The cyber Mafia has already hacked you

@CNNMoneyTech July 27, 2011: 9:45 AM ET
Organized cybercrime has already hacked you

This is part three of a week-long series on the ecosystem of cybercrime.

NEW YORK (CNNMoney) -- Just how pervasive is cybercrime?

"There are probably some corporations and credit cards that haven't been hacked," said Kim Peretti, director in PricewaterhouseCoopers' forensic services practice. "But you have to assume you've been compromised."

Large, organized crime syndicates have been launching sophisticated attacks against individuals and major corporations for decades. The result of their efforts is the theft of billions of dollars every year, and a large, ongoing presence in many of our most sensitive computer systems.

These aren't petty thieves. They're committing breaches like the Sony (SNE) attack that stole credit card information from 77 million customers and the Citigroup (C, Fortune 500) hack that stole $2.7 million from about 3,400 accounts in May. They're organized, smart, and loaded with time and resources.

"It's not like the Mafia, it is a Mafia running these operations," said Karim Hijazi, CEO of botnet monitoring company Unveillance. "The Russian Mafia are the most prolific cybercriminals in the world."

Organized cybercrime is a truly international affair, but the most advanced attacks tend to stem from Russia. The Russian mob is incredibly talented for a reason: After the Iron Curtain lifted in the 1990s, a number of ex-KGB cyberspies realized they could use their expert skills and training to make money off of the hacked information they had previously been retrieving for government espionage purposes.

Former spies grouped together to form the Russian Business Network, a criminal enterprise that is capable of some truly scary attacks. It's just one of many organized cybercriminal organizations, but it's one of the oldest and the largest.

"The Russians have everyone nailed cold in terms of technical ability," said Greg Hoglund, CEO of cybersecurity company HBGary. "The Russian crime guys have a ridiculous toolkit. They're targeting end users in many cases, so they have to be sophisticated."

Low-tech Internet scams harvest billions of dollars

Where hacktivists lack patience and most fraudsters lack skill, organized crime syndicates like the RBN possess the necessary tools to hack just about any target they set their sights upon.

"They're incredibly persistent," said Jose Granado, leader of Ernst & Young's information security practice. "If it takes a year to set up their targets, then they'll wait the year."

Once a hacker in an organized crime unit has gained entry to a targeted system and reached the limit of his expertise, he'll send the hack up the chain to a more expert attacker. That continues until it reaches an organization's top hacker, who will often steal whatever information the organization wants and cover the previous hackers' trails.

Unlike their more boisterous hacktivist peers, organized crime groups don't want their victims to know they've been attacked. They design their presence in their victims' systems to be completely silent.

That's because their motives are very different. Hacktivists like Anonymous are seeking attention. Organized crime syndicates are after gobs of money.

Though credit cards continue to be a source of revenue for organized crime syndicates, experts say there's a supply and demand issue: There are so many stolen cards on the black market, they're not selling for nearly as much as they were several years ago.

As a result, many organized crime syndicates are now going after bigger fish: They're engaging in corporate espionage to steal intellectual property, source code and IT architectural renderings that they can sell to competitors.

"They could go after thousands of credit cards or one very, very sensitive document," said Larry Ponemon, chairman of the Ponemon Institute research center for cybersecurity. "The technologies that they're using are beyond the capabilities of most security systems. We're defenseless against those attacks; it's a big problem and it's only getting worse."

Our defenselessness means these crooks are making off with a lot of money.

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will stolen in 2011.

"If you think about the money that organized crime has, if they throw out $100,000 to attack you, it's hard for a corporation to fight against that," said Dave Aitel, president of security firm Immunity Inc. and a former computer scientist at the National Security Agency.

To catch a cyberthief

As hard as it is for corporations to stop organized crime groups from attacking their systems, it's even more difficult for law enforcement officials to bring them to justice.

Since it's so easy to cover your trail online, the FBI's task isn't easy. It's incredibly hard to prove a person orchestrated an attack when a hack took dozens of different routes to get from point A to point B.

"The anonymous nature of the Internet creates plausible deniability for attack sources," said Jeff Bernstein, executive vice president of security intelligence contractor Critical Defence. "It's hard to fingerprint the source of an attack with absolute certainty."

Making things more difficult is the international aspect of organized cybercrime. For U.S. law enforcement to act on foreign soil, the FBI must be able to show cause.

"Russia won't do anything about it, so the FBI needs to dot their i's and cross their t's to go after them," said Charles Dodd, CEO of cyberwarfare intelligence organization Nicor Global, which contracts with the U.S. government. "But unless they're idiots and left fingerprints all over the place, these guys aren't leaving any forensic details. Bringing charges against them is very difficult."

That's why most cybercrime convictions involve a stroke of dumb luck.

The cost of cybercrime

Good fortune played a big role in the apprehension of Albert Gonzalez, the ringleader of one of America's most notorious organized cyber rings.

In 2008, U.S. law enforcement officials apprehended a hard drive of a cybercriminal arrested in Turkey, which contained logs of his chats with other cybercriminals.

Why would he keep those?

Most hackers have an identity on underground chat rooms, but more sophisticated criminals stay away from public or even password-protected boards, making them more difficult to catch. Some stay on smaller boards where they don't even use a handle -- they just use numbers.

"Criminals deal with so many other criminals in business transactions," said PwC's Peretti, who acted as the U.S. Justice Department's lead prosecutor in the Anthony Gonzalez case. "They don't know who they're dealing with, so recording chats allows them to remember others' identities and what's owed to them."

A search of the chats on the confiscated drive showed that the number 20167996 belonged to the lead attacker who compromised cash registers at TJ Maxx (TJX, Fortune 500) stores and stole nearly 46 million credit card numbers in 2006. Law enforcement realized that number also belonged to a hacker who attacked restaurant chain Dave & Busters' systems a year earlier.

That number happened to be used by a hacker with the username "segvec," which was also used by a previously convicted cybercriminal named Albert Gonzalez.

Despite the solid connection, getting a conviction proved difficult. Gonzalez's ring was known to have gained illegal access to hundreds of companies, yet the prosecution could only convict him on seven indictments.

"That's all the hard evidence we had," said Peretti. "It's very difficult to identify the actual person who sat behind the keyboard and did a crime."

Coming Thursday: The story of cyberespionage that threatens our trade secrets, economy and national security. To top of page

CNNMoney Sponsors

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer.

Morningstar: © 2014 Morningstar, Inc. All Rights Reserved.

Factset: FactSet Research Systems Inc. 2014. All rights reserved.

Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved.

Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor’s Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2014 and/or its affiliates.