Cyber Threats

Issues and Explanations

  • 1. Cyberwarfare
  • 2. Terrorism and the Internet
  • 3. Cybercrime & Organized Crime
  • 4. Online crime against children
  • 5. Tools & Techniques

Cyberwarfare

A great deal of debate circles around the concept of cyberwarfare – and definitions are rarely agreed upon. While some claim that cyberwarfare is the fifth domain of warfare (after land, sea, air and space) others simply claim that the term is an attempt at sensationalism. From a more specific perspective, cyberwarfare refers to any action by a nation-state to penetrate another state’s computer networks for the purpose of causing some sort of damage. However, broader definitions claim that cyberwarfare also includes acts of ‘cyberhooliganism’, cybervandalism or cyberterrorism.

Cyberwarfare can consist of many threats, namely:

  • Online acts of espionage and security breaches – done to obtain national material and information of a sensitive or classified nature through the exploitation of the internet (e.g. exploitation of network flaws through malicious software).
  • Sabotage – the use of the internet by one nation state to disrupt online communications systems of another nation state (e.g. military communication networks) with the intent to cause damage and disadvantage.
  • Attacks on Supervisory Control and Data Acquisition (SCADA) networks and Nuclear Control Institutes (NCIs).

SCADA networks are national industrial control systems – computer systems (consisting of hardware, software and communication components) designed to monitor and control various critical infrastructures or facility-based processes. They include the computer-based systems that run such critical infrastructure as power generation plants and transmission networks, refinery plants, oil and gas pipelines, and transport and communication systems.

In the past, such SCADA networks operated in isolated environments – with different points communicating to each other within segregated networks, and rarely sharing information with any system outside a specific network. With the advent of internet-based systems however, these SCADA networks have gradually become more and more interconnected with the outside world and integrated into larger global networks. Consequently, their vulnerability to cyberattacks has increased drastically.

SCADA networks perform centralized monitoring for wide-ranging networks, which can be spread over long distances. The systems send supervisory commands to field devices based on information they receive from the remote field sites in which these devices are located. For instance, a central SCADA system can control the opening and closing of valves in power plants located hundreds of kilometers away. Consequently, if such a centralized system is compromised by a cyberattack, the attacker could potentially have control over the valve systems of those particular power plants – and may choose to use that control to cause widespread damage. Alternatively, the networks may be infected unintentionally by viruses or worms causing massive and widespread damage.

An example of an intentional cyberattack on a SCADA system occurred in January 2000 in Queensland, Australia, when a disgruntled ex-employee of a sewage treatment plant covertly took control of the plant’s operating systems – opening and closing valves and disrupting communications systems. The attack resulted in 264,000 gallons of raw sewage flooding a nearby river. Another, more recent example is the 2010 Stuxnet virus, which was allegedly designed specifically to infect the SCADA networks of Iran’s nuclear infrastructure.

SCADA networks are the vital underpinnings of our society and lifestyle; yet, they are notoriously difficult to secure due to the increasing complexity of their system architectures. There is a general lack of discussion on issues related to SCADA vulnerabilities, and it is important that effective strategies and measures are developed to greatly improve the resilience of these vital assets before they become victim to either intentional or unintentional cyberattacks.

Terrorism and the Internet

The presence of terrorist groups on the internet should not be confused with the term ‘cyberterrorism,’ which specifically refers to terrorist acts committed online with the purpose of inciting fear, causing harm, and furthering a social, ideological, religious, or political objective. Terrorist presence on the internet generally refers to the different internet mediums that terrorist groups and supporters have adopted to advance their cause through activities such as fundraising and publicity. This page explains the different motivations for terrorist use of the internet, and why the internet is such an ideal platform for terrorist activity.

Why is the internet so attractive to terrorist groups?

For a variety of reasons, the internet is an ideal arena for numerous terrorist activities:

  • There is very little regulation or censorship
  • An internet presence is inexpensive to develop and maintain
  • There is a high level of anonymity with regard to communication
  • Information can reach large audiences throughout the world
  • It is very easy to access the internet globally
  • It allows for the use of different media (images, text and videos etc.) to convey messages
  • It provides for the immediate flow of information

How have terrorists established a presence on the internet?

Terrorist organizations and supporters have established a presence on the internet through several mediums. Most notably, they have established a direct presence through:

  • Official terrorist websites – directly run by terrorist organizations or extremist religious scholars.
  • Unofficial terrorist websites – examples include discussion forums and blogs, which address issues of terrorism (usually from a pro-terrorist perspective).
  • Distributor websites – these provide links to the abovementioned sites, as well as to other terrorist material such as online magazines and videos.
  • Social Media – terrorist organizations use platforms such as YouTube, Twitter, and Facebook in order to gain publicity, distribute propaganda, and reach out to prospective recruits, etc.

It should also be noted that a terrorist presence exists indirectly on the internet through commercial media reports; governmental websites presenting and commenting on terrorist activities; and extreme Anti-Terrorist websites, which generally adopt a radical political perspective.

How do terrorists use the internet to advance their causes?

Some of the main reasons terrorist groups use the internet are listed below:

  • Recruitment: Terrorists use the internet as a major source of recruitment in several ways – for instance, through identifying potential sympathizers in discussion forums. Would-be supporters also use the internet as a means to make themselves known to terrorist groups as potential members.
  • Fundraising: Terrorists utilize the internet to receive funding for their causes – either through the use of internet banking to transfer finances, or through setting up specific web pages disguised as charitable foundations and designed to accept donations.
  • Networking, Communications and the Sharing of Information: Due to the ease of access and levels of anonymity, terrorists utilize the internet as a means to stay in contact with one another, as well as with other terrorist groups operating around the world. The internet is also used to share information, documents and manuals on such things as survival strategies, and the best ways to plan an attack (e.g. the Terrorist’s Handbook).
  • Data Mining: The internet is a vast source of information on all topics, and is utilized by terrorists to gather any information that may be relevant to their cause or to future operations – such as satellite images, maps and blueprints of future targets.
  • Planning and Coordination: Terrorists have been known to use the internet as a major tool to plan and organize attacks – for instance, through the use of public email addresses and chat rooms to provide instruction, issue orders and plan upcoming operations.

Publicity:

  • The internet can be used to wage ‘psychological warfare’: the dissemination of horrific images and threats aimed at spreading fear – such as the release of ‘execution videos’ in which Islamic fundamentalist groups behead kidnapped Western victims – is one example.
  • The internet can be used to garner support: terrorists spread publicity that attempts to emphasize issues of victimization and ‘injustice,’ arousing the emotions of both supporters and potential supporters.

Cybercrime and Organized Crime

Cybercrime has become a billion dollar industry – therefore it is of no surprise that organized crime groups are increasingly seeking a share of the illicit profits. Attracted by the high rewards and low risks that many online criminal ventures provide, more and more organized criminal groups are focusing less on traditional criminal activities, and are instead setting up online criminal networks. These groups plan, organize and commit numerous types of online crime – from fraud, theft and extortion, to the abuse of children.

Unfortunately, the structure of such organizations makes their activities very difficult to intercept. Unlike traditional criminal groups, online groups generally operate on a ‘stand alone’ basis, with members rarely coming into direct physical contact with one another, meeting only online. The organizations are usually run by a core group, which divides the different responsibilities of an operation amongst its members (e.g. spamming, web design, data collection). Members run their own outer networks to fulfil those responsibilities – rarely even having contact with one another online.

The decentralized structure of the internet, as well as the high level of anonymity it provides, makes it difficult for law enforcement agencies to locate cybercriminal groups. A group could have networks in a myriad of different countries, whilst using servers based in other countries and jurisdictions. Furthermore, many national jurisdictions lack the legislative framework required to properly prosecute cybercrime. Therefore, a high level of international cooperation and synchronization is necessary to counter these criminal groups. Online organized crime is a ‘moving target’ and it must be addressed by the international community collectively, with harmonized efforts at both the national and international levels.

Online Crime Against Children

Online crime against children generally refers to two main types of offences:

  • Making and downloading images of children being sexually abused (otherwise known as child pornography); and
  • Approaching a minor online with the motivation of soliciting some sort of sexual act, which could occur both online (sexual activity via webcam or text) or offline (meeting up with a child to perform acts of a sexual nature).

The possession of online child pornography is illegal in the European Union, the United States, and many other countries. However, there are many states, particularly in South-East Asia and Eastern Europe, that lack adequate cybercrime laws to counter this phenomenon. As a result, online child pornography has become a billion dollar industry.

It is difficult to assess the full extent of online crime targeting children; however, the Virtual Global Taskforce has suggested that there are over 100,000 websites that carry images of child abuse, noting that roughly 1 in 5 children who regularly use the internet has received some sort of unwelcome sexual solicitation.

UNICRI has collaborated for several years with the International Telecommunication Union (ITU) on a project called Child Online Protection (COP), mostly contributing to the set of guidelines for Policy Makers and Industries.

Please visit ITU’s Child Online Protection page to learn about ways to protect children while they are online, and this page for links on how to report offences against children.

Tools and Techniques

This section offers an overview of some prominent tools and techniques used by cybercriminals to achieve their goals. The following list is not meant to be exhaustive.

Internet Fraud and Identity Theft

Internet fraud refers to all forms of fraud that are facilitated by the use of the internet, and includes all transactions and solicitations involving some form of intentional deception for personal gain or to cause damage. There are many different forms of fraud, but some of the most common internet fraud strategies and scams are outlined below:

Note: For details on the best ways to avoid online fraud, please visit this page.

Phishing

Phishers generally send out millions of e-mails containing messages that appear to originate from legitimate sources (e.g. a well-known company such as eBay or Facebook), with the aim of convincing potential victims to hand over personal information. Some e-mails will even direct readers to a bogus external website, which has been made to look authentic. Like the e-mail, the website will encourage victims to provide confidential information – bank account details, identifying information, social security numbers, passwords etc. – which can then be used by the perpetrator to commit a variety of subsequent fraudulent acts. While it is impossible to record the success rate of these e-mails, it is commonly believed that a successful phishing scheme can receive about a 1 – 10 percent response rate. More complicated phishing campaigns may even involve some form of malware being placed in the e-mail itself, or on the bogus website – which can directly extract the information it needs from the victim’s computer, without requiring the victim to provide the confidential information themselves.

Pharming

Pharmers also rely on bogus websites as a source for stealing confidential information; however, these websites are much more difficult to detect, as they usually do not require a potential victim to click on a link provided in a ‘bait’ e-mail. Pharmers effectively hijack a website by redirecting users to an imitation website, even when the user has entered the correct web address of the website they are seeking. This can be achieved either by changing the hosts file on a victim’s computer, or by exploiting vulnerabilities in DNS server software – DNS servers are the computers responsible for converting websites from their letter-based domain names into the numeric, machine-understandable addresses (e.g. 123.45.1.2) that computers actually connect to. The user may then be deceived into thinking the imitation site is the actual, correct site, entering his/her personal details, which can later be harvested by the perpetrator.
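As an added defensive example (not code from the original page), the script below inspects a hosts file for the kind of local override described above: a well-known domain pinned to a non-loopback address, or any public-looking hostname pinned at all, which a normal hosts file (localhost and LAN names only) should never contain. The watchlist, the local-suffix list and the sample hosts file are constructed for illustration.

```python
"""Spot hosts-file overrides of the kind a pharming attack leaves behind."""
import ipaddress

# Constructed watchlist: sites whose resolution must never come from the hosts file.
WATCHLIST = {"bank.example", "www.bank.example", "mail.example"}

# Constructed list of suffixes that legitimately appear in a home/office hosts file.
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, maps nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def looks_public(host):
    """True for a dotted hostname that is not under a LAN-style suffix."""
    return "." in host and not host.endswith(LOCAL_SUFFIXES)


def find_pharming_entries(text, watchlist=WATCHLIST):
    """Return (line_no, host, ip, reason) tuples for suspicious mappings.

    Rule 1: a watchlisted domain mapped to anything but a loopback address.
    Rule 2: any public-looking hostname pinned to a real address. Entries
    mapped to 0.0.0.0 / :: are ignored, since ad-blocking lists use them.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if ip.is_unspecified:
            continue
        if host in watchlist and not ip.is_loopback:
            findings.append((line_no, host, str(ip), "watchlisted domain overridden"))
        elif looks_public(host) and not ip.is_loopback:
            findings.append((line_no, host, str(ip), "public hostname pinned in hosts file"))
    return findings


# Constructed sample: a normal hosts file with two injected redirection lines.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.20 printer.lan
# Entries a pharming infection might add
203.0.113.7  www.bank.example bank.example   # watchlisted site redirected
203.0.113.9  www.shop.example               # unknown site pinned
0.0.0.0      adserver.example               # ad-blocking entry, harmless
"""

if __name__ == "__main__":
    for line_no, host, ip, reason in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
```

Run against a real machine's hosts file (/etc/hosts or the Windows equivalent) after extending WATCHLIST with the sites that matter to you.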

Online Advance Fee Schemes and Internet Retail Fraud

An ‘advance fee scheme’ modality generally occurs when a victim purchases an item online from the perpetrator, who asks for a cash advance or transfer and never sends the item (which probably did not exist in the first place).

Similar to advance fee schemes, perpetrators of internet retail fraud aim to dupe users (sometimes with the use of legitimate looking websites) into purchasing items or services with their credit card details. The items never exist, and the perpetrator may use the credit card information to purchase other items, or sell the details to a third party.

Online Dating Fraud

Perpetrators use online dating websites to develop relationships with potential victims, who are then requested to transfer money for a variety of fictitious reasons.

Two Common Schemes

Nigerian Letter or ‘419’ Fraud

This common type of fraud may contain elements of phishing and identity theft, as well as an advance fee scheme. Generally, an internet user will receive an e-mail offering them a ‘rare opportunity’ to share in a percentage of millions of dollars that the sender is having trouble transferring out of Nigeria. The scheme aims to convince a willing victim to hand over personal information (e.g. bank details and identifying information) as well as paying a financial installment to cover the expenses for the transfer of the money out of the country. Of course, the ‘millions of dollars’ do not exist; the e-mail sender keeps the sent money and uses the personal information to commit a variety of other fraudulent activities (mainly with the purpose of draining the victim’s credit and debit accounts). While the scheme may seem laughable to some, it accounts for millions of dollars in damages annually.

‘Work at Home’ Schemes

Perpetrators of this scheme will advertise a supposed employment opportunity that will allow individuals to earn large amounts of money through varying work-at-home ventures. They generally set up very genuine-looking websites to trick potential victims as to the legitimacy of the operation. If a victim expresses interest, the perpetrator will instruct them that before receiving employment, the victim must first transfer funds for ‘registration purposes’ or to receive online business packets, or other materials. Once the funds are transferred, the victim receives nothing in return.

Crimeware

Crimeware is malicious software that is utilized by an individual to commit cybercrime. It is not a program that involuntarily enables crime (such as email or instant messaging software), but one that deliberately enables the commission of an offence, such as keystroke loggers, backdoor programs, bots, spyware and Trojan horses (the last three are explained below).

Crimeware can be installed on a victim’s computer in a variety of different ways, including:

  • Attacks sent via email – usually disguised as valid emails with malicious attachments or links.
  • The exploitation of open ports on peer-to-peer file sharing networks.
  • Vulnerabilities in web applications (including web browsers such as Mozilla Firefox and Internet Explorer).

Bots

Bot programs allow cybercriminals in remote locations to command infected computers to perform a wide variety of tasks – including sending spam, or contributing to a coordinated ‘denial-of-service’ attack. The aim of bots is to remain hidden until they are activated by their ‘master’ to perform a task. Internet users whose computer has been infected by a bot will rarely know of its existence.

Bots do not work alone, and are generally part of a wide network of infected machines. This network is referred to as a ‘botnet,’ which is controlled by a master computer, the so-called ‘command and control server’. Some botnets have been discovered consisting of hundreds of thousands of computers. Botnet owners (‘botnet herders’ or ‘botnet masters’) can either use the network themselves for cybercriminal activities, or rent it out to others for a fee.

Trojans and Spyware

Trojans, named for the famous Greek tale of the Trojan Horse, present themselves as legitimate programs that appear to perform desirable functions. Once they are installed, however, they facilitate unauthorized access to the user’s computer.

Trojans are often delivered to victims through a disguised email, which can install the malicious program onto the unsuspecting victim’s computer through vulnerabilities in web browsers. Once installed, the main purpose of a Trojan is to remain hidden, while simultaneously installing other, stronger threats onto the computer (such as bot programs or spyware).

Spyware programs, once installed, will covertly monitor the activities of unsuspecting victims. They may monitor internet behaviour (e.g. e-mails sent, websites visited etc.), as well as gather personal information such as usernames, passwords, account numbers, files and social security numbers. The program will then transmit all the information to another computer, where it can be used for a variety of criminal purposes – or even sold to advertising companies. Spyware can be installed unintentionally in a variety of ways, including through file-sharing services, or by downloading other ‘free’ software.

Please visit the Safety Tips for Internet Users section for information on how to prevent your computer being infected by Bots, Trojans and Spyware.

Cybercrime Black Markets

Similar to the underground markets that exist to sell illegal material in the physical world, online markets exist through which cybercriminals are able to sell illicit items or services, share tips, and exchange information in order to conduct business with one another. Most of these markets exist on the Internet Relay Chat network and differ in levels of accessibility.

Online black markets can be utilized to buy and sell:

  • Email address lists – these can later be used for spamming or phishing attacks
  • Online bank account details
  • Online payment service account credentials (e.g. PayPal and E-gold)
  • Credit card details
  • Root or administrative access to servers

Online black markets also allow individuals to solicit illegal services and engage in recruitment activity for cybercriminal ventures. Most cybercrimes require the efforts of different people performing various roles in order to be successful, and most individuals do not possess the skills required to fill all these roles – as an example, some types of fraud require the services of specialized spammers, web designers, ‘exploiters’, ‘cashiers’ and ‘droppers’. Therefore, cybercriminals also utilize online black markets as sources for obtaining the services needed to carry out their criminal operations.

The global impact of the cyber underground economy has yet to be fully accounted for; however, in its July 2013 report entitled The Economic Impact of Cybercrime and Cyber Espionage, the Center for Strategic and International Studies and McAfee estimated the cost of global cybercrime to be somewhere between $300 million and $1 trillion(1). A more concrete notion of the dark web’s economic scale can be derived from a recent investigation by Hold Security LLC. In Hold Security’s investigation from early 2014, it is estimated that there are currently more than 360 million stolen credentials available for sale on the online black market(2). In addition, an incredible 1.25 billion stolen e-mail addresses are also for sale online, with credentials coming from all the major carriers, inflicting incalculable damage on the global economy(3).

(1) Center for Strategic and International Studies & McAfee (2013), “The Economic Impact of Cybercrime and Cyber Espionage,” p. 5. Available online at: http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf

(2) Finkle, Jim (2014), “360 million newly stolen credentials on black market: cybersecurity firm.” Available online at: http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S20140225

(3) Ibid.
