Do you know how to report a computer crime? Or even who you would report it to?
We looked at unauthorised email account access in the first of our series of articles on how to report a computer crime. Now we turn our heads to malware by email.
We’ll look at what offences are committed in different countries when a crime like this happens, how you should report the crime, and what evidence you can preserve.
Take this scenario:
Andre receives an email with an attachment. The subject line indicates the attached file is a short movie of an A-list celebrity in a state of undress.
Andre is a fan of the celebrity purported to be the subject of the movie so he opens the attached file. It is in fact a variant of Troj/Poison malware.
Andre has an anti-virus application installed, but receives no alert.
The malware, when run, displays an error message which states that a codec is missing and that the movie cannot be played.
Andre gives the matter no further thought and takes no action. He has, of course, inadvertently infected his computer with malware.
The resulting infection compromises the security of Andre’s PC and opens a backdoor connection.
Two days later the malware is detected by Andre’s anti-virus software when the signatures are updated.
A cybercriminal who is a member of an underground forum had purchased a copy of the Troj/Poison backdoor malware kit.
The cybercriminal compiled his own Troj/Poison malware executable and distributed it via a list of email addresses, including Andre’s, that he paid for on the forum.
The cybercriminal disguised the malware as the celebrity movie in order to lure victims to run his Troj/Poison variant and distributed the malware by spamming it to the bulk list of email addresses he acquired.
The cybercriminal had no particular victim in mind; his intent was to lure as many victims as possible.
What was the offence?
We can break it down like this:
- The cybercriminal performed an unauthorised act in relation to a computer. It is unauthorised because he did not have permission to install the malware on Andre’s computer, and had Andre known he would not have consented to the cybercriminal’s action.
- The cybercriminal knew that his activity was unauthorised.
- The cybercriminal intended to impair the operation of Andre’s computer by installing a backdoor on it, defeating its security.
The legal bit
We’ve focused on the UK, USA, Canada and Australia. Each country has its own legislation, but the relevant statutes generally exist to cover the same offences.
In the UK, most computer crime falls under offences covered by one of three pieces of law:
Other associated crimes could include Conspiracy or Money Laundering offences, but victims of computer crime are more often than not affected by at least one of the three acts listed above.
In this case, the cybercriminal commits an offence of an “Unauthorised Act with Intent to Impair”, contrary to Section 3 of the Computer Misuse Act 1990, committed when an offender modifies a computer with intent to impair the functionality of that computer.
In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers.
This is what the cybercriminal contravened when he disseminated the malware-filled email.
The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:
- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud
In this case, both Section 342.1 Canadian Criminal Code (CCC) – Unauthorised Use of a Computer – and Section 430(1.1) CCC – Mischief in Relation to Data (damaging data) – were contravened.
Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.
The primary pieces of legislation for computer offences are the Summary Offences Act 1953 (SOA) and the Criminal Law Consolidation Act 1935 (CLCA).
Reporting the crime
In the UK, when a crime has taken place it should be reported to the police, so Andre should go to his local police station to report it.
A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU), which provides the UK’s investigative response to the most serious incidents of cybercrime. The PCeU requests that routine reports of computer crime offences are not made directly to it.
There is also an alternative reporting body for internet-enabled crime: Action Fraud.
Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.
In the USA, the Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).
Two Federal LEAs have a remit to investigate some computer crimes:
- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)
In this case Andre should report the crime to his local FBI office, the US Secret Service or the Internet Crime Complaint Centre.
The Royal Canadian Mounted Police (RCMP) is the main agency for the investigation of offences under federal statutes, but it also has policing responsibility for a number of the Canadian provinces and all three territories, as well as providing some local police services in towns and cities.
A computer crime victim, like Andre, should report their incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.
Andre should report the crime to the Australian State or Territory Police.
Investigation policy differs from state to state, but the Australian Federal Police website offers a guide on whether a given crime should be reported to State or Territory Police.
Preserving the evidence
Andre may want to consider preserving the original email he received, and any anti-virus alert log that was generated as a result of the infection.
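As an added example (not from the original article), the following Python script shows one way that evidence could be preserved without altering it: the raw message is hashed byte for byte, and its header trail and attachment details (name, type, size, SHA-256) are recorded in a manifest that can accompany the crime report or be given to the anti-virus vendor. The sample message, addresses and attachment bytes are constructed placeholders.

```python
"""Preserve a suspicious email as evidence: keep the raw message unchanged
and record its hash, header trail and attachment details in a manifest."""
import base64
import email
import hashlib
import json
from email import policy

# Constructed stand-in for the attachment (not a real executable, just bytes).
PLACEHOLDER_ATTACHMENT = b"constructed placeholder, not a real executable"

# Constructed sample message; addresses, names and Message-ID are hypothetical.
RAW_EMAIL = (
    b"Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    b"\tby mail.victim.example for <andre@victim.example>;\n"
    b"\tMon, 01 Jan 2024 10:00:00 +0000\n"
    b"From: \"Fan Club\" <news@example.net>\n"
    b"To: andre@victim.example\n"
    b"Subject: Leaked movie!\n"
    b"Message-ID: <constructed-0001@example.net>\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"B1\"\n"
    b"\n--B1\nContent-Type: text/plain\n\nCheck the attached movie.\n"
    b"--B1\n"
    b"Content-Type: application/octet-stream; name=\"movie.avi.exe\"\n"
    b"Content-Disposition: attachment; filename=\"movie.avi.exe\"\n"
    b"Content-Transfer-Encoding: base64\n"
    b"\n" + base64.b64encode(PLACEHOLDER_ATTACHMENT) + b"\n--B1--\n"
)


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest, used so the recipient can verify the copy they get."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(raw: bytes) -> dict:
    """Describe the message for the report; the raw bytes are never modified."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        # decode=True undoes the transfer encoding so we hash the real bytes
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256(payload),
        })
    return {
        "raw_sha256": sha256(raw),          # hash of the untouched .eml
        "message_id": str(msg.get("Message-ID", "")),
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "received": [str(h) for h in msg.get_all("Received", [])],
        "attachments": attachments,
    }


if __name__ == "__main__":
    # In practice RAW_EMAIL would be read from the saved .eml file.
    print(json.dumps(build_manifest(RAW_EMAIL), indent=2))
```

Keep the original .eml file alongside the manifest; the hashes only have value if the file they describe is never edited or re-saved by a mail client.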
Andre should run a malware removal tool to identify and clean up the infection. (Sophos does a free Virus Removal Tool which does just this.)
As the effects of different kinds of malware vary considerably, he should also talk to his anti-virus vendor for advice on any other remediation he should perform which is particular to the kind of malware he has.
In future, Andre should always exercise caution when downloading attachments from emails that he is not expecting.
He should also always make sure his anti-virus signatures are kept up to date, and that his operating system and applications are patched.
In general, it’s important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.
If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will not be a true reflection of the number of crimes taking place.
The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.
We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.
All of the scenarios are made up and the characters depicted bear no resemblance to any person.
Naked Security gratefully acknowledges the assistance of the following organisations in preparation of this series of articles:
UK Police Central e-Crime Unit
United States Federal Bureau of Investigation
United States Secret Service
Royal Canadian Mounted Police
South Australia Police
10 comments on “How to report a computer crime: malware by email”
Also in the USA an online complaint filing method:
"Welcome to the IC3"
"The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C)."
In the USA, the IC3 doesn't directly investigate these crimes themselves. Instead they will report them to the agency that they feel is best suited to investigate the crime. This is what their site's "homepage" said when I checked the site out for myself.
As a retired LEA, I wish you would follow up with the average time you should wait before an attempt to re-contact and find out if anything has or will be done.
This is a big point to victims that report an incident and never receive any indication that anyone even looked at the report or followed up on the violation. Every violation should receive a reply; we pay for these investigations and we should receive word on whether anyone is prosecuted and whether we can be present for the trial or punishment stage. Some people, when I was an officer, rarely reported computer crime, and we had only one person who worked that area, and that was usually a crime where the evidence was on their personal computer. I don't ever remember hearing about a crime of malware or sorts being reported and what is done about it.
A word from each of the UK, Canada, USA and Australian LE officials via Sophos to us about how they proceed with the investigation would be of great help to many of us about what to expect or not to expect anything?
If you call the local police in Canada, they will tell you to go to a technician to get your computer cleaned. End of the story. You cannot expect police to take this seriously here. This is the real picture no matter how many law articles could exist about this. It might be the same elsewhere.
Good luck getting the state police in Australia to do anything. They can't be bothered investigating non-computer related crime like property theft and fraud so getting them to act on computer crime seems pretty unlikely.
I took my computers to a repair technician after I'd suspected that a person with whom I'd corresponded via Hotmail was hacking my computers. The technician told me that, during the week he had my computers, he had removed "a lot of malware" by repeatedly running my antivirus program on them. I took my computers home and over the course of the next three to five months, I gradually realized that the hacker was still hacking them (e.g., the hacker had posted my newest private documents on Facebook, and more). At that point, I ran my antivirus programs like crazy in the (I now realize mistaken) belief that the programs would delete the hacker's spyware. So, I paid another technician to remove the hacker's spyware. That technician, like the one before, ran my antivirus program a couple of times and did nothing more. What happened after that? Yes, you guessed it; the hacker was right back to hacking my computers.
So, I finally told a computer-savvy friend of mine what was happening to me and my computers. My friend advised me to flatten and rebuild my hard drives – in other words, to clean wipe my hard drives and then reinstall my OS and all of my programs via their original sources (e.g., manufacturer's websites and Microsoft-issued CDs). Once I did so, the hacker wrote a cryptic publicly-viewable Facebook comment that he had just lost access to something (hopefully, he was referring to my computers) and since then he has no longer posted my new private documents on Facebook (or elsewhere).
For good measure, now I typically use three passes to overwrite my deleted data so that it is not recoverable before I do a flatten and rebuild. (Some people use DBAN, which I've never used. Macs also have a built-in equivalent.)
Bottom line: Don't trust computer repair technicians. Fix it yourself. Flatten and rebuild your hard drives by yourself. The process is easy and free but time consuming; it might take up to 24 hours to clean wipe a PC (mostly because of the Windows Updates) and up to 15 hours to clean wipe a Mac. But you will have peace of mind knowing that your computer is clean.
Unfortunately, a very small percentage of computer "technicians" are experts in their field. Running only 1 or 2 types of anti-whatever to find modern malware is a pretty ignorant approach. One needs to do some digging. When one knows where to look, it is not so difficult to remedy the problems. There are tools like GMER for rootkits (others, too). The system eventlogs can contain important clues. Software like Silent Runners can help. Wiping the drive and reinstalling the OS is almost never required. If you made backups of your data and configuration, then how do you know whether or not that data is clean? In my opinion, wiping a drive and reinstalling the OS is a way to attack the symptoms without finding out what the real problem was.
In the long run, the proverbial "ounce of prevention" is worth more than given credit for, when it comes to computer security. Any/all internet related activities should be run from within a sandbox. That way, even if malware penetrates, once the session is closed it is gone.
Nice article with some possibly useful info; unfortunately the infection scenario at the beginning does not work. The writer has confused the phishing attempt with the actual infection vector and thus described a successful deflection of the infection instead. i.e.
The usual phishing attempt of sending a video out as an attachment (no longer much used) is one where the video is just that, a video. The trick is that some video files have metadata that describes the codec needed to play them, and if your machine lacks that codec, and you are using Microsoft Windows Media Player (an older version), then it will follow the metadata link blindly and install the codec for you. It is this codec that is the real malware and opens the door for whatever the sender wants to add later.
So in the scenario given the recipient was not using an older version of WMP and was just told there was a missing codec: no download, no malware, NO infection.
That is not to say that this is the only form of attack or that others seem less innocuous, so for everyone reading out there, here are some simple rules:-
"If you didn't go looking for it (software, codec, anti-virus tool) and it is offered to you from an untrusted source, don't go get it"
"The only way to provably remove malware (and household germs) is to wipe clean all places where it could possibly hide" – That means the whole hard drive and, potentially, with the latest PCs the BIOS and graphics cards too, though those last two will need a professional.
For the purpose of this comment, I will be focusing on the parts regarding Canadian approaches and laws on cybercrime. Malware by email can be infectious and dangerous to the user’s computer, as well as many others. Malware is a type of software used to gain access to information or programs on a computer system. As in the scenario proposed by the article, Andre was a victim of malware through his email. When an individual opens an email that contains a malware program, the computer becomes infected and the hacker has access to the computer. In Andre’s case, the hacker chose to expand his malware software to his email contacts.
Canada has laws and techniques for dealing with crimes like the one in Andre’s situation. The Canadian Criminal Code, as mentioned in the article, is one way of dealing with a crime. Unfortunately, targeting where the cybercriminal is located is a difficult task to accomplish. Also, attacks on computers can come from anywhere in the world, which makes it difficult to punish an offender. It is very important to report any type of cybercrime so that authorities can track vicious and repeated offenders, but action with regards to punishment is often difficult to carry out.
For individuals reading this article and wondering what they can do to protect themselves from malware through emails, I have listed a few suggestions below that are not time consuming and are quite simple.
1. Try to avoid filling out information through emails. Emails are one of the most common places for hackers to attain your information. If you are purchasing something online, or signing up for an account on a website, make sure to compare the links you are being sent with the website, especially if you are confirming a transaction. Often hackers will send you an almost identical link to a website in order to get your information.
2. Avoid clicking emails that redirect you to a store, because hackers will often create websites that look legitimate but are not. If you receive an email that you are interested in, then make sure to access the store’s legitimate website or go to the actual store.
3. With regards to the above statement, if you receive an email from a site you have not signed up for, or one that you have never heard of, and they are selling a “good deal”, often it is too good to be true. Hackers try to make the offer look very desirable in order to draw you into handing over your information. Stay away from these types of emails.
4. Change the passwords to your emails often and make sure that they are creative. Try to avoid using important information like phone numbers, house numbers, etc. Also try to make sure that your passwords are different for each account. If your password is the same for all your accounts, then a hacker has an easier job of attaining access to more of your accounts. Include a variety of characters, numbers and capitals within your password to make it more difficult to hack.
5. As mentioned in the article, make sure that you regularly update your anti-virus programs. Malware (like viruses, worms, Trojans and spyware) can do a lot of harm to the data on your computer. Regular updates will help keep on top of the latest methods hackers have been using. If you fail to update your anti-virus software, there is a greater likelihood that a hacker can gain access to your computer data.
6. And lastly, also mentioned in the article, avoid clicking on unknown attachments or downloads in emails.
Due to the lack of confidence in our criminal justice system, often victims of cybercrime do not feel the need to report crimes. This can be due to a variety of reasons, like embarrassment or lack of confidence in the criminal justice system. As the article stated in its conclusion, it is still important that all computer crime is reported. Reports contribute to crime report intelligence that can help authorities with other investigations, especially if there is a connection between similar cases.
People do not realize the importance of applying these protection methods in order to avoid issues like identity theft, fraud, hacking of social networks, etc. With crime shifting to the cyber world, it is even more important to address these issues and make sure individuals are aware of ways to protect themselves from being a victim of cyber crime. The cyber world has been made a more desirable place to commit crime within the past decade due to its anonymous characteristics as well as the amount of people criminals can access all over the world. Since law is typically weak with regards to punishing crimes in the cyber world, it is extremely important that individuals educate themselves and others in order to protect their personal information and data on their electronic devices.
On that note, I conclude that the general public, as well as our criminal justice system, has to be updated with the issues regarding cybercrime. Often, crimes dealing with computers go unnoticed by the user. More precautions have to exist in order to prevent these crimes from occurring. Canadians are not aware of the vulnerability the internet can cause, especially when dealing with personal information.
Interesting article with comments. I do not know why there isn't a straight "report this malware or whatever" command on the window of the spam page; surely this could be a deterrent to the cybercriminals.