be greatly enhanced by
    > limiting access to compilers/assemblers (by means of pricing and with the cooperation of
    > the open source community) and by separating macros or other executable content from
    > documents.

    [eg. the premise: artificially raise the cost of compilers and nastybad people will stop writing viruses, etc. just like gangsters in New York improvised zip guns when guns cost too much... oh, wait, that's a bad analogy... bad people just make do.]

    You should also consider separating "clueless" from "malicious" in your thought process. HTH.

    > Think about it; in what other field do we "educate" "users"?

    Other than prenatal care, disaster response, home safety, poison control, vehicular operation, wildfire control, diabetes management, power tools, gun storage, and how to program your VCR? Can't think of any offhand...

    > We don't try to educate people
    > with electrical outlets and let any curious individual perform as a licensed electrician.

    But we'll sell wire cutters and conduit to any moron at Home Depot, along with a Hole Hawg and a 3 foot masonry bit. Surprisingly, a license is not required to burn down your house as a DIY repairman, nor is it required to pack a thousand pounds of fertilizer, some gasoline, and some nails into the back of a van, detonate it, and cause much worse harm.

    Cars are deadly weapons, as are guns; both require a license to operate, but in neither case does that eliminate fatalities caused thereby. (In fact, on the evening news last night, I noticed that a Class C licensed bus driver rolled over an embankment, killing 2 people and one fetus, injuring the other 39 people on the bus. More than likely, a smaller percentage of licensed commercial drivers do this than, say, unregulated Pakistani mountain bus jockeys, but I have no useful measure of the protective effect conferred by this certifying process.)

    Bad people will still be bad people, and "the cooperation of the opensource community" is not something I think you can depend on for this venture. (cf. PGP and SSL export restrictions)

    Stack protection, virtualization, perhaps legal penalties for willfully distributing software known to pose a risk to the users without their awareness or education (cf. the Theramed); maybe an overhaul of the communications system, and use of (NON-unicode) certificates required for financial communications. I don't know for certain, but I do believe that your rant about compilers holds little relevance to phishing at this point in time.

    Full disclosure: I learned to program on an HP-80 and a Timex-Sinclair ZX-81. I was using Usenet before AOL 'broke' it. And I still think you're chasing the wrong idea.
  • Re:4% is bogus (Score:3, Insightful)

    by remahl ( 698283 ) on Monday November 28, 2005 @07:47PM (#14133692)
    So what if the phisher had intercepted a previous mail from your bank, containing the bank account number suffix?

    If they gain control of a large mail server or active router, they could easily and reliably associate thousands of account digits with the correct email addresses, and use that information to gain credibility. Email that's this important should be sent encrypted for the receiver and the signature verified against a certificate exchanged when the account or service was established.
  • Re:Oil (Score:4, Insightful)

    by nycguy ( 892403 ) on Monday November 28, 2005 @07:50PM (#14133719)
    While I have no love for the regimes of oil-producing countries in the Middle East and South America, the notion that importing less oil will seriously affect the funding of global terrorism is nonsense. According to the 9/11 commission, the attacks on the US were funded with only about $500,000 (link [cnn.com]). I would venture that the global "budget" for terrorism is only in the low tens of millions of dollars, which is a drop in the barrel compared to the many billions of dollars oil exporters are making. A better argument for importing less oil is that we should not support the prosperity of regimes that have turned a blind eye on terrorism and that deprive their populations of democratic institutions (even if free democracy might result in theocratic leadership in the short term). However, I think that just working to ensure that the income generated by oil is more evenly distributed among the populations of exporters would go much further toward eliminating terrorism than trying to indirectly strangle the funding of groups that can already do quite a bit of damage on a shoe-string budget.
  • by unitron ( 5733 ) on Monday November 28, 2005 @07:50PM (#14133722) Homepage Journal
    "I recommend we limit posting access to all users who have a greater than 3 digit ID."

    So in order to have posting access you'd have to abandon your #638 account and get another one?

    I wonder if Cmdr Taco has already reserved # 1,000,000 for himself to avoid being trapped in the 1-999 ghetto.

