In the first part of this article, we discussed the cyber criminal exploits of Evgeniy Mikhaylovich Bogachev, whose widely deployed malware – GameOver ZeuS (GOZ) – has led to around a billion dollars in losses since it came onto the scene in 2007. And yet despite GOZ's potency as a malicious threat – as illustrated through the example of Patco Construction, a Maine-based construction company whose experience with the malware led to $588,000 being stolen – its creator has not been captured.
Although the FBI has been working for years to track down Bogachev – and has even attached a $3 million bounty to his head – they are still seemingly no closer to nabbing the man behind the malware. When Bogachev's game will truly be over is anyone's guess. What's notable about the Bogachev case, however, is that it doesn't represent a unique situation. Indeed, in our cyber threat world – where hackers are evolving their techniques all the time – the vast majority of cyber crime is going unpunished. Hacking, after all, doesn't take place in the same way that, say, drug dealing or illegal arms distribution does. Whereas those criminal practices have a big physical component – illicit goods are handed off, money is exchanged – hacking takes place in the virtual sphere. Its perpetrators, therefore, are often able to hide behind the cloak of anonymity that the Internet offers. For his part, Bogachev is credited with using different aliases during the peak of his malicious reign – among them "lucky12345" and "slavik." He's not unique in this way. Around the globe, hackers are relying on authority-evading methods to conceal their identity and remain at large – while many of them continue to carry out their criminal pursuits.
Catch me if you can
The $3 million price tag attached to Bogachev makes him the most visible of the world's cyber fugitives. But there are many others who, like Bogachev, continue to dodge law enforcement. Here are some of the biggest names as far as cyber fugitives go – and the tools these individuals have used to launch sophisticated attacks and evade capture:
- Nicolae Popescu: There's no denying that Bogachev has done a lot of bad things as a hacker, but Nicolae Popescu gives him a run for his money. The Romanian hacker is the second most wanted cyber criminal according to the FBI's list, and the United States Department of State's Transnational Organized Crime Rewards Program is willing to shell out $1 million for information that leads to his capture. What makes Popescu such a high-value target is that he reportedly helmed an international fraud effort that led to many U.S. consumers getting targeted, according to the U.S. Department of State. He didn't do it alone, however, as he's alleged to have worked with a man named Dumitru Daniel Bosogioiu, who has a $750,000 bounty of his own.
Between these two men was a massive Internet scheme centered around fake online ads that led to damages in perhaps the millions of dollars. As the FBI explains the scheme: "Criminal enterprise conspirators, based in Romania and elsewhere in Europe, posted advertisements on Internet auction market sites for merchandise for sale. Such advertisements contained images and descriptions of vehicles and other items for sale, but those items did not really exist. Conspirators posing as sellers then negotiated via e-mail with unsuspecting buyers in the United States. These 'sellers' sent fraudulent invoices, that appeared to be from legitimate online payment services, to the victim buyers, with instructions for payment to bank accounts held by other conspirators in the United States. These conspirators opened United States bank accounts under false identities using fraudulent passports made in Europe by other conspirators."
- Shailesh Kumar Jain: Jain is a U.S. citizen, but – like other cyber fugitives – his ties extend across the globe, which doubtless proves very helpful when it comes to living life on the run. Just as his ties are global in nature, so too were Jain's cyber criminal efforts. According to the FBI, Jain was behind a bogus software-selling scheme that led to losses in excess of $100 million. All told, there were consumers in over 60 countries impacted by Jain's effort. Because Jain's malicious scheme took place between 2006 and 2008, he was likely able to take advantage of the broader sense of naivete toward fake advertisements like the ones he put out there with his alleged co-conspirator Bjorn Daniel Sundin.
"Jain and his co-conspirators allegedly deceived victims, through browser hijacking, multiple fraudulent scans and false error messages, into purchasing full paid versions of software products offered by their company, Innovative Marketing, Inc," the FBI stated. "The proceeds of these credit card sales were allegedly deposited into bank accounts controlled by the defendant and others around the world, and were then transferred to bank accounts located in Europe."
Time to mount enterprise defenses
The scary fact of the matter is that the individuals discussed above represent only a minuscule fraction of the cyber criminals currently on the run. The odds are good that if you're a hacker looking to make a quick buck via a malicious intrusion, you'll get away with it. This is something many cyber criminals are taking advantage of, which means that the responsibility falls on businesses to defend their networks against attack. Here are some of the key steps that organizations can take to guard their network and keep the bad elements out:
- Train employees in good cyber practice: By and large, hackers are looking for an easy way into a business they want to breach. And a lot of the time, the easiest way is through an unsuspecting staffer. For this reason, attacks like phishing schemes – in which an employee provides privileged data to a seemingly legitimate email source – are broadly deployed, and are a go-to method for cyber criminals looking to enjoy quick corporate network access. Eliminating these kinds of attacks calls for training of all enterprise employees in the basics of safe computing. All too often, companies assume that cyber security knowledge is the sole domain of IT, and therefore don't provide the rest of the staff with a set of best practices in terms of business network access. In the fight against enterprise-focused crime, this is a major misstep, and it all but promises to lead to a non-IT employee inadvertently opening up the enterprise network to risk. The key to counteracting this problem is to offer all business staffers comprehensive training in optimal cyber practice. If an employee doesn't know, for instance, that it's a very bad idea to send account password information over email, this is something your business has a responsibility to change.
- Realize that company mobility needs a higher level of defense: The mobile work sphere extends across industrial sectors. From healthcare to the financial arena, companies are mobilizing in ways that haven't been seen before. But this mobile push is often not accompanied by the necessary bolstering of security that it calls for. When enterprises leverage mobile solutions, they must look to secure their users no matter where they are. And with more enterprise employees working from home and bringing personal devices into work, this need has never been more central.
- Implement future-focused solutions: A truly stand-out company cyber security policy isn't going to be one that's just built for the malicious problems of today: It will be one that anticipates the issues of tomorrow. In this way, it's imperative that businesses look to leverage custom defense tools that are designed to evolve with the cyber threat atmosphere.
With a few notable exceptions, catching cyber criminals has largely been a losing battle. But businesses don't need to suffer just because hackers remain on the run. By following the steps above, organizations can solidify their enterprise security and therefore make an important move toward reducing the odds of a malicious intrusion.