“Mafia-style” cybercrime organizations


In Las Vegas during the last McAfee Focus’09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime was now managed by individuals driving their groups according to highly professional business models.

One of the most interesting talks was given by my colleague, Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian scareware company the Federal Trade Commission accused of spreading some massive “scareware” schemes. Alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The US District Court for the District of Maryland approved the FTC’s request to call a halt to the companies’ activities and freeze the assets of those behind the scams.

With more than 600 employees in real offices, subsidiaries in various countries such as India, Poland, Canada, the USA and Argentina, and complete with customer call centers, the company, Dirk explained, received approximately 4.5 million order IDs in 11 months, or in other words $180 million (4.5M * $40 = $180,000,000). Technical support, a professional website and LinkedIn profiles for the company and its staff provided a legitimate front for people not working in the anti-malware industry. Following its legal troubles, the company is now defunct, and many employees have joined a new entity with the same production targets.


The same day, Dmitri Alperovitch gave an overview of the cybercrime landscape in Eastern European countries. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy and the USA.

Well organized and equipped with sophisticated cloning devices, they received the personal data from Russian accomplices. The counterfeiters spent the money diverted from ATMs on striptease clubs, luxury cars, luxury hotel accommodation, food and fine drinks.

In the second part of his talk, Dmitri presented an events timeline of the Eastern Europe carding underground:

He discussed CarderPlanet and its hierarchical structure, set up like a mafia (source for the picture: NICSA-FBI-SSA, Michael J. McKeown).

CarderPlanet was shut down in 2004, and the FTC complaint for the injunction against IMU dates from December 2008, but cybercrime gangs will always rise from their ashes.

Around Kiev, the making of fake antivirus software is still flourishing. The latest statistics on rogue antivirus that Craig Schmugar and Anthony Bettini presented in their session are unequivocal.

On the carding/phishing side, the latest news also demonstrates the size and the worldwide organization of today's cybercrime gangs.

  • In France, about 70 individuals were recently indicted. They were mules who sent the money they embezzled to Ukraine and Russia via Western Union.
  • Still in my country, a gang of Slovakian gangsters from Britain was under investigation after bank cards were used to take more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans descended on Calais from Dover early on September 11 before emptying cash points across the region. 34 were arrested, all using Barclays bank cards. According to the Judicial Police in Lille, “Mafia-style” masterminds had used dozens of “mules” to empty machines at a range of banks.
  • This month, in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina, and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here too the group was very organized, as demonstrated by a chart created with i2 Analyst’s Notebook by Gary Warner.

All these examples support the position that Dave DeWalt discussed during the Wednesday General Session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism and organized warfare.” Identity theft, phishing and fake alerts all go through the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at Focus’09 Dave DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as “the NATO” of security software, a call for a universal architecture for security standards, and confirmed that McAfee is focused on improving partnerships and establishing a broader community through this innovative technology partnering program.


Written on Monday, 19 October 2009 08:05 by GSO
