Cyber-criminals cash in on web

Online miscreants used to have a certain profile in the public imagination. Frequently pale-faced and socially inept, they were often imagined in darkened bedrooms feverishly programming viruses designed to reduce hard drives to slime.

These characters, generally thought to harbour grudges against society, sought nothing more than simple notoriety.

The game has now changed significantly. With major financial gains to be had from the increasing numbers of people living their lives online, cyber criminals have now ditched fame for fortune. "As the global cyber threat continues to grow, it has never been more important to remain vigilant and informed on the evolving threat landscape," says Ilias Chantzos, Brussels-based head of government relations at security software-maker Symantec.

According to a report released by Symantec on 17 September, the sources of risk are manifold. Cyber criminals now dispose of so-called toolkits sold on the underground economy that can be used for a number of purposes. ‘Phishing’ kits allow criminals to spoof websites that can then be turned to their purposes, for instance to collect sensitive data.

Financial, social networking and career recruitment sites are also a rich source of data for the enterprising criminal. Scamsters breach sites for use as platforms to gain access to data stored on personal computers which can be used to conduct identity theft or online fraud.

The criminals tend to be organised into professional networks that carefully identity profitable activities. Information collated by networks is sold on black-market auction sites, with credit card and bank account details accounting for nearly half of marketable data.

Sales of credit card details at around 50 cents apiece are now part of a multi-billion euro industry. Other information sold can include email passwords, social security numbers and identity card numbers.

Viviane Reding, the European commissioner for information society and media, plans to introduce crime-busting measures in her forthcoming review of EU telecoms rules due in November. Under new rules, consumers must be notified of security breaches where loss of data has incurred. According to Chantzos, a safe harbour mechanism determining the scale of breaches that should be flagged up would be advisable. "If we get notices of every minor breach then the overall effect of notification loses its meaning," he says.

Rules governing the use of electronic data as evidence are covered by three EU laws. The 2002 telecoms framework, currently under review, sets a maximum timeframe of 24 months for data retention by crime authorities. The 1995 data protection directive sets rules of access to data for authorities, while the 2006 data retention directive determines how long companies or individuals can be obliged to keep data where there is suspicion of criminal activity.

Franco Frattini, the commissioner for justice and home affairs, targeted online criminals earlier this year in his communication on cybercrime.

This aims at creating policies that will improve co-ordination among EU countries and increase sharing of intelligence.

Online miscreants used to have a certain profile in the public imagination. Frequently pale-faced and socially inept, they were often imagined in darkened bedrooms feverishly programming viruses designed to reduce hard drives to slime.