Chapter 2 Nature, Prevalence and Economic Impact of Cyber Crime
This chapter addresses the nature, prevalence and economic impact of
The problem of cyber crime crosses many traditional technical,
conceptual and institutional boundaries, and, due to its prevalence, has real
and increasing social and economic impacts on all Australians. The chapter
concludes that because of the inter-related nature of the different aspects of
cyber crime, a more holistic and strategic approach must be taken to its
Nature of cyber crime
This section demonstrates that cyber crime is highly complex,
self-reinforcing, technologically advanced, geographically widespread and
indiscriminate by examining the history, tools, industrial nature, perpetrators
and victims of cyber crime.
Cyber crime and the Internet
Mr Peter Watson, Microsoft Pty Ltd, told the Committee that the Internet,
by its very design, is an inherently vulnerable network which has enabled cyber
crime to flourish in a new virtual ‘Wild West’ environment.
The Internet originated from a relatively basic network set up to share
information between trusted people and organisations for military and academic
purposes, with no view to the security of the computers attached to these