Page last updated at 11:32 GMT, Friday, 12 December 2008

Cyber crime attack from the East

Spencer Kelly meeting Russia hacker Sp0Raw
Cyber criminals operate freely in East according to Russian hacker

With so much of the world's business now being conducted on the internet, there is serious money to be made from cyber crime.

Click presenter Spencer Kelly found out why hacking is big business in Russia and other countries in the East.

Organised crime gangs are running profitable operations involving programmers writing malicious software (malware) and viruses.

A Russian hacker, known online as Sp0Raw, said "good money" can be made from knowing how to manipulate internet traffic.

"You may create a wicked virus, but that doesn't make you a fortune on its own. Maybe someone could buy it for 500 bucks," said Sp0Raw.

"But if you know someone who could convert the infected traffic into cash, your earnings would soar to 100,000 or even 500,000 dollars," he said.

He said hackers achieved this by changing browser homepages and manipulating search results to get users to click-through to their sites and sign up for services.


Cyber criminals in the East operate freely against Western countries because "it's very difficult to arrest them", according to Sp0Raw.

Artist Alex Dragulescu visualises computer viruses

"There's lots of international bureaucracy - different parts of the chain in different countries, and under different laws," he noted.

Eugene Kaspersky from Kaspersky Lab described attempts to pursue cyber criminals in the East as leading to a "dead-end".

"If the British law enforcement has information about a bad guy in the States, there is enough information-sharing that they'll follow it all up," explained the boss of the online security firm.

"You've got Russia, Ukraine and China, they won't join the big boys' club that makes joined-up legislation. So if they're not going to play ball, that's why those territories are a safe haven," he added.

This means anyone banking, shopping and even gaming online is open to attack if their machines do not have basic protection such as anti-virus software and a firewall.

But with stolen sensitive data translating into earnings, those on the wrong side of the law are finding increasingly sophisticated methods to beat defence systems.

Quick cash

Hackers advertise and sell their wares in chatrooms and web-forums across the net - a keystroke logger that records passwords as they are entered sells for an average of $23 (15).

By contrast, stolen bank account information can fetch anywhere between $10 to $1,000.

Mark Sunner, chief security analyst at MessageLabs, said anyone with "intent", rather than "technical sophistication", can now afford to buy malware.

Spam with sound file attachment
Example of sophisticated spam with a sound file attachment

"From certain Russian websites, you can buy a purpose-built Trojan guaranteed to go under the nose of virus-detection for $200," he said.

"If it subsequently becomes caught, by a virus-scanner, you can pay an additional $50, and get an update, because you're now a customer. Or for $2500, you can get the bad-guy equivalent of a service contract, and get automatic updates," he added.

But a hacker can also be hired to create a Trojan horse virus, which sits in a machine gathering personal details, often used for targeted "industrial espionage".

He explained: "It's where someone wants in to a single company or even a single individual, and they want that particular target because they may be holding data that is of interest."

Moving target

Mr Sunner said malware makers were very creative in the ways they found to get their messages across.

"Towards the tail end of 2007, we started noticing we were intercepting a high quantity of spam that had sound file attachments called things like beatles.mp3 or elvis.mp3, even celinedion.mp3," he said.

These genuine sound files played a synthesised female voice touting a particular stock.

The files were part of a stock-pumping scam where criminals take out a genuine investment in a real stock, but with stolen credit cards.

"So they'd take the investment, blast out the messages, cash out quick, hopefully having made a profit, but also having laundered the money in the process," explained Mr Sunner.

Greg Day, from McAfee, said his online security company had "seen an evolution in the commercialisation of cyber crime".

He said anyone can find out easily the latest vulnerabilities to allow them access to other people's machines.

"By pulling together hundreds of different techniques I can literally click and say whether I want to be a password stealer, a keyboard logger or a spammer, and it will compile me my own threat," Mr Day said.

Downturn 'boosting cyber-crime'
09 Dec 08 |  Business
EU to search out cyber criminals
01 Dec 08 |  Technology
Online fraudsters 'steal 3.3bn'
24 Nov 08 |  Technology
Q&A: Stay safe online
17 Nov 08 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

banner watch listen bbc sport Americas Africa Europe Middle East South Asia Asia Pacific