One foot in jail
online criminals live dangerously

Software experts from around the world are increasingly insistent in warning against dangers from the Web: hackers, Trojans, botnets, spam and phishing. One question remains: Who is actually behind all this cybercrime?

On 20 September 2001, the Port of Houston, Texas, one of the largest international ports in the United States, was the target of a DDoS attack. Once the Web servers were no longer accessible, the transhipment of crude oil and other goods came to a halt. The port authority turned to the FBI, who evaluated the log files and traced them to England, where the London Metropolitan Police eventually identified the then 19-year-old Aaron Caffrey as the perpetrator – who, in his own words, was a member of the hacker group Allied Haxor Elite.

A court in London, however, acquitted the teen due to lack of evidence: proof of the helplessness of the legal systems with respect to the virtual world back then. The Internet has since then been used to commit crimes across national borders and continents; crimes which have not yet been defined as illegal in the individual countries.

In March 2012, the Russian Interior Ministry succeeded in arresting an eight-member group of hackers responsible for the Carberp Trojan. The malware spied out websites and login data called up by users in the browser before encryption could even take place. After the arrest, the online banking Trojan was put on offer for a five-figure sum in underground forums, and not much later the Carberp source code was available free of charge.

Much like in 2010, where a competitor Trojan called Zeus – in the background and without users realising it – searched mainly for financial and private data and recorded the keyboard input in the infected browser. Five men who had allegedly looted USD 51 million from accounts in the US were arrested in the Ukraine. In February 2011, the source code of Zeus was offered for sale; in May of the same year, it was already circulating for free.

In relevant forums and hacker platforms, samples of the malware from formerly successful actions are now available for free in interchangeable modules. This already includes the Blackshades Trojan, which mainly affects Windows computers and is available for only some USD 30 to 40 in the digital underground. To purchase the malware, membership in an underground forum was required; two guarantors were required to become a member. Only active coders were accepted, and as new members they had to make their malware publicly available.

To get to the programmers and customers, the FBI set up its own forum. There, officers were able to track all the posts and messages and identify the coders and buyers of Blackshades. The surveillance took two years to complete and in May 2014 it resulted in raids in 16 countries and nearly 100 arrests.

Another quite widespread variant is ransomware, which blocks a computer and demands a ransom from the aggrieved party for decryption. CoinVault was thus also aimed at files in different formats in order to freeze the computers of third party users. “These criminals are not always good programmers,” a spokesman for Kaspersky Lab recalls. The company was thus able to identify the CoinVault command-and-control server and develop decryption tools with which affected users were able to save their encrypted data. The malware was ultimately traced to the Netherlands, where the police succeeded in arresting two 18 and 22 year-old men from Amersfoort on 14 September 2015. (bs)