Criminal Comms

Business, Technology December 12, 2012 3:14 pm

Last year, Mexican police raided the drug cartel Los Zetas three times. They weren’t looking for cocaine or marijuana; they were targeting the homegrown radio network that stretches across the northeastern chunk of the country, where the Zetas control drug and migrant smuggling routes. Los Zetas—comprised of former members of Mexican special forces—have been building the system of radio towers and receivers since 2006. The cartels divide up their territory into plazas, each with a boss responsible for buying and maintaining equipment and distributing handheld radios. By controlling their own mobile network, the Zetas can rapidly inform their members about an imminent raid by police or a rival cartel in a controlled and encrypted fashion.

Transmission technology is cheap. The Zetas can easily upgrade and maintain infrastructure, despite the raids. No sooner are masts, transmitters, and receivers confiscated than they are replaced again.

Just as mobile and web technologies have transformed business, education, and society, so too with crime. While communications channels do not cause illegal activity, they bring new opportunities for crimes to be committed cheaply, remotely, and anonymously. Technology has democratized crime.

Criminals have always been early adopters. In 1986, Time ran an article, entitled “Street Smart: Drug Dealers Turn on to Beepers”, about Detroit drug dealers using pagers to keep in touch with clients. At the time, the only other people using pagers were doctors. It took another decade for beepers to become mainstream.

Today, communication technology is ubiquitous: people are more likely to leave their wallets at home than their cell phones. The connected have outsourced their brains to search engines, real-time data feeds, and social media. It has never been simpler to access information and services from across the world, no matter how niche. But constant connectivity leaves us vulnerable.

As “future crimes” expert Marc Goodman explained at TEDGlobal this year: “We consistently underestimate what criminals and terrorists can do. Technology has made our world increasingly open, but all of this openness may have unintended consequences.”

He describes how the terrorists who carried out the 2008 attacks in Mumbai were armed not just with heavy artillery but also mobile phones that kept them linked to a control room 550 miles away in Karachi, Pakistan. The hub was equipped with four laptops, two televisions, Wi-Fi, and a satellite phone. This allowed commanders to stay in touch with foot soldiers over VoIP (Voice over Internet Protocol) networks while monitoring live news and social media, giving instructions on whom and when they should kill. Prior to the attacks, the gunmen used Google Earth to familiarize themselves with target hotels. The result: 166 people were murdered over three days.

Stalk the Talk

While Radio Zeta and Mumbai terrorists captivated the global media, less dramatic crimes make regular use of “consumerized” apps and services.

“People will use the easiest routes when it comes to committing fraud or crime,” explains Ryan Rubin, who leads consultancy Protiviti’s security practice. “There are some fantastic technologies available, but a lot of the time people are using the standard tools available but in a different way.”

For example, burglars harness social media tools such as Facebook, Twitter, and Foursquare to determine when to target a home. In an attempt to raise awareness about over-sharing, websites PleaseRobMe.com and ICanStalkU.com cull this publicly available information and plot it on a map. Other applications, such as Creepy and Girls around Me, provide the same service—but without the social mission.

The tech savvy know how to change their settings to boost privacy. But as more communication platforms emerge (and existing ones like Facebook continually shift their privacy settings), it’s increasingly difficult to keep up. A battle continues between techie criminals seeking to exploit vulnerabilities and potential victims.

Attackers involved in 9/11 evaded surveillance simply by not sending emails. Instead, they used webmail services to draft notes and shared login information with co-conspirators, so they could read messages, add to them, and resave for the next viewer.

“Far too much security reporting concentrates on the new and exotic,” says Richard Clayton, a security researcher at Cambridge University. “In practice, most of the criminals are doing boring old email or running botnets [a malware-infected network directed by a controller] just like they were in 2001.”

What’s different now, Clayton explains, is that “if you want to be a bad person you don’t have to be a computer science expert. You can hire time on a botnet, buy off-the-shelf malware and customize it, and pay for servers to send out your spam.”

Tech-crime is open to the general public.

Wising Up

All hope is not lost. The same easy-to-use tools that arm the bad guys can also fight them. Forums with nefarious intentions are just as common as forums offering advice and notifications about the latest cons. A simple Google search can advise if it’s safe to click that link or what to do if you already have. With improved awareness, it’s hard to imagine anyone falling for a “Nigerian prince” email scam these days. The problem is keeping pace with technological change.

As cell phones become smarter and access services like banking and mobile payment, their appeal to criminals grows. It’s no longer the hardware they’re interested in but the data and payment capabilities. The same people who wouldn’t dream of surfing the web on their PCs without antivirus protection don’t think twice about doing so on their phones.

