Virtual Villains: The Evolution of Transnational Organized Financial Crime

Tuesday, December 4th, 2012

For nearly as long as there have been banks, there have been bank robbers. In U.S. heist history, Butch Cassidy and the Sundance Kid made away with $70,000 from a train car in 1899;[i] and impoverished Americans during the Great Depression quietly cheered on public enemy John Dillinger, who stole $300,000 in a multi-bank spree from July 1933 through June 1934.[ii] More recently, Allen Pace III orchestrated the largest cash robbery on U.S. soil with his 1997 theft of $18.9 million from a Dunbar Armored truck facility in Los Angeles.[iii] Hollywood has capitalized on these stories to the tune of unknown plunder, but as VHS tapes gave way to Netflix instant streaming, bank robbers went digital too.

As of June 2012, Operation High Roller resulted in at least $78 million in attempted fraudulent transfers.[iv] When McAfee and Guardian Analytics uncovered this cyberfraud and began their investigation of it, they reported that the perpetrators successfully carried out transfers from at least sixty financial institutions, including both multinational and small local banks; less conservative estimates placed the total attempted fraud at $2.6 billion.[v] While traditional physical bank robberies still occur—the “Handsome Guy Bandit,” responsible for eleven robberies, was sentenced less than a month ago—high-return, low-risk online financial crime has become increasingly attractive to transnational organized criminals, whether for financing other illegal activities or as an end game.[vi]

In the absence of an effective international governance system, countries and organizations must formulate and implement individual protection plans. The U.S. government has taken some strides to combat cybercrime, encouraging enhanced security in both the public and private sectors through legislation and information campaigns, but massive breaches and attacks continue to plague the nation.[vii] Beginning in mid-September 2012, an international hacking group claiming to be motivated by the “Innocence of Muslims” video and related Benghazi activities hit nearly every major online bank with a string of malicious distributed denial of service (DDOS) attacks. By September 17, only six days after the initial incident, the Federal Bureau of Investigation (FBI) reported similar theft attempts between $400,000-$900,000, leading many to believe the “Innocence of Muslims” motivation may have been a religious smoke screen to steal money.[viii] While devastating, these attacks are technically “nothing new;” the DDOS method floods the websites with additional traffic the same way well-meaning users might when many try to buy tickets to popular concerts, overwhelming the system until it becomes unavailable.[ix] These particular attacks simply amplified the traditional DDOS model, generating so much additional traffic that they essentially broke the online banking services.[x] 

In October 1994, Stanford Federal Credit Union introduced online banking to the United States.[xi] By 2003, reports indicated significant surges in online financial crime along with concerns that the future would bring much worse.[xii] “Mimail,” which surfaced in August 2003, quickly evolved from a harmless bug to an email virus targeting the credit card information of PayPal users.[xiii] Online spam schemes for identity theft or siphoning bank funds skyrocketed with the spread of the internet, and it didn’t take long before mob groups around the world got in on the action.[xiv] Transnational organized crime (TOC) networks today frequently engage in illicit cyber activities, financial or otherwise, and increasingly investigators discover new organizations founded entirely around online financial fraud.[xv] Thus far, international hackers have found that cybercrime does pay; according to the most recently published assessment by the White House National Security Council, Central European TOC networks alone make off with about $1 billion a year from the United States.[xvi] In his 1 November 2012 testimony before the U.S. Senate Judiciary Subcommittee on Crime and Terrorism, Assistant Attorney General Lanny A. Breuer discussed the scope of the U.S. problem with TOC networks engaging in online financial crime and other cyberattacks, warning,

Organized cyber criminals direct cyberattacks from abroad that target United States citizens and steal their identities for the purpose of raiding bank accounts or placing fraudulent credit card purchases. Other organized criminals commit crimes abroad and launder and maintain funds in the United States, without ever traveling to our shores, and sometimes through the use of U.S. shell corporations.[xvii]

TOC networks in Russia and Eastern Europe are some of the most persistent attackers on U.S. government branches and private organizations.[xviii] By November 2009, the FBI had cracked a TOC cyber ring operating out of Estonia, Russia, and Moldova that employed Georgian hackers to run a credit card scheme that hit 2,100 ATMs in 280 global cities, including many in the United States, resulting in spoils of over $9 million in just twelve hours.[xix] Suffering Eastern European economies and widespread corruption allowed the region to blossom into the hub of sophisticated online mass-marketing fraud, and the global financial crisis of 2008 only worsened such factors as unemployment and poverty that lead individuals to seek opportunities for compensation with TOC networks.[xx] In Assistant Attorney General Breuer’s recent testimony, he referenced several examples of Eastern European citizens who the U.S. Attorney’s Offices in Chicago and Washington DC have prosecuted for money laundering in the past year: a Romanian involved in an international online auction scheme; a Bulgarian caught working with a TOC group out of Eastern Europe; and another Romanian involved in the same conspiracy, who aided the group in stealing at least $1.4 million from individuals in the United States.[xxi]

However, the work of these small-time mobsters pales in comparison to the more established transnational hacking groups taking root in the region. In March 2012 the FBI finally broke through on the Trident Breach case, in which an Eastern European TOC group hacked into payroll accounts of an estimated 400 U.S. companies to net $70 million.[xxii] The TOC group employed the now-famous Zeus Trojan, which records password information on bank accounts and immediately texts it to the hackers. As noted by FBI Executive Assistant Director Shawn Henry, any faction carrying off such an elaborate heist had to be well-organized and well-structured, with “many people operating in unison, in a collaborative way.”[xxiii] Unfortunately for the victims, Eastern European mobs seem to do that quite impressively.