  • Re:4% is bogus (Score:2, Insightful)

    by KenAndCorey ( 581410 ) on Monday November 28, 2005 @07:57PM (#14133796)
    I think most of us failed the same two: #3 and #9 I believe. One of the legit emails had a link to a different domain AND went to a non-standard port (8082). I'm sorry, but just because something is technically legitimate doesn't mean I should have trusted it. I don't open ANYTHING that tries to open a non-standard port. Also, I find it really easy to spot phishing since I don't have an account at Capital1 or EBay or Bank of America.
  • Re:10% (Score:2, Insightful)

    by eagle0468 ( 783230 ) on Monday November 28, 2005 @08:06PM (#14133861)
    This is just opinion based on perception, but I would guess that the black market may be equal in volume of sales, but lower in capital gains due to the prices being so much less. Also, I would predict that both of those levels fluctuate with the rise and fall of economies throughout the world. I.E. the black market in China may be dwindling with the rise of capitalism there. Whereas, it seems the black market in Russia is thriving due to the lack of governmental oversight and increase in corruption. Of course these are just opinion, think what you may.
  • Re:4% is bogus (Score:5, Insightful)

    by Agelmar ( 205181 ) * on Monday November 28, 2005 @08:08PM (#14133876)
    I have a real problem in that they expect me to be able to tell just by looking at a screenshot from (what I believe to be) Outlook Express. I can't hover over links to see if the URL matches the displayed text, I can't look at the message source, and I sure as hell can't see the headers. How am I supposed to be able to tell for sure without this? Sure, I can get most of them, but #3,9 for example would be very nice to see the headers of.
  • by Mr. Cancelled ( 572486 ) on Monday November 28, 2005 @08:40PM (#14134064)
    One's a crime of greed, while the other is a crime of demand (although plenty of people get into the drug business solely for the income potential).

    If there wasn't a demand for drugs, there would be no drug trade. Conversely, the only reason to steal from others is always greed. Some might steal for fun *cough* winona ryder *cough*, but theft (in person, 3rd person, or via cybercrime) is almost always due to greed. Big difference there... One's there as a result of people's wants, and demands. The other is largely parasitic, and exists solely to leech off people.

    Personally, I'd rather see my government invest more of our tax dollars into protecting our identities, and investments, as opposed to busting generally harmless dope smokers, and their suppliers (In case you didn't know, marijuana smokers are the most commonly targeted drug demographic these days, and the majority of our tax dollars, go towards fighting marijuana, while proven "bad drugs", such as meth, ruin lives, and run rampant throughout the country).

    The reason for all this is greed. The big companies almost write their own laws these days, and meanwhile more and more of our freedoms are lost, as our lawmakers focus on giving their funders (not constituents!) what they want. And surprisingly, things like Cybercrime continue to grow, and be largely ignored (Note, I'm talking real crimes, such as identity theft, phishing, and so on. Not downloading music and videos, which IMHO should be near the bottom of our list of priorities).

    Personally, I'd like to see a major change in how we handle crimes in this country: Elevate identity theft, and other life-altering crimes to the level they deserve, focus our energies and money on bettering our country, and removing our dependence on other countries for our very existence, and stop focusing on the average downloader as being the worst thing to hit the US since Pearl Harbor. Meanwhile, start fighting the real drug problems that are facing our country: Meth, Cocaine, Heroin, and so on, rather than going after the "low hanging fruit", marijuana users, which are largely chosen simply for the ease of busts, and the profit available to cops for doing so.

    It's all about priorities, and right now our lawmakers top priorities are largely themselves, as evidenced by recent [cnn.com] events [cnn.com].
  • by Anonymous Coward on Monday November 28, 2005 @09:36PM (#14134340)
    In other related news, fewer than 4% of slashdot users could correctly identify sarcasm.
  • by pyrosim ( 856745 ) on Monday November 28, 2005 @09:44PM (#14134379) Homepage Journal
    Well, first of all, "ARRHGHGHGHGHGHHHHH the tinfoil hat, it BURRRNNSSS", and

    Secondly, if we raised the barrier of entry to the internet to require programming certifications, we would not need to worry about the worms and virii, because anybody worth their certification would have far less of a likelihood of having a problem with such things, and the virii would have much less shelter to propagate from.

