Posted December 3, 2014
“I don’t think we’ve seen anywhere near how nasty this is going to get.”
How have your journeys in cybercrime over the years changed you?
They’ve made me far more aware of how much of an unfair fight cybersecurity really is. The attackers are motivated, they love their work, and the world is their oyster – because so few of these guys are in places where they will face consequences for their actions. Conversely, in many organizations – even some of the biggest companies in the world – the security guys are increasingly being asked to spend more of their time and resources just keeping the networks and systems running, let alone secure.
Far too many organizations routinely fail to fully grasp how much of their operations, business, longevity, competitiveness and profits depend on all the IT stuff running smoothly and securely. As long as that disparity in awareness persists, we’ll continue to see major data breaches involving consumer information and the theft of invaluable corporate intellectual property.
In your new book, Spam Nation, one of the problems you discuss is illegal online pharmacies. How would you describe the changes over time in the approach by federal law enforcement to fighting illegal online pharmacies?
I don’t see federal law enforcement as having played a major role in battling the problem of online pharmacies. Sure, the agencies have a facilitator role to play, but much of the progress that I write about in Spam Nation has more to do with companies that have availed themselves of resources set up with the help of federal agencies to report the fraudulent use and abuse of their trademarks and brands.
Politicians and pundits can complain until they’re blue in the face to Visa and MasterCard about dodgy businesses that accept credit cards. But unless the brand holders and rights holders use existing laws and contracts with the card associations to complain about banks that are facilitating this activity, nothing will change. I documented some real successes in using these reporting tools to combat cybercrime and illegal pharmacies in detail toward the end of my book. We’re seeing the same calls for the card associations to do something about content lockers now, but unless the people whose trademarks and copyrights are being violated report this activity to Visa and MasterCard on their own, the status quo will continue.
What, if any, new laws would be helpful in the fight against cybercrime as described in your book?
As I mentioned in the answer to the previous question, we don’t need new anti-cybercrime laws. We need more creative and thoughtful ways of enforcing existing laws. Complaints filed by rights holders through the International Anti-Counterfeiting Coalition (IACC) can have a huge effect on any operation that accepts credit cards for pirated goods by reporting the activity to Visa and MasterCard, which will rain down fines on acquiring banks that facilitate this activity.
Is there a role for open source intelligence (OSINT) gathering by businesses to protect themselves from the type of criminals you describe in Spam Nation?
Yes, always there is a greater need for this. Intelligence – no matter how it is gathered – is very valuable, if it is good. And so there is a natural tendency to hoard it instead of share it. That needs to change. What we have today is a lot of companies recycling a lot of recycled intelligence, and much of what they’re regurgitating is not worth much.
There is a lot of concern in the security industry that being more open about what we know about the bad guys’ operations will force them to change. Maybe that’s true in some cases, but from my experience, the attackers normally only change their tactics when the existing ones stop working, and many companies in the threat intel space seem more concerned that a broader, more open and timely sharing of threat intel will mean that the intel they’re selling will become less relevant more quickly.
You mention a non-profit coalition from industry partners devoted to fighting illegal online pharmacy in the book. Is that still around?
What is the relationship between the online pharmacy spammers described in your book and those who launch phishing attacks? Are they usually the same actors?
Very few of the successful cybercrooks that I profiled in Spam Nation were involved in only one type of criminal activity. Most had experience and/or were actively involved in a variety of criminal endeavors, including money laundering, porn, online gambling and malicious email and phishing. I tend to lump password-stealing malware (which describes capabilities built into probably 75+ percent of the malware out there) into the phishing category. Every one of the major spammers was also involved in developing and disseminating malicious software, because it kept their crime machines going. And the same money laundering networks that can be used to cash out hacked bank accounts can be useful in obfuscating the movement of cash for large-scale cybercrime operations.
One of the most engaging threads in the book is your relationship with Pavel Vrublevsky, including your face-to-face meeting in Moscow. Do you think you’ll ever meet Vrublevsky in person again? What would that encounter be like?
I hope I get to meet Mr. Vrublevsky again, but I would much prefer it if he visited me this time. He told me he has never been to America, which is certainly a shame. But I don’t think he will, given his history and the fact that several U.S. law enforcement agencies would most likely wish to give him a ride from the airport. But truthfully, I very much enjoyed most of our many conversations, and found him to be a very likeable fellow.
Is there anything you’d do differently if you had the opportunity to start these investigations all over again?
I’d have done a better job documenting all of my research while I was doing the research. So much of the research I did for the book I ended up doing twice, mainly because I would get distracted by some shiny thing or another and chase a promising lead off in another direction that ultimately proved fruitless. The trouble was, when I later went back to find the information that led to a specific conclusion, connection or aha! moment, I often ended up having to retrace my footsteps because I hadn’t documented how I got to that place to begin with.
From where you sit, what is the next frontier in cybercrime?
More destructive and malicious attacks. I don’t think we’ve seen anywhere near how nasty this is going to get. Especially once the crooks start getting better and more reliable situational awareness about when they are inside of major companies or those who can afford to pay to not have all of their internal systems trashed or sold in the underground. This is coming. Unfortunately, most organizations are still unprepared for a threat that merely seeks to destroy or erase information.