Cybercops Without Borders
06.01.09, 6:00 PM ET
(Forbes) – Glancing at his file, there’s little in the case of 23-year-old Ovidiu-Ionut Nicola-Roman to distinguish him from the average cybercriminal. Beginning in 2005, he was a member of a massive “phishing” scheme that harvested millions of e-mail addresses from the Web and used a program called “E-mail Sender Express” to barrage those addresses with spam messages at a rate of around 30,000 an hour.
Those e-mails lured users to Web sites that impersonated banking pages requiring account information, realistically spoofing businesses like Wells Fargo, Regions Bank, Charter One and PayPal. The scheme brought in thousands of credit card numbers and PINs, each of which was used to siphon off cash from ATMs at a rate of as much as $1,000 per card.
All of those tactics follow the typical playbook of modern malicious hackers. But Nicola-Roman holds a distinction nonetheless: In March, he became the first foreigner to be extradited to the U.S. and convicted of phishing.
For years, profit-motivated cybercrime has been exploiting the geographic flexibility of the Internet, migrating from the U.S. and Western Europe to Eastern Europe and Asia, where digital crimes are equally lucrative and far harder to prosecute. But over the last year, U.S. law enforcement has been increasingly willing to follow cybercriminals to those far-flung destinations, both to help local authorities track down and arrest cybercriminals and to extradite them into the American legal system.
Though the U.S. Department of Justice doesn’t track cybercrime statistics–domestic or international–department officials insist the number of computer crime prosecutions that reach beyond U.S. borders is on the rise. “Unquestionably, we’re seeing an increase in the international cases of cybercrime and intellectual property crime,” says John Lynch, the deputy chief of the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS). “As a result, we’re increasingly cooperating with our international partners.”
The dismantling of the phishing scheme involving Nicola-Roman is an example of American law enforcement’s increasingly cozy relationship with foreign cybercrime investigations. Along with the 23-year-old Nicola-Roman, authorities arrested 37 other members of that cybercriminal ring last May. Those globally dispersed defendants were based in countries stretching from the U.S. to Romania to Pakistan.
Nicola-Roman, who was sentenced in March to 50 months for his role in the scheme, may have merely been unlucky: He was arrested and extradited to the U.S. during a trip to neighboring Bulgaria. But the 29 other Romanians arrested in the case are likely to follow close behind. On May 8, U.S. Secretary of State Hillary Clinton and Romanian Foreign Minister Cristian Diaconescu announced that they had signed a Mutual Legal Assistance Protocol, along with an extradition treaty between the U.S. and Romania.
U.S. law enforcement’s renewed focus on international cybercriminals officially began in April of last year, when then-U.S. Attorney Gen. Michael Mukasey told an audience at the Center for Strategic and International Studies that the country needed to launch a new program of cooperation between governments to stop cybercrime.
“We will step up what we are already doing with our international partners to get these criminals wherever they hide,” he said. “We have people assigned overseas who train and help our counterparts, to strengthen law enforcement efforts around the world. International borders pose no hindrance to criminals, so we’re making sure those borders do not pose an obstacle to effective enforcement.”
That initiative has yielded several high-profile results. Less than a month after the arrest of the 38-person Romanian phishing crew, Spanish officials granted the extradition to the U.S. of another Romanian, 22-year-old Sergiu Daniel Popa, who was accused of running his own phishing ring and of possessing equipment for manufacturing false credit cards.
In August, the FBI indicted 11 members of a sophisticated retail store hacking organization with elements based in the Ukraine, Estonia, China and Belarus. One, Ukrainian Maksym Yastremskiy, was extradited to the U.S. while on vacation in Turkey, and Aleksandr Suvorov, an Estonian, was extradited from Germany.
That international retail hacking ring, which the U.S. Department of Justice says stole tens of millions of credit card numbers, was no ordinary cybercrime operation. Beginning in 2005, the widespread organization used a technique known as “wardriving”–testing wireless networks for security vulnerabilities–to identify targets. When members found that retailer TJ Maxx, for instance, used an outmoded and easily hacked wireless standard, they broke into the store’s network from a car in its parking lot and stole more than 45 million credit card numbers, by the company’s account. The trick was repeated at other retailers and restaurants including Boston Market, Dave & Buster’s and Sports Authority.
But even as law enforcement has toppled major identity theft schemes around the world, there’s no indication those initiatives have slowed international cybercrime’s steady growth. According to an April study from Gartner Research, more than 5 million Americans lost money to phishing schemes in 2008, a 40% increase from the year before, although the average amount lost in each scam decreased, largely due to strengthened bank safeguards.
Spam e-mail volumes, which dropped nearly 75% after the shutdown of the notorious Web host McColo last November, have staged a comeback. According to a May report from Symantec, spam accounted for 90% of all e-mails and grew 5% between April and May.
Targeted data thefts, like the kind performed by the TJX hackers, are also on the rise. The Identity Theft Resource Center reported in January that 2008 saw 646 data breaches, a 47% increase over the year before. And later that month, credit card processing company Heartland Payment Systems revealed that it had been targeted by seemingly international hackers who had planted malicious software on its systems, exposing as many as 100 million customers’ accounts–perhaps the largest breach to date.
Those numbers show that law enforcement alone can’t stop the growing ranks of cybercriminals, says Dave Jevans, chairman of the Anti-Phishing Working Group, a cybersecurity industry consortium. “We’re starting to see more international prosecutions, getting more international cooperation. But is there less cybercrime? No. Is it less sophisticated? No,” Jevans says. “The problem is getting worse.”
Even with international partnerships, Jevans points out, the feds haven’t been able to capture the so-called Russian Business Network (RBN), a syndicate of organized cybercriminals thought to be based in St. Petersburg. In recent years, the shadowy RBN is suspected of becoming a hub for online crimes ranging from phishing to child pornography, and is suspected to have created the Storm worm that infected millions of computers in 2008.
That means American law enforcement needs to cooperate not just with foreign governments, but with the private sector, Jevans says–leveraging the analysis of cybercrime within information security companies like McAfee, Symantec or other tech firms.
“In the cybersecurity industry, companies are gathering and analyzing massive amounts of information tracking crimes and learning patterns. We have to share that information with banks and with law enforcement,” Jevans says. “Arresting people alone may be a deterrent, but it hasn’t made a measurable impact in reducing the scope of the problem.”