    Third, how are you going to make it that only licensed people are allowed to program? Seize the computer of anybody who tries to write a program? Make compilers and assemblers highly contraband and only allow licensed individuals have them? Shut down internet based tutorials for programming languages because they are not officially approved by the certification body, and we can't allow people to learn basic programming on their own? Fourth, what the hell good would educating bus passengers do? Educated computer users ARE better at avoiding worms and virii, are educated bus passengers gonna be better at preventing crashes? I would like to know how that works. Using an electrical outlet to plug in an electronic device is nowhere near what an electrician is supposed to train for, and knowing not to click on the "PUNCH TEH MONKEY AND WIN $999999999 $$$$$ DOLLLARS!!!!" flash ads, is nothing near coding.

    Your post frightens me severely, and I sincerely hope that this is not a majority opinion.
  • by Pig Hogger ( 10379 ) <pig.hogger@g[ ]l.com ['mai' in gap]> on Monday November 28, 2005 @10:06PM (#14134474) Journal
    Hey Ma! Look at what the cat dragged-in!!! A libertarian asshole!!!

    Libertarians (in reality, cheap-labour conservatives) only want a government to protect them from their slaves.

    Now, crawl back from that rock you came under.

  • by Phanatic1a ( 413374 ) on Monday November 28, 2005 @10:10PM (#14134491)
    only 4% of Internet users can flag 100% of phishing e-mails

    I took the test [mailfrontier.com] the linked-to article cited as the source of data for that 4% claim. I only scored 80%. Does that mean I flagged only 80% of phish attempts? No, it doesn't. I flagged 100% of the phishing attempts as exactly what they were.

    I had two false-positives, which lowered my score. But false-positives are quite a bit safer than false-negatives. In each case, the 'legitimate' email linked to different domains than the origin; the one from Bank of America linked to bankofamerica1.com, and the one from CapitalOne linked to a really odd domain, bfi0.com. That second one is a *huge* red flag, regardless of the content of the email, you'd have to be very trusting or do some extra research in order to *not* flag it as a phishing attempt.

    Only 4% of users might score a 100% on that quiz, but that's not at all the same thing as saying that only 4% of users can't flag all phishing scams as such.
  • Re:So, when I (Score:3, Insightful)

    by geighaus ( 670864 ) on Tuesday November 29, 2005 @05:06AM (#14136180)
    a high possibility of chemical addiction or overdose

    OK, let's take a brief look at Schedule I:

    MDMA, MDA, TMA, DMT, LSD, Psilocybin, Mescaline, DOET, 2CB, THC, DOB and many many others - none of these substances produce a chemical dependency. Nor is it trivial to get OD'ed on those substances. Furthermore, harm of many psychedelics and empathogens (MDMA would be the most well-known example) is not proved despite extensive research. Makes you think when you compare them to alcohol and tobacco.

    Now let's consider alcohol and tobacco. Overdosing on alcohol is very very common (something that you see every weekend if you go out). Another thing is that alcohol is an integral part of our culture, so nobody freaks when they see an overdose. Physical dependency to alcohol is well documented and not something rare too.
    Nicotine overdose is very rare indeed, at least when smoked. But if you try any other administration route, you'd find that it is quite easy to get OD'ed on it. I take it nothing needs to be said on addiction potential of nicotine.

    The original motives for prohibition are sketchy. The benefits of marijuana, for example, were publicized before WW2, but still it got prohibited shortly after the war was over. According to one version, prohibition of coke, opium, marijuana and later psychedelics in 60s was used as a means of race and social oppression. I have no information backing up or discarding this version, but considering the racist sentiments in the US in the first half of the 20th century, it is not something to completely discard.
    GHB prohibition is interesting as well. Despite numerous scientific publications on medical use of GHB, it was placed in Schedule I. Quite an interesting coincidence is that GHB prohibition happened at the same time as new sleep-aid drugs hit the market in the US. Makes you think again.. Also it should be noted that no overdoses on GHB are documented in 80s despite the widespread use.

    Those were just examples. If you take a closer look at the whole drug-prohibition policy, it hardly is beneficial for anyone except the state and companies which are in the drug-fighting business. Hopefully this helps.

    PS: Amounts of coke in the original Coca Cola were minuscule and cocaine does not produce a physical dependency no matter how much you abuse it. Sugar and caffeine is probably more addictive than amounts of cocaine that were found in the original coke. You should know your subject better.
