Organisations and security researchers sick of seeing cybercriminals getting away have begun to name and shame scammers, but this may be helping rather than hindering criminals, according to Kaspersky Lab senior security researcher Stefan Tanase.
Tanase, who spoke at the Kaspersky Lab Cyber Conference 2012 in Cancun, Mexico, said that cybercrime is becoming a mature industry, and that the criminals involved often have over 10 years of experience in creating malware. This maturity, he said, has led criminals to conduct their activities like corporations, reinvesting their profits in researching and developing new ways to scam people.
He pointed to the examples of Koobface, a worm that targeted the Facebook platform, and Vplay, a Romanian site that made its profits by streaming television shows that it did not own the rights to. The masterminds behind Koobface and Vplay were earning up to US$2 million and US$0.5 million per year, respectively, when they were in operation. Koobface in particular had a fully fledged accounting system to track profits, and sent daily profits via SMS to its masterminds.
Tanase said that while these groups are making money, they aren't necessarily going unnoticed by law-enforcement organisations, especially in the case of Koobface. Yet, despite knowledge of their operations, and in some cases holding specific information such as the likely physical location of scammers, Tanase said that law-enforcement organisations are often doing nothing.
"Both Western law enforcement and Russian law enforcement were aware of who these people are, who these people were ... but nothing happened," he said.
"I can only hope that these people will pay the consequences for what they did. It doesn't make us very happy to see several criminals operating out there [with] law enforcement knowing who they are."
The lack of action has left information-security researchers, security companies and affected organisations increasingly frustrated and, in some cases, has forced them to take matters into their own hands.
Facebook eventually released information about Koobface's operators, which Tanase said was likely due to the company growing impatient with the damage that the offenders were doing to its business.
"For Facebook, it was [probably] a business decision. If these guys are not going to get stopped by legal processes, let's at least disclose what information we have about them, and make them stop."
But Tanase said that the approach of "naming and shaming" could jeopardise any hopes of bringing the criminals to justice.
"I'm questioning if this was actually the best choice, because I'm questioning if these guys will ever get arrested now that they are trying to hide."
He said that criminals only go to jail via trial by judge and jury, not trial by media, and that letting criminals know they are under investigation only makes it more difficult to track them.
Tanase said that the more appropriate response is greater cooperation, better laws and faster investigations.
"If an investigation takes three years, and a cybercriminal is active for one year, they will probably be able to make an exit without being caught. We need better cybercrime laws, which can allow us to better fight cybercrime — to fight faster and to be able to respond quicker — but at the same time to protect the internet citizens' privacy.
"Any security researcher in the world can confirm that this can only be achieved through collaboration."
Without some sort of change, Tanase said that criminals will continue to win, as law enforcement fails to keep up.
"What we're seeing right now is cybercriminals creating and implementing real-life exit strategies, and the idea is that if they don't get caught before they quit, they will probably never get caught."
Michael Lee travelled to the Cyber Conference 2012 as a guest of Kaspersky Lab.