How cyber crime went professional

As Russian and Georgian soldiers were flinging explosive artillery shells at each other, both sides in the South Ossetia conflict were also exploiting the very latest in cyber aggression, using techniques honed by professional gangsters specialising in online crime.

Although the attacks are largely untraceable, both sides are pointing the finger firmly at each other. Russian reports claim that South Ossetian government sites were brought down by Georgian hackers. But Georgian institutions, including government departments and the National Bank, have also suffered a string of attacks. Georgia's foreign ministry is posting all news content to the Polish President's website after its own was taken out when President Mikheil Saakashvili's pages were replaced with pictures of Adolf Hitler. Meanwhile, reports also claim that Russia's RIA Novosti news agency site is being targeted and crashed.

Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor's computer.

Some are more sophisticated. MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

Hacking, which was once the preserve of tech-savvy teenagers showing off, has turned into big business. By some estimates, organised crime represents up to 20 per cent of the global GDP, and cybercrime is the fastest-growing part of it. And as the perpetrators become more experienced, the attacks become more precise.

"There is an increase in targeted attacks on specific pieces of high-value information, whether that is directors of companies and their personal pension investments or attacking corporate networks to try to take intellectual property (IP) out of the organisation and move it to the developing world," said Chris Potter, a partner at the consultancy PricewaterhouseCoopers.

The term cybercrime covers a multitude of sins. Spam campaigns and infected web pages can be used to embed spyware into end users' computers – to monitor keystrokes and steal anything from single credit card details to a large chunk of corporate data.

Or they can be used to recruit the computer into a "botnet", a network of hijacked PCs that can be used either to launch more spam, or to participate in denial of service attacks (DoS) that target a website and bombard it with traffic until it crashes.

The cyberwarfare over South Ossetia is of this type. "The computer in Aunt Ethel's back bedroom may be right now playing a role in a cyber warfare campaign," explained Graham Cluley, a senior consultant at Sophos, a security company. "We don't know for certain it is Russia attacking Georgia and vice versa, or if the attacks are sanctioned by the military, but there is clearly disruption taking place as the governments take pot shots at each other."

As internet crime has become professionalised, it has spawned a shadow economy that could be worth as much as $105bn (£55bn) every year.

"The shadow economy is very similar to the real world economy," said Maksym Schipka, a senior architect at MessageLabs. "Specialisation drives competition, and high-quality goods, and all the things that make the real world economy tick."

Different groups in this new market provide different services. One creates the malicious software, one collects and sells lists of target identities, one distributes the virus using a botnet rented from somewhere else, and so on (see panel, right). Trading, which often takes place between criminals thousands of miles apart, is conducted on online forums and chatrooms that are relatively easy to find using internet searches. Payment is made using online payment systems such as eGold, not unlike in legitimate transactions.

In some ways, in fact, the cybercrime economy is closer to Adam Smith's original concept of a free market, because it is not subject to external price regulation, namely taxes. "The shadow economy is much freer than ours, and therefore price is regulated by supply and demand alone," Mr Schipka said.

Notwithstanding its capitalist purity, the majority of electronic crime is unsophisticated in intent and some 95 per cent is designed for financial fraud and theft. But about 5 per cent is for the purposes of espionage, either political or industrial, using techniques that are ever-more refined, pursuing ever-more specific targets – often highly placed executives.

Partly, such targeting is the result of an efficiency drive that would not be out of place in any market. From the corporate spy's perspective, the most promising recipients of infected emails are likely to be executives – they have access to all of a company systems, and are often too busy to think about whether incoming documents are real or bogus before sending them on.

Using complex programs, criminals selling identities can automatically trawl corporate "About Us" web pages, and marry up biographical information with email address formats to produce bespoke lists of contact details for executives of a certain level in a given geography or industry sector.

But the hardest attacks to defend against are not financially motivated. The most common targets are IP-rich industries, such as in financial services, defence and aerospace, and it can be impossible to spot the problem until a rival comes up with an uncannily similar product, or a developing world government suddenly has better warplanes. "These are the scariest problems because they are very difficult to notice, and can go undetected for years," said Mr Schipka.

Such approaches are highly sophisticated, and very expensive. One major aerospace group found out that an apparently innocent Microsoft Word document, sent to a single executive, contained a piece of malware that came to life if the host computer ran a specific engineering calculation programme. Once launched, it stole very specific, highly technical information that could be used for designing new rockets, which was then sent to an anonymous "drop" address.

"It was difficult to tell who paid for the attack, but the type of information stolen suggests it would have been worth hundreds of thousands of dollars," Mr Schipka said. "No individual would be interested in that kind of data, because they couldn't do anything with it."

For law enforcers, the problem is how to fight crimes that are diverse, technical, sometimes undetectable, often unreported, and conducted by loose affiliates from multiple jurisdictions all over the world.

Last week's arrest of 11 people alleged to have participated in the theft of 100 million credit card details highlights the difficulty: charges are being brought against two Chinese, three Americans, three Ukrainians, an Estonian, a Belarussian and one suspect known only by his online moniker, Delpiero.

Shadow economy: Just like the real world

* Malware is the software that drives all types of cyber attack, from high level espionage to basic theft. Off-the-shelf malware can cost from $50 (£26) to $3,500, depending on the sophistication of its targeting, what kind of information it can grab, and what kind of security it can circumvent. You can also buy a service to monitor anti-virus developments and tweak your malware accordingly – charging $25 to $60 per month – or a premium service to make it undetectable.

* The next step is finding targets. A basic list of unqualified email addresses costs about 1/10th of a cent per address; a complete identity, including UK national insurance number, could set you back by $5 a piece. For a tailored solution – corporate executives within a certain geography or industry sector – expect to pay bespoke prices.

* The next step is to send the program out, using a "botnet" of thousands of innocent computers hijacked by hackers. Services can be bought piecemeal, costing about $10 for a million mails. Or the botnet can be rented and used for spamming, hacking, denial of service attacks, or anything else you might have in mind. One hour of a reasonable-sized network of 8,000 to 10,000 computers costs about $200.

* The most common aim is theft of credit card details. A successful attack might yield 100,000 numbers within a week. You can then either exploit them yourself, or sell the list on an online forum for 2 per cent to 5 per cent of the remaining balances. If the average card on your list has remaining credit of $1,000, each set of details is worth around $25 – bringing in $2m.

* A good way to convert the card numbers to cash is to buy commodity goods, often electronics, online and arrange delivery to a "drop" address. A minor hireling, who may or may not be criminally complicit, receives the parcel and takes it elsewhere, often to a railway station locker. The final link is the person that collects from all the drops and sells the goods for, perhaps, 70 per cent of their value – typically just over half the resale value, the rest reverting to you.

* In case you are concerned about being ripped off buying your malware or selling your credit card list, there are also guarantee services. For between 2 and 5 per cent of the transaction value, the third party will hold both goods and payment in escrow pending verification.