Economic Bust, Cybercrime Boom - Forbes.com

Economic Bust, Cybercrime Boom - Forbes.com

Security
Economic Bust, Cybercrime Boom
Andy Greenberg, 11.19.08, 12:00 AM ET

The first ripples of a growing wave of cybercrime may be appearing.

In the physical world, the connection between declining business and crime is simple enough: As the above-ground economy suffers, the underground economy swells. The connection between economic trouble and cybercrime is trickier to prove. But as the economy slows, some online crime watchers see signs that a portion of newly unemployed skilled tech workers are turning to the theft and exploitation of sensitive data even as the existing cybercriminal economy is finding new ways to exploit consumer confusion around the banking meltdown.

Meanwhile data on industry spending for security suggests that companies are preparing for the worst. Fear about the downturn's consequences for data protection has kept the cybersecurity industry practically recession-proof, even as other IT spending slumps.

Gartner security analyst Avivah Litan reports that in recent months, banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. "There's been a marked increase in the number of attacks and the number of successful fraud attempts," says Litan, who plans to publish a formal report in December. "This is the busiest my practice has ever been."

Litan blames the attacks on the thousands of IT workers who have recently found themselves jobless, with the technical abilities needed to steal data or perpetrate fraud along with specific knowledge of their former employer's IT systems. "In times like these, people need the cash," she says. "You have disgruntled IT employees that leave companies, take customer records with them to sell them on the black market."

As the financial crisis spreads from the U.S. to other parts of the world, it will likely drive more laid-off employees into the Eastern European and Russian cybercriminal economy, says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, a nonprofit organization that acts as a go-between for the private sector and government on cybersecurity issues. Borg says he's spoken with local government officials about "identifiable pockets of engineers" that are migrating from legitimate computer work to the Internet underworld. "These are talented computer scientists, people who expected to be in positions of prestige, but are now unemployed without prospects, basically let down by their system."

For now, those hints of a trend are difficult to back up with numbers. Security researchers at McAfee, for instance, report an explosion in the number of different strains of malicious software plaguing the Internet in recent months. Dave Marcus, McAfee's director of security research, says the most recent uptick began in March--when the company began detecting around 170,000 strains a month versus 30,000 or 40,000 in earlier months. This was around the time of the collapse of Bear Stearns but still several months before the brunt of the credit crisis hit the technology sector.

At least one sort of cyberattack can be linked directly to the downturn: scam e-mails that exploit consumer confusion resulting from the banking crisis. E-mail security firm Message Labs has tracked floods of so-called "phishing" e-mails following practically every rumor of a bank merger or collapse, impersonating official bank statements and asking users to "verifying your account details." That string of new scam targets has pushed the total volume of phishing e-mails from a maximum of around 400,000 a day in August to nearly 800,000 a day in November.

There's also some evidence that the scams are more profitable than ever. MessageLabs researcher Maksym Schipka, who often monitors Russian-language cybercriminal Web forums, says he has seen dozens of advertisements for stolen identity information that have doubled or tripled their prices over the last month. A stolen identity that once cost $5, for instance, now sells for $15, he says.

Schipka believes that's a result of two factors: Consumers are using a smaller fraction of their credit cards' credit limit, leaving more to be stolen by fraudsters, and a higher fraud rate has led to more demand for personal information. "This is a market driven completely by supply and demand, and a rise in demand is driving the change in the shadow economy," he says.

While that kind of data remains largely anecdotal, the evidence is enough to keep corporations spending on cybersecurity technology even as they trim expenditures on other information technology. According to a report earlier this month from Gartner's Avivah Litan, banks plan to keep spending on fraud prevention systems through the downturn.

In another report last month from research firm IDC, less than 10% of companies planned to cut security spending, the least of any category of tech expenditures. More than a quarter of those companies, by contrast, planned to scale back spending on business intelligence software and collaboration software.

Another report from Forrester Research in September showed that security spending would increase during the banking meltdown to account for 10% of total IT budgets. The bulk of that money, says Forrester analyst Jonathan Penn, will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches.

"In periods of recession or slow growth, companies are going to turn their attentions to customer retention rather than customer acquisition," writes Penn in an e-mail. "The last thing you need in that environment is a data breach and the associated brand damage."

See Also:

Cybercrime Gets Its Game On

The State of Cybercrime

Our Hackable Democracy