UK cybercrime investigator and Sophos consultant Bob Burls has been on the inside of some of the biggest law enforcement takedowns of the last decade. Speaking with Naked Security, he says that, while investigators are getting better at what they do, cyber crooks are too: creating smaller and more efficient malware and focusing, more than ever, on a big score.
Burls, a retired Detective Constable with the Police Central e-Crime Unit for the UK's Metropolitan Police, said that he has seen malicious code become smaller, more efficient and more focused on economic crimes in more than a decade as a cybercrime investigator.
"It used to be pure pwnage," said Burls, who started his career as a cyber crime investigator in 2001 for the then newly-formed National High Tech Crime Unit (NHTCU). "In the old days it used to be 'We own you because we can.' Now it’s mainly financially motivated."
Burls has worked on some of the most prominent cyber crime crackdowns of the past ten years.
In 2006, he was part of a joint UK-Finnish operation, dubbed "Operation Kennet," that took down the m00p virus writing group, which was responsible for a wave of email-borne virus campaigns. Using clues buried in the malware created by the group, investigators found clues that led them to the malware author and botnet operators.
In joint raids, police arrested a 23 year-old career criminal in Finland, Artturi Alm, and a Matthew Anderson, a 33 year-old father from Drummuir, Scotland who used the online handle "Warpigs."
Burls said that the typical image of a computer criminal is of a young man with pallid complexion, dressed in black and hidden away in a dark room. But that's not the case. "It's a mistake to believe that," Burls told Naked Security. "These people could look like you or me."
Working on some of the UK's biggest computer crime cases, Burls said that criminal malware has become far more sophisticated and stealthy in the last decade. Early malware variants, such as Troj/TKBot were enormous by comparison with today’s modern malware Burls recalls.
"There was an IRC client component with an FTP server packaged together with scripts," he recalled of Troj/TKBot, which was the creation of a UK-based hacking group called "Thr34t-Krew" and spread by exploiting a hole in Microsoft's IIS Web Server.
Over time, however, malware authors figured out how to distil their creations into single, efficient binaries such as 2004's W32/Agobot.
Burls said the sophistication of modern, data stealing programs is astonishing.
Attackers no longer need to rely on victims' opening malicious email attachments to get a foothold on their machines. Instead: exploit kits coupled with compromised websites can deliver a malicious payload without any user interaction.
And malware has gotten more aggressive in vacuuming up sensitive information in order to turn a profit for the malware authors, he said.
"When you seize a Zeus Command and Control server reconstruct and examine it, and you see the amount of data that it has gathered and how invasive it is, it's simply breathtaking in detail. You're talking about passwords, email addresses, seeing what the victim bought online, phone numbers he or she uses and key stroke logging, as well as harvested financial account information."
The sophistication of the criminals behind the malware isn't always as impressive. Alm, the Finnish cyber crook arrested in connection with the m00p malware, famously embedded his government id number in the malware he created, and tattooed his online handle, "Okasvi," on his arm.
Similarly, law enforcement has greatly improved its cyber investigative capabilities in the last decade.
When Burls started his cyber investigation career, the UK had no centralized computer crime force. That changed with the creation of the NHTCU, which Burls joined in 2001 as a Network Investigator before moving on to the prestigious Metropolitan Police Computer e-Crime Unit (PCeU)in 2004.
"I think one of the biggest challenges is still the multi-jurisdictional nature of the internet," he told Naked Security. "The first malware case I dealt with involved people in both the UK and across US who had never actually met. Yet they formed an online group and created an internet worm," he said.
"It's the nature of the internet to make information accessible to all," Burls said. "But that can make it difficult to investigate these cases. For example, a group of criminals can be resident in different countries, and their infrastructure located in other jurisdictions where different laws apply."
And the barriers aren’t merely legal.
"Something as simple as time zones can have an impact and need to be factored in, during a case," Burls said. "An investigator who you are working with may be eight hours behind you or ahead of you, so just finding time to talk needs consideration. Cybercrime investigations are complex and more than just email communication is needed."
After years of working alongside his counterparts in the anti malware industry, Burls said he joined Sophos as a consultant to lend his law enforcement experience to the job of researching cybercrime.
"The data sets that Sophos has are vast," Burls said. "I think I can bring my investigative experience to bear on that. It is a very exciting opportunity."
Asked to give Naked Security readers advice about how to avoid being the victim of a cyber crime, Burls said that he sees user awareness of security issues growing, but that popular misconceptions can still leave consumers vulnerable to attack. It’s vitally important to be vigilant as well as keeping both your operating system and critical applications like your web browser patched and up to date, he said.
"People think 'Windows Update ran, so I'm safe.' But they don't realize that perhaps they may be running an out of date version of an application - leaving them vulnerable to exploits." he said.
Timezone clocks image from Shutterstock.