Cybercrime wave gathers force

Cybercrime is big business. It is costing consumers $110bn a year and affects almost 1.5m people a day, Symantec, the online security group, reported last year.

Bank accounts are being compromised, credit card details leaked and mobiles hacked. As people spend more of their lives online – banking, shopping and talking to friends – so too do criminals. “Cybercrime follows the money,” says Greg Day, a chief technical officer at Symantec.

Gangs now operate internationally, often using substantial infrastructure. In 2012, McAfee, the antivirus software and security group, and Guardian Analytics, the online banking security company, uncovered a fraud involving the use of 60 servers to make thousands of attempts to steal from the bank accounts of the wealthy. “It is quite easy for hackers to build economies of scale,” says Mr Day.

The scam started in Italy and spread to accounts in Germany, Latin America and the US. It bypassed security measures such as “two-factor authentication” – the keypad used for online banking – and attempts were made to steal at least $60m. In total, almost $2bn could have been at risk.

The ethics of cybercrime might explain its prevalence. “If I were to mug a little old lady in the high street, I’d feel bad,” says Mr Day. “But if I steal £50 from Mrs J Smith’s bank account, I don’t know if she’s 72 – I’m never going to meet her. It doesn’t feel such a wrong thing to do.”

Hackers are getting savvier, says Graham Cluley, an expert in cybercrime at Sophos, which makes security software. “Criminals are using the same malware as in the past, but they are getting much cleverer in what code they are injecting into web pages.”

Cybercriminals are not just attacking through web browsers, however. Hackers are turning their attention to the Android mobile operating system now that it has around half the smartphone market. The rise of mobile banking and payment with smartphones means cybercrime on these devices will become more prevalent in 2013, analysts predict.

Android devices, for example, suffered a higher rate of malware attacks than PCs in Australia and the US last year, according to Sophos. Malware often takes the form of an app or might appear as a link promising pornography, for instance. Another common malware trick is to get devices to send text messages to a premium-rate number.

Even normally vigilant technology users are sometimes snared: nearly half of all mobile users are not even aware that security software exists on smartphones.

The adoption of high-speed 3G and 4G mobile networks adds to the risk. “What does this all mean?” asks Jens Montanana, chief executive of Datatec, the networking technology company. “It means much more opportunity for airborne cybercrime.”

The authorities are attempting to fight back. Europol, the EU law enforcement agency, has recently busted a Europe-wide scam run by Russians that involved installing malware on PCs to lock them, then, in the form of a fake police warning, demanding €100 from users to fix the problem. Europol estimates some 3 per cent of victims paid up. With tens of thousands of victims, that means a healthy profit for the criminals.

Interpol, the International Criminal Police Organisation, meanwhile, will launch a dedicated cybercrime unit in 2014 in an attempt to enable a coherent response to a global threat. While cybercriminals nearly always leave a trace, that does not mean tracking down the perpetrator is feasible, explains Mr Day: “[They are] always traceable, but it’s about how much time and effort you can put in. If you cross international boundaries, it becomes very tough. Smart criminals know which are the safer countries to work from.”

Distance is no obstacle for hackers. “You can attack someone from anywhere,” says JR Smith, chief executive of AVG, the online security group. The bulk of Android attacks stem from .ru domains hosted in Ukraine, according to Sophos. In total, just three countries accounted for more than half of the world’s hacks in 2012, according to NCC Group, the security company: Russia, China and – the biggest source – the US.

Not all cybercriminals are motivated by money, however. “Some do it for the fun, or for intellectual curiosity,” says Ashley Stephenson, chief executive of Corero Network Security, an online security group that specialises in preventing denial-of-service attacks – where vandals try to overload a website with requests, blocking genuine visitors.

So-called “hactivists” – online activists – took down MasterCard’s and Visa’s websites in 2010 using this method, after the payment companies refused to transfer money to WikiLeaks, the media organisation.

Regulators are cracking down on companies that are lax with consumer data. In the UK, the government has increased pressure on firms to tighten security. The Information Commissioner’s Office can levy hefty fines even on small businesses if they fail to keep customer data safe.

In 2011, for example, hackers broke into the Sony PlayStation Network and copied the personal details of around 77m users. The encrypted details of nearly 13,000 credit cards were also copied. This January, Sony was fined £250,000 by the ICO for the breach.

It is not fear of fines that drives compliance, however, says Ann Bevitt, a partner at Morrison & Foerster, the law firm, but the potential damage to the brand that a breach can do. “It is annoying when the government loses our data, but we don’t have a choice [about that] – we do have a choice in lots of consumer areas,” she says.