International cybercrime investigations are fraught with challenges, such as gathering evidence that meets court standards in multiple countries.
To help shut down the Mariposa Botnet, which by some estimates had infected 13 million machines with malware, Panda Security of Spain worked closely with Spanish law enforcement officials on the investigation that resulted in this cybercrime success story.
It was critical to work closely with the Spanish Civil Guard in order to arrest the suspects, who were also located in Spain, said threat researcher Sean-Paul Correll when discussing the incident at a conference in Washington, D.C.
A botnet is a network of computers that have been surreptitiously taken over by malware and are run from a command and control server. The significant thing about botnets is that they put a lot of computing power into anyone’s hands. In this case, the small group could run the application even though they “almost completely” lacked technical expertise, Correll says. Others could likely do the same.
Overall, arrests of cyber criminals are on the rise, according to officials and published reports. The United States, the United Kingdom, Ukraine, and other countries recently announced an unusually large round of about 100 arrests, with many of those arrested said to be “money mules” sending cash to cyber thieves overseas.
But these types of arrests probably have “virtually no impact at all on global cybercrime,” Correll grimly noted.
Others agree, pointing to the many challenges to cross-border investigations and prosecutions. Challenges range from varying extradition and evidentiary laws to the high cost of investigations and the low cost of malware products.
Prosecutions are difficult, and significant prison sentences are rare in these cases, say experts. One of the biggest challenges is gathering evidence that can be used in courts in the countries with jurisdiction, says Barrett Lyon, a technology entrepreneur who spent years helping law enforcement track Russian denial of service extortionists, which led to three arrests. The problem is that the evidentiary laws vary considerably from country to country. Law enforcement has made progress in easing differences, he says, but many challenges remain.
Another significant issue is how quickly cyber criminals can attack and operate compared to the pace of law enforcement. In many cases, “it is not possible to wait for international law enforcement to get itself together,” says Correll. Cyber criminals use constantly evolving tactics that thwart available security products, he says. “I don’t see that dynamic changing anytime soon.”
When the cases involve countries that are not traditionally allied with the United States or that have a relatively undeveloped legal structure, the prosecution is further complicated. Randy Miskanic, deputy chief postal inspector at the U.S. Postal Inspection Service, discussed the challenges of handling such prosecutions at a separate event sponsored by the Online Trust Alliance.
Miskanic described an investigation he handled with Nigerian authorities. The investigation targeted workers at a cybercafé who were suspected of helping others send fraudulent e-mails. Some of the challenges of the investigation included the cost and a lack of technical and forensic expertise. It was also a “dangerous place for U.S. law enforcement to be working,” said Miskanic. He doubted whether the investigation was worthwhile, he says, though they did succeed in making a few arrests.
In the Mariposa case, the botnet operators were caught partly because one member used a home computer with its real Internet Protocol address, says Correll. But the United States and many other countries face regular attacks from China and other unknown locations, because they’re hidden behind proxy servers. U.S. officials and others have accused China of giving hackers state support for political or financial reasons. China has denied this.
After the Nigerian experience, Miskanic and some of his colleagues decided to focus more effort on other cyber crime-fighting strategies. These included working more closely with U.S. and foreign law enforcement agencies as well as with private sector companies, including some major e-commerce firms. These relationships have been highly valuable, he says, in areas such as providing early intelligence about possible threats and conducting investigations. Many other experts advise public and private sector companies to take advantage of trusted partnerships and associations. In many of these partnerships, companies can share data in a way that is nonpunitive or anonymous.
Miskanic and others involved in cross-border investigations also stress the value of end-user awareness campaigns. In Operation Aurora, in which more than 100 companies were penetrated by malware, many of the attacks were successful because employees downloaded malware attached to e-mail, noted Andy Crocker, a former investigator at the United Kingdom National Hi-Tech Crime Unit, when he spoke at a conference sponsored by security firm ArcSight.
That might not have happened if the employees had been properly forewarned. “[End-users] really are our front line,” Crocker said.