Internet Criminals Signing Up Students As 'Sleepers'

Taken from The Guardian, UK, December 8, 2006
By Jeevan Vasagar

Organised gangs are recruiting the next generation of internet criminals by approaching undergraduates on university campuses.

In some cases gangs offer to finance undergraduates' studies and plant them as sleepers within target businesses, according to a report on cybercrime which draws on intelligence from the FBI and British and European hi-tech crime units.

Cybercriminals are exploiting the popularity of social networking sites such as MySpace to steal identities or craft more personalised fraud attempts, the report says. More than 1m computers were infected with malware this summer after MySpace users clicked on a spoof advertisement placed by hackers.

Today's report by computer security company McAfee warns that online criminals are increasingly turning their attention to mobile phones, with the phenomenon of phishing, sending emails under a bogus identity to elicit personal information, spreading to text messages.

In August two major mobile phone operators in Spain were targeted in this way, the first time a criminal operation has transferred targeted spam from the internet to mobile phones, according to the report. The scam used the companies' own system to send texts to customers offering free anti-virus software purporting to come from the phone operator. But when customers followed the link to install the software their computers were infected with malicious programs.

Internet crime has become more focused, according to the McAfee report, which says there has been a shift away from hit-and-miss global viruses to attacks which try to cash in on news and sports events such as this year's World Cup.

In May a Trojan horse, a hidden malicious program, disguised itself as a World Cup wallchart and was distributed by spam email, while another virus which infected Microsoft Excel files was concealed in a World Cup results spreadsheet. Once compromised, vast botnets are created - sometimes millions of puppet computers controlled by hackers. Brazil, Portugal and Angola attracted a high proportion of spyware and malicious downloads.

Cristiano Ronaldo and David Beckham were the favourite player targets.

Criminals are also tailoring their attacks with a method known as spear phishing, emails which appear to come from employers or colleagues.

According to Apacs, the payments association, phishing by text message, also known as smishing, is rare in Britain, but there has been a steep rise in online fraud over the past year.

Online banking fraud cost the industry £22.5m in the first half of this year, compared with £14.5m in the same period last year.

"When this type of scam started the emails being sent out had spelling mistakes and the grammar was very poor," said an Apacs spokesman. "Now, when you get the emails you can be duped into thinking they're real - you can even have logos in them."

The McAfee report, which is based on work with law enforcement agencies including the Metropolitan police and the FBI, claims criminals are conducting extensive talent-spotting exercises on campuses. The typical target is not an existing criminal - the so-called black hat hacker - but a bright student trawling for passwords and personal data out of curiosity rather than malice.

Greg Day, security analyst for McAfee, said: "A lot of these people go into chatrooms, discussion sites, and start a discussion. Organised crime is involved in that."

Inexperienced young hackers often talk to each other in an internet slang known as l33t, which helps gangs target them. One popular tactic is blackmail. "They'll say: 'We know you did this, we can shop you unless you come and work for us'. Sponsoring students through a degree is more likely to happen in less affluent countries like Russia or India."

The report warns: "There is a false economy of trust. People don't present personal information to strangers on the street, but building profiles online means that internet criminals can instantly access a mine of details - names and interests, pets and life stories."

Junk and Jargon
Malware Covers many types of malicious programs able to infect computers, websites and files
Phishing Used to trick surfers into handing over confidential information. Personalised scams, often purporting to come from friends or colleagues, are known as "spear phishing"
Spam Unwanted email, often selling fake goods or illegal services
Virus A piece of code which attaches to a host file before copying itself and trying to infect other computers
Trojan horse Code disguised as something innocuous that attacks a computer and opens it up for other hackers
Botnet Large numbers of hacked computers linked together to send spam emails around the world
Spyware A kind of malware which installs tracking systems to watch what you do on the internet
Smishing A relatively new form of phishing which uses text messages to mobile phones
Black hat The most dangerous form of hacker, distinct from "white hats", who break into systems to alert the public
l33t A dialect developed by hackers. The sentence "I hacked you" becomes "I h4x0r3d j00"