U.S. President Barack Obama’s White House has pushed for greater efforts at enhanced cybersecurity for the country, creating positions for expert advisors and emphasizing the importance of the issue with regard to national security. In 2012, public and private organizations finally began to place a premium on finding better ways to protect systems against further—or more devastating—cyberattacks.[xxiv] In a recent conference on Financial Crime Prevention, Richard Webber, the chief of the Internal Revenue Service’s (IRS) Criminal Investigation Division, insisted that the only way to effectively combat what he calls this “renaissance of fraud” is a collaborative effort between the IRS, U.S. law enforcement, and private organizations – particularly those financial institutions typically targeted by transnational hackers, such as banks with significant amounts of online transfers or large accounts.[xxv] Webber recognized that the United States is taking steps in the right direction; the Joint Terrorism Task Force, for example, has been relatively successful at bringing together several different government organizations to prevent continued terrorist financing.[xxvi] The U.S. Department of the Treasury’s Financial Crimes Enforcement Network has worked to prevent, investigate, and combat TOC networks that engage in financial crime, including online transfers, money laundering, and fraud schemes; the U.S. is also a member of the inter-governmental Financial Action Task Force, which works international to combat money laundering, terrorist financing, and other financial crimes.[xxvii] Additionally, the United States has stationed agents from the FBI, U.S. Secret Service, and Drug Enforcement Administration in Romania, where they collaborate with local police to root out Eastern European mobs engaging in cyber and organized crime; these efforts have led to over 100 arrests.[xxviii]

U.S. legislation and information awareness campaigns championed by the current administration further encourage private firms to step up their own security systems, and many organizations are beginning to heed such warnings. In particular, the financial community’s risk management tactics have begun to mature as attack frequency and sophistication increase.[xxix] Too often, though, U.S. organizations—public and private—wait to act until after someone exposes the organizations’ weaknesses by stealing U.S. citizens’ information or money. Last month, an international hacker breached South Carolina’s government-controlled networks to access tax returns of residents dating back to 1998.[xxx] On the returns, such sensitive material as social security numbers, addresses, and bank account information remained unencrypted, so the identities and wealth of anyone who worked or lived in South Carolina between 1998 and 2012—an estimated 3.6 million people—were compromised.[xxxi] Though the incident focused nationwide disbelief and outrage about lax security on the South Carolina government, Governor Nikki Haley noted that the state’s policy regarding protection of such information was in line with that of major banks and other municipal and federal governments, stating, “[the] industry standard is most Social Security numbers are not encrypted. A lot of banks don’t encrypt…it’s very complicated. It’s very cumbersome…”[xxxii]

That may sound absurd in light of the potential consequences, but Governor Haley has actually summed up the problem quite succinctly. While security-savvy advisors advocate heavily for data encryption, the process is time and cost intensive.[xxxiii] Smaller organizations skimp because they cannot afford it; larger ones do so because they believe their expensive security is already good enough, and that basic firewalls protect their data. CFOs infrequently agree on the value of additional security until their companies have suffered a malicious attack.

In the wake of the South Carolina breach, Governor Haley, who herself has previously been a victim of identity theft, improved the state cabinet’s cybersecurity to real-time computer monitoring under constant supervision of four full-time employees—an aggressive strategy that many security consultants believe banks and governments worldwide should embrace.[xxxiv] Tom Kellermann, Vice President of Cybersecurity for Trend Micro, believes that the only secure way forward is continuous monitoring. As he explains in a recent report, traditional cybersecurity defenses focus on creating programs that respond to specific threats. But, like any virus, virtual ones are constantly evolving and new versions can easily slip past old defense mechanisms. Continuous monitoring requires that a firm be more aware of its own weaknesses and may be a method that can “bridge…military-type assessment programs, civilian standards, and risk assessment paradigms.”[xxxv]  When questioned, Kellermann insisted that “the future of cybersecurity will be grounded in continuous monitoring and increasing the level of our adversaries’ discomfort so they no longer attack and/or remain persistent within our networks.”[xxxvi] 

“The hand,” as Governor Haley calls her new continuous monitoring system, was an expensive investment. Though it has been partially funded by a $160,000 grant from the Department of Homeland Security, it will require further personnel costs out of other South Carolina state agencies’ budgets.[xxxvii] In addition to the unprecedented technological upgrades, Governor Haley has publicly stated that she wants the perpetrator of the breach “slammed against the wall” and “just brutalized.”[xxxviii]  Though parts of Governor Haley’s response may seem extreme, experts agree that the security environment will continue to deteriorate and that U.S. organizations need to make the appropriate changes or expect hard hits. When asked about the implications of and lessons learned from Operation High Roller—the heist that resulted in a $78 million loss earlier this year—Vincent Weafer, senior vice-president of McAfee Labs, said:

“[everyone] from governments to large enterprises, small business and home users are facing a wider range of digital threats from these forces, as they gain more actionable intelligence on their victims, and leverage the newest attack platforms and exploits tools to launch their campaigns.”[xxxix]

In other words, Governor Haley might have the right idea. TOC networks posed a serious danger to the United States and the international community even before the exponential globalization of the past few years. With the advent of these increases in type, sophistication, and scale of online financial crime by such groups, U.S. organizations—public and private—absolutely must accept the responsibility to implement more effective security provisions in order to survive. As Assistant Attorney General Breuer concluded in his testimony

“today’s criminals can remotely access the computer systems of government agencies, universities, merchants, financial institutions, credit card companies, and data processors from thousands of miles and many international borders away…”[xl]  

Butch Cassidy and John Dillinger could be physically prevented from carrying out their robberies by banks who changed out their safes, installed better security, or even employed brute force. However, these old methods will not stop the virtual villains of online financial crime. Today’s criminals are online, and the only effective strategy going forward will be to enforce policy that evolves with them.