Thieves set up data supermarkets

By Jane Wakefield
Technology reporter, BBC News

Many web criminals are selling stolen patient records

Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price.

Speaking at InfoSecurity Europe, security firm Finjan said it had seen thousands of such online services.

Experts at the conference said web fraud was skyrocketing and called for police to urgently address the problem.

Security guru Bruce Schneier said anti-cyber crime efforts needed to be closely allied to the scale of threats.

Price lists

At the three-day conference Finjan said the latest tactic adopted by web criminals is to buy sensitive data from third parties rather than run their own crimeware servers and toolkits that compromise websites.

Sites offering medical histories, information about the shipment of goods and corporate e-mail and pension details have all been uncovered by the firm.

"All this was found on one hacker's server and we believe it was information that was collected to be sold online," said Yuval Ben-Itzhak, chief technology officer at Finjan.

The web has been discovered by criminals in a big way Bruce Schneier, BT Counterpane

"It is even being marketed on certain forums - 'We are selling this type of data and here is our price list'," he said.

While credit card details are cheap, selling for only a few dollars, the logfiles of big companies can go for up to $300 (£150), he told the BBC News website.

Recently released banking industry data show UK card losses from phone, internet or mail order crime totalled £290.5m in 2007.

A BBC investigation found if failed attempts had been successful the total could have been £500m.

New tactics

Bruce Schneier, founder of network security firm BT Counterpane, says the net is a hotbed of criminal activity.

"The web has been discovered by criminals in a big way," he said.

But he was not convinced that security solutions that focus on the tactics of such criminals were the best way to defeat it.

"The reality of the threat can change. It could be that this change is simply happening too fast and that we as a species can't handle it," he said in a keynote address to the conference.

The price of credit and debit card numbers has tumbled online

"There are new tactics each month and next year there will be something we haven't even thought of yet. It is difficult to create a model of the threat when we don't know what is going to happen," he said.

He thought the issue of web crime was creeping up the political agenda.

"It isn't top of the agenda at the moment because people aren't scared and businesses are not losing enough money," he said.

Tony Neate, managing director of campaign group GetSafeOnline, believes a new e-crime unit is about to be created in the UK.

"Currently there is no easy way to co-ordinate reporting e-crime or even what it looks like. There is a missing piece between the Serious Organised Crime Agency and local police forces," he said.

He imagines such a unit would allow members of the public who had been the victims of e-crime to report their crime directly as well as providing a more detailed idea of what constitutes cybercrime and how big the problem is.

Teenage hackers

Other trends highlighted at the conference include findings from security firm Sophos which suggest a return to the old-school tactics of teenage hackers.

One Chinese spam gang is using the Olympics to snare victims

"We are seeing viruses that are reminiscent of the deliberately complicated viruses of the early nineties and it looks like they are written by the same sort of guys," said Paul Ducklin, head of technology for Sophos in Asia Pacific.

As well as facing up to five years in prison, this new generation of hackers could find themselves embroiled in net gangs.

"The risk is that they become the research arm for cybercriminals," said Mr Ducklin.

Meanwhile security firm MessageLabs has spent the last six months tracking one particular Chinese gang which has been targeting government and human rights organisations probably "to order".

Using trojans embedded in e-mail, the gang chose topical subjects such as the Olympics to lure people into opening attachments with malicious payloads.

Alex Shipp, chief technologist at MessageLabs, believes gangs such as these are looking for new file formats to exploit.

"I predict it could be PDFs," he said. "It is a complicated file format which makes it easy to exploit and a lot of people use it."