The New Zealand Herald

Challenges of solving online whodunnits

Why a pioneer of the internet is calling for an end to anonymity on the web to counter the malware scourge

- Juha Saarinen

Last week, the United States charged three Ukrainians with being behind the massive Carbanak (also known as FIN7) banking malware campaign, the culmination of years of painstaking detective work by security researchers and police.

In case you’ve not heard of Carbanak, the malware is thought to be Eastern European in origin and has been used for all sorts of crimes including automatic teller machine “jackpotting”, which involves hacking them to dispense cash, stealing payment card details and enterprise secrets, mostly via phishing emails.

Carbanak was discovered in 2014 and has earned those criminals using it more than a billion dollars.

Only three of the alleged criminals behind Carbanak have been named and charged so far, and it’s taken years to get to that stage.

In real life, bank robbers would never get away with heist after heist for years on end, so why can it be done on the internet? Because attribution for digital skulduggery is very hard.

Facebook made that clear last week when it published a detailed postmortem on taking down shady election-interfering pages and accounts that were “engaged in coordinated inauthentic behaviour”.

Alex Stamos is a well-respected name in cyber security. Before joining Facebook (and leaving this month with no replacement for his role at the social network, curiously enough), he headed up security and fronted the massive data breach at Yahoo.

Working out who’s behind dodgy stuff on the internet takes a huge amount of work and global cooperation to find a trail leading to the culprits.

Successfully tracing bad people often depends on them either not having covered their tracks properly, or making a mistake like leaving log files on a compromised computer.

In its case, Facebook found that the baddies had hidden behind virtual private networks and used third parties to buy ads for them (which, as an aside, surely should’ve raised suspicion by itself because what legitimate advertiser would do that?). It might be Russian state actors, or someone else. Facebook says it doesn’t know.

Having the internet protocol (IP) address assigned to routers and computers isn’t enough to attribute blame as it’s very easy to fake them or to use hijacked machines that belong to innocent parties.

That salient point was ignored a few years ago when the anti-file-sharing amendment to our copyright act came into effect, and rights holders were able to send infringement notices to broadband account holders, based on the IP addresses allocated by their ISPs.

Going back to cyber criminals, there is little doubt that their virtual activities cause real damage. What to do about it? Internet pioneer Vint Cerf has come full circle on the situation and now says network anonymity invites misbehaviours and “might not be absolutely desirable” for that reason.

Cerf suggests “differential traceability”, a concept that takes a range of identifiers in the internet environment such as domain names, IP addresses, and cryptographic keys and associates them with individual users.

That information would not be available to everyone, but only to the police and authorities.

“I expect this is a controversial conclusion and look forward to subsequent discussion,” Cerf said.

It’ll create an uproar rather than discussion, but if someone like Cerf says time’s up for anonymity on the internet, it’s a sure-fire indication that there is a serious problem with it.

While we ponder Cerf’s suggestion, despite the arrest and charges of some gang members, the Carbanak malware is far from dead.

I checked with security vendor FireEye which has been tracking the criminals’ activities, and they told me that a new strain of the malware is being used by other people, perhaps not the original FIN7 gang, and new command and control infrastructure is going up on the internet.

Some people clearly expect to make a good profit with minimal risk again.

Photo / Getty Images: A technician in Colorado’s Security Operation Centre monitors malware, phishers and hackers worldwide on the firm’s threat map.

Photo / Getty Images: Vint Cerf (right) says ending anonymity on the internet will be ‘controversial’.
