It’s crunch time for cybercrime

In a dawn raid in July 2002, hi-tech crime units in seven countries arrested 46 members of an internet paedophilia ring called the Shadowz Brotherhood, with six men arrested in the UK. As a consequence, the National Hi-Tech Crime Unit (NHTCU) successfully shut down 244 paedophile sites and rescued children involved in real-time abuse.

It was one of the unit's most spectacular successes since its formation in 2001. The operation required dogged investigation by the unit's staff, since the members of the Shadowz Brotherhood used sophisticated encryption to communicate and tried to cover their tracks.

"It's really satisfying when we're able to neutralise the threat that some of these groups pose," says Detective chief superintendent Len Hynds, head of the NHTCU. "It was primarily because of our ability to share intelligence between our counterparts in other countries, and as a result, we put the jigsaw together."

A quarter of the unit's work is with internet paedophilia, which can be harrowing for the staff who need to view the torrent of offending images that swarm on the internet. The psychological burden is heavy. "All of my staff likely to come into contact with child abuse have to have compulsory sessions in a psychologist group session," says Hynds. "We also offer one-on-one sessions, if they wish, without the knowledge of the management team. That process has been embraced, and I think it's healthy they've taken it on."
But the work is changing. Although paedophilia remains a huge problem, the unit now face new challenges as organised crime goes online.

The NHTCU says e-crime in the UK costs companies billions. Organised crime has taken traditional activities – extortion, blackmail, identity theft – and transferred them to the cyber world. "Organised crime is increasingly becoming involved in hi-tech crime," insists Hynds. "And to be honest, we're holding our own. This is one occasion where law enforcement got ahead of the game. We've been established for three years, and we're not chasing the phenomenon, we're meeting it head-on.

"There are people in organised crime who believe they are completely and utterly above the law, and think they've got the technology sewn up in such a way that they've got complete security and anonymity. There are a lot of cases where that simply hasn't been the case. It's particularly satisfying when my people pit their wits against those who believe that they are technically more proficient."

The NHTCU is located in an anonymous-looking, well-guarded location in London Docklands, with 43 computer crime centres at local police stations. Its 60-plus employees focus on areas such as the online drug trade, malicious computing and extortion.
"We're learning a great deal about the way organised crime is identifying vulnerabilities in IT and offering to 'fix' it for a fee," says Hynds. "We're also seeing action taken on the online leisure and betting industries, and organised crime threatening to deny service to their websites if they don't pay up."

In its 2003 research, the NHTCU found that 83 per cent of UK companies experienced e-crime. Of the 201 organisations surveyed, 167 experienced £195 million worth of damage – £121 million of which was financial fraud. Three financial companies lost a total of £60 million, mostly due to identity theft.

Last year, we saw the emergence of a new scam, when identity-theft emails (phishing) caused problems for companies, particularly banks. APACS, the mouthpiece for the banking industry, claims that fewer than 100 individuals lost money from the fraud in 2003, but experts say phishing is making bigger waves than official figures show. The Anti-Phishing Working Group, for example, claims that phishing attacks rose by 50 per cent in January. John Lyons, crime reduction coordinator for the NHTCU, thinks phishing is a big obstacle for businesses.

"Clearly, phishing is an issue for all the banks and users," he says. "The most alarming thing [in the survey] was the level of fraudulent crime on the internet. Identity theft tends to be a [method] to carry out the crime, but doesn't necessarily attract a financial figure. It's what you do with that stolen ID that leads to the crime happening in the first place."

He does not blame the banks for their reticence on the matter. "It's reasonable that the banks would not disclose the numbers," says Lyons. "Their client base is being socially engineered to give away PINs and passwords. Criminals involved in exploiting the weaknesses of the public are the people we are seeking to bring to justice. The issue is that there is a lack of awareness among users, and we need to address that by education."

The banks' silence highlights a problem for the NHTCU – getting people to talk. Some businesses submit to threats because they are scared of losing business. So the NHTCU makes full use of a confidentiality charter introduced in 2002 which protects the identities of those reporting intelligence. As a result, say Hynds and Lyons, investigations have little effect on business continuity.

"We work so our investigators have the least effect on the business," says Lyons. "We don't take 20 staff at a time off for questioning. We don't rope off servers and walk out of the building with them because we need to image the disks. We can carry out those activities in line with the business requirements. I think we do that quite well. People have been very surprised by our sensitivity to the commercial realities. What is the point in causing more damage in the investigation than in the attack itself?"

"Being offline affects businesses," adds Hynds. "It costs a significant sum of money. Where we've been called in, we've proved our worth. We've been there to ensure the targets are arrested."

The unit's intelligence network is expanding globally and Lyons emphasises the importance of making allies of e-crime victims. He says good relationships are the best way to fight e-crime.

"I think there are a number of ways to [fight crime]," he explains. "One of the elements is building close partnerships with the victims. A key part of my work is getting out there and building relationships with people in business whose job it is to secure assets. We don't want to over-hype the issue, but we do want to alert businesses to the level of threats."

Policing the internet involves sharing information with other hi-tech crime units. Tracking the movement of money has proved to be one of the simplest, most effective ways to find criminals.

"The money has to go somewhere," says Hynds. "We work with businesses to trace the money, but we've got some good links with counterparts in eastern Europe. We're working with them to identify people behind these scams and to track back to their assets. We've run somewhere in the region of 40 operations this year and the number of arrests is up over 100. That's just the NHTCU. In addition, you've got the computer crime units across the country within the local enforcement that we've been able to assist. Put these things together and I think we've been very effective."

Along with other security staff, Lyons thinks companies must expand their view for security. "If companies implemented all the BS7799 standards, that's a very good start," he says. "But it's not just a question of looking to the IT department. There needs to be more security education for staff. Everyone is responsible for protecting the business, at work and at home."

Lyons explains that organised crime exploits physical and digital vulnerabilities. "Organised crime will always target the weakest points in a business and use that chink in the armour to get into the company or subvert someone," he says.

"You can have all the security you like, but if your staff aren't aware of what precautions they need to take in their working lives, it represents a threat to the business that employs them."

Looking forward, Lyons calls for a coordinated effort between business and government. "We would be pleased to see some initiatives coming out of the public and private sectors to address the central issue of user awareness," he says. "It's going to take time to get the message to the general population, but we've got to address that very quickly."