By planting malware in a seemingly innocuous app (for example, a knock-off Angry Birds), crooks can take control of victims’ mobile phones. Once inside, they can intercept communication between apps to glean PIN codes and passwords or use the phones to call premium numbers they own, charging as much as USD 5 per minute. This way, tech-criminals steal small amounts of money from large numbers of people.

This strategy repeats itself in the realm of international calls. Fraudsters exploit the difference between international and local rates by routing calls through the Internet (VoIP) to a network on the other end, so it’s treated as domestic traffic. But the tech-criminals record the calls as international traffic and collect the extra fees. The routing device, called a GSM VoIP gateway, or SIM box, connects thousands of local SIM cards to the Internet.

One mechanism for SIM box fraud is selling long-distance calling cards overseas, which channels all calls through a specific number. The call then passes over the web and ultimately appears domestic. The technique is complex and illegal, and it deprives the operator of payment. It’s also very difficult to detect—and costs operators roughly USD 3 billion per year.

That’s why Andy Gent founded Revector, a security company that specializes in detecting SIM boxes and other forms of mobile network fraud. SIM boxes, he says, create a black market for airtime:

“Say you are BT [British Telecom], and every month you have one million minutes you need to send to Australia, which you do via Australia Telecom. One month you are short, so you go out in open market and buy them. Bundled into the stuff you’d buy on the open market will be grey minutes—SIM box minutes. There might be a gang who sells it to another, who sells it to a reseller, who sells it to another seller who bundles it in with legit minutes and sells to an international phone network.”

One of Gent’s raids in Haiti stopped an illegal SIM box operation costing an operator more than USD 750,000 per month in lost revenue. Each SIM can generate 10 cents per minute for more than 20 days a month, costing operators up to USD 3,000 per SIM per month. Revector knows of networks with 300,000 illegal SIM cards working simultaneously.

Gent believes some hackers see this as preferable to other criminal activities. There’s no violence and no obvious victim (except international phone operators, but it’s never clear who loses out), and the money quietly ticks over.

“If they’ve been involved in drugs, they might see this as an easy option. It is illegal, and you can be prosecuted, but it’s a bit of a white collar crime.”

No business is more “white collar” than high-frequency financial trading. And while investment banks invest heavily in securing their networks, they have an Achilles’ heel in the shape of their GPS (Global Positioning System) receivers.

All global financial exchanges rely on GPS signals for timestamping trades. So banks usually have GPS antennae on their buildings. A profiteer might direct a “GPS spoofer”—a device that mimics the signals usually sent from the satellite—toward the antenna to manipulate the time signal.

Many exchanges, such as the New York Stock Exchange (NYSE), have additional time-keeping systems that detect time shifts as small as one twentieth of a nanosecond per second. Yet Todd Humphreys and colleagues at the University of Texas discovered that one commonly sold GPS receiver is incapable of detecting GPS spoofing attacks that shift timing by less than 100 nanoseconds per second, which leaves room for massive takes on financial transactions.

Automated trading systems are designed to look for inexplicable market behavior. If they notice something anomalous like timestamps that don’t match up, they’ll back out of the market. It was this sort of anomaly that caused the 2010 “Flash Crash of 2:45”, where an algorithm sold 75,000 stocks with a value of USD 4.1 billion in just 20 minutes, causing other super-fast trading algorithms to follow suit. The Dow Index fell nine percent within minutes.

While there’s no evidence that GPS spoofing has been used to disrupt markets in this way, Humphreys has shown that it’s possible. He’s also experimented with taking control of unmanned aerial vehicles using a spoofing device. Given that some military drones holding missiles rely on GPS navigation, it doesn’t take great imagination to conjure up negative consequences if placed in the wrong hands.

Cat v. Mouse

As our lives increasingly rely on automated systems, sensors, and networks, tech-criminals will take advantage of them—to the detriment of the less informed. The distributed, remote nature of these crimes makes it difficult for law enforcement to keep up.

Rubin calls it a classic cat-and-mouse game, though one lost in constant redux. “Security companies will find a fix, then criminals will find a way around it.”

Clayton points to the difficulties of coordinated policing: “There are no borders on the Internet. Criminals operate online across borders with impunity. We need to work together to deal with criminals more effectively.”

The established international crime-fighting infrastructure is geared up for more traditional vice. “The current legal process makes glaciers look extremely fast,” he says. “It’s designed for catching Dr. Crippen, not someone sending out ransom demands on Twitter.”

But just as technology can be used to commit crime, so too will it be used to fight back. “If things are set up in the right way, we can track, monitor, and audit,” concludes Rubin. “Not that we are always doing that, but we can.”

Photo by University of Texas at Austin