Before you point the finger for criminal activities overseas, read on. Two reports released this past month suggest that the days of speculating about online criminals in Eastern Europe being responsible for a vast majority of cybercrime are numbered. New data from Symantec and Finjan trace the physical location of servers involved in botnet command and control, as well as in criminal economies such as hosting identity-theft information, right back to the good ol' United States. Of course, there's more to the story.
Fun with numbers
Security vendor Symantec is one of the largest companies in the world, gathering data from 120 million client, server, and gateway systems that have deployed Symantec products, as well as 40,000 additional sensors in 180 countries. In the latest Symantec Internet Security Threat Report, covering the period from July through December 2006, the United States accounted for 31 percent of worldwide Internet attacks, followed by China (10 percent), Germany (7 percent), France (4 percent), and the United Kingdom (4 percent). Between the first and second half of 2006, Germany and the U.K. traded places in the survey. Symantec attributes this to increasing awareness of individual computer security in the U.K. But overall, Symantec says, the number of Internet attacks is going down. During the second half of 2006, Symantec recorded only 5,213 denial of service (DoS) attacks, down from 6,110 recorded in the first half of 2006. A denial of service attack occurs when a large number of requests are directed toward a single Web site, effectively shutting it down.
Typically, a denial of service attack is carried out by enlisting a large number of compromised individual computers known as zombies. In the period surveyed, Symantec saw, on average, 63,912 active zombie computers per day, an 11 percent increase over January through June 2006. A peak for the period occurred in September when several zero-day vulnerabilities against Microsoft Office applications and the Internet Explorer Vector Markup Language buffer overflow vulnerabilities were released. Symantec speculates that a decrease in attacks coupled with an increase in the overall number of zombie computers might mean that attackers are creating and using botnets (collections of compromised computers) as opposed to other methods to stage their Internet attacks.
Command and control
Symantec recorded a total of 6,049,594--yes, that's six million--zombie computers worldwide, a 29 percent increase over the total in the first half of 2006. It turns out that China has 26 percent of the world's zombie computers, more than any other country, and an increase of 6 percent over the first half of 2006. Beijing had the most of any city in China, and alone accounted for 5 percent of the world's zombie computers. The U.S. comes in second at 14 percent, followed by France and Germany with 6 percent each, and Spain with 5 percent. China's lead could be attributed to the recent and rapid growth of individual computer use in that country and the general lack of knowledge regarding computer security among users.
In terms of command and control servers (the means by which the botnets dance and do their criminal activities), Symantec reports there are currently 4,746, a 25 percent decrease. Here, too, the U.S. comes in first at 40 percent. Why would the total number of zombie computers be up but the means to control them be down? Symantec thinks that individual botnets are consolidating, requiring fewer command and control servers. See last week's column for an example of what you can do with a really large botnet. Symantec also suspects that botnets are no longer relying on Internet Relay Chat (IRC): they're using direct P2P and are experimenting with mobile SMS commands instead.
In its survey, Symantec warns that an increasing number of zombie computers are being found within corporate firewalls. By being inside the corporate perimeter, zombie computers can scan the corporate infrastructure for sensitive files and e-mails. Often the target here is personal information, such as HR information.
Bots can also be used to facilitate spam; using a compromised machine within a corporation is sweet because of the high bandwidth. According to the Washington Post this week, computers owned by a few Fortune 500 companies were found to be responsible for some recent spam and phishing attacks.
Security vendor Finjan also released its latest malicious activity survey. Finjan looked specifically at the URLs of sites hosting malicious content and reports that 84 percent of such sites are located within the United States, followed by locations in the United Kingdom, Canada, Germany, and Italy. Of malicious sites found by analyzing search engine results, 70 percent of the sites were hosted in the United States, followed by Canada, the U.K., and Spain. This makes some sense because of the Internet infrastructure within the U.S. and the rapid growth of broadband access here.
Finjan notes that just because a site ends in ".ru" (Russia), that doesn't mean the server is physically located overseas. In creating their report, they claim to have neutralized such obfuscation.
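The same check, as an added example that is not code from Finjan or Symantec: tally a list of malicious URLs once by the country their top-level domain implies and once by the country of the IP address the hostname actually resolves to. The DNS answers, the IP-to-country table (RFC 5737 documentation ranges) and the URL list are constructed for the demo; a real run would swap in a resolver and a GeoIP database.

```python
# Added example, not code from the Finjan or Symantec reports: locate a
# malicious site by the IP its hostname resolves to, not by its TLD.
# DNS answers and the IP-to-country table are CONSTRUCTED (RFC 5737 ranges);
# real use would swap in socket.gethostbyname() and a GeoIP database.
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

FAKE_DNS = {                       # constructed hostname -> IP answers
    "shop.example.ru": "192.0.2.10",
    "login.example.ru": "192.0.2.11",
    "update.example.cn": "198.51.100.7",
    "mail.example.co.uk": "203.0.113.43",
}
FAKE_GEOIP = {                     # constructed network -> country table
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}
CCTLD = {"ru": "RU", "cn": "CN", "uk": "GB", "de": "DE"}


def tld_country(host):
    """Country the naive 'look at the ending' method would assign."""
    return CCTLD.get(host.rsplit(".", 1)[-1], "gTLD")


def hosting_country(host):
    """Country of the server the hostname actually resolves to."""
    ip = ipaddress.ip_address(FAKE_DNS[host])
    for net, country in FAKE_GEOIP.items():
        if ip in net:
            return country
    return "unknown"


def classify(urls):
    """Tally a URL list two ways: by TLD and by resolved hosting country."""
    by_tld, by_host = Counter(), Counter()
    for url in urls:
        host = urlsplit(url).hostname
        by_tld[tld_country(host)] += 1
        by_host[hosting_country(host)] += 1
    return by_tld, by_host


SAMPLE_URLS = [                    # constructed "malicious" URLs for the demo
    "http://shop.example.ru/x.php", "http://login.example.ru/i.html",
    "http://update.example.cn/dl.exe", "http://mail.example.co.uk/a",
]
```

On the constructed sample, the TLD view attributes two sites to Russia and none to the U.S., while the resolved view puts three of the four servers in the U.S.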
What sort of criminal activity are these various botnets and malicious Web pages up to? In addition to facilitating spam, these bot-infected computers and malicious sites are engaged in stealing personal identities that also end up on a server somewhere. Symantec data shows that 51 percent of underground economy servers are located within the United States, with Sweden at 15 percent, and Canada rounding out the top three with 7 percent. Symantec says that the U.S. lead here is no surprise, given the expansive Internet infrastructure already in place and the rapid growth of broadband use.
A whopping 86 percent of all stolen credit card information seen by Symantec on the Internet was issued by U.S. banks. According to Symantec, U.S. cards sell for as little as $3 U.S. online, whereas cards issued in the U.K. sell for $6 U.S. Symantec suspects that there are many more U.S. cards available, thus driving down demand, and that the U.K. pound is worth more than the U.S. dollar. They also suspect that criminals no longer want to buy cards issued in the U.S.
Lives for sale
Symantec also reports prices seen for the following:
| Item | Price |
|---|---|
| U.S. credit card with verification data | $1 to $6 |
| Whole identity package (including birth date, U.S. bank account, credit card info, social security number) | $14 to $16 |
| Online banking account with $9,900 balance | $300 |
| Valid Yahoo and Hotmail cookie info | $3 |
| Compromised computers (zombies) | $6 to $20 per machine |
| Phishing sites | $3 to $5 per site |
| Verified PayPal account | $50 to $500 |
| Unverified PayPal account | $10 to $50 |
| World of Warcraft account (one month) | $10 |
What does it mean?
I've seen a few articles suggesting that entrepreneurs in the United States are crossing over to the dark side and engaging in criminal activity online because the risks are significantly low. I don't think that's true. Just as Finjan points out that a URL ending in .ru doesn't mean the site is physically located overseas, the fact that most of the physical machines reside in the United States doesn't mean the people operating those machines are here as well. I think the criminals are still global, and may, in fact, still be in Eastern Europe.
Both Symantec and Finjan cite the need for enterprises to take stock of the servers within their perimeters--many of these have been compromised and are contributing to the problem, yet remain unrecognized as such. As for home users, keep on layering that home security--firewall, antivirus, antispam, and antispyware. There may be more Internet-connected machines within the United States, but they don't have to be under the control of others. Are you surprised that criminals are using machines in the United States for their activities? TalkBack to me.