Feds feel bite of cybercrime
- By Patience Wait
- Jun 23, 2005
There is something about the Federal Deposit Insurance Corp. that seems to attract cybercrime.
Earlier this month the agency had to notify 6,000 current and former employees of a data breach that could put them at risk of fraud or identity theft.
The FDIC also has been used as a decoy in phishing schemes by con artists looking to separate consumers from their money. Spam e-mail claims to come from the agency, warning that user bank accounts are going to be frozen while the Homeland Security De-partment investigates violations of the U.S. Patriot Act.
But the financial agency is not alone. The FBI and other federal agencies have been used as decoys in other scams.
Despite these examples, government agencies apparently have been slow to realize that they, too, could be vulnerable to Internet scams, spoofs and spyware.
The Government Accountability Office recently weighed in on cybercrime, finding that federal agencies do not appreciate the dangers of phishing and other cyberthreats.
'Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs,' auditors said in report released last month.
Of the 24 federal agencies surveyed by GAO, 19 identified the nonsecurity effects of spam, such as reduced system performance and the cost of filtering e-mail, as problems. When it came to phishing, 14 agencies said that the scam had limited or no effect on their systems and operations. As for spyware, 11 agencies said it caused a loss of employee productivity or required more help desk support. One agency 'stated that spyware was simply a nuisance to its users,' GAO said.
Phishing is the fastest-growing, largest fraud activity in U.S. history, according to a government expert speaking at the Techno Security 2005 conference in Myrtle Beach, S.C., earlier this month.
Stanley Crowder, a special agent with the Secret Service's Electronic Crimes Task Force section, told a standing-room-only audience that the agency estimates that phishing schemes raked in more than $3 billion since April 2003, by blasting out 57 million e-mails. It has grown 15 percent a month for the past 10 months, or close to 300 percent overall.
And phishing is not the only threat. A new Internet con, domain spoofing, called 'pharming''in which traffic going to a legitimate Web site is redirected to a fake site'is beginning to spread.
Then there's spam, spyware and malware'malicious software such as viruses, worms and Trojan horses.
He warned that malware is now in over 50 percent of phishing attacks. But 'malware is hard or impossible to detect via anti-spyware.'
Many of these schemes are originating in other countries, particularly Eastern Europe, Crowder said. 'In 2004, there was a 'how-to' conference in Kiev, Ukraine.'Hostile interests
Addressing Techno Security attendees, Chet Hosmer, president and CEO of WetStone Technologies Inc. of Cortland, N.Y., also spoke about the dangers of cybercrime, and the possible connection to interests hostile to the United States. From September 2004 to May 2005 there were almost 3 million documented downloads of password-cracking software, more than 2 million downloads of key-logging software and more than 1.2 million downloads of spyware, Hosmer said. 'Those download numbers are only the tip of the iceberg. They're only collected from a handful of download sites willing to give us the data, [so] we're only looking at a small piece of the puzzle,' he said.
There are dozens, if not hundreds of other Web sites, that also provide these free tools, and their data is unavailable, he said.
The most common cybertool that could be used for illicit intent was password-cracking software, Hosmer said. In 2004 alone, almost 140 new applications used to crack passwords were released, most as downloadable freeware. While there are legitimate uses for this, such as systems administrators who need to gain access to files when a user has forgotten his password, Hosmer said, the illegal opportunities are obvious.
Much of these activities are related to the explosive growth of Internet-based crime, and it is reasonable'indeed, likely'to suspect that enemies of the country are participating, Hosmer said. While the bulk of these tools originate in the U.S., there has been significant growth in tools developed in Asian and European countries.
'Is it such a stretch to think that someone sees these as weapons that can be used against government systems?' he said. 'Because we haven't heard that it has happened yet is no reason to not guard against it.'
GAO recommended that agencies include emerging threats in their required risk assessments and planning required under the Federal Information Security Management Act. It also called upon the Office of Management and Budget, the Homeland Security Department and the attorney general to develop guidelines for comprehensive incident reporting.GCN staff writer William Jackson contributed to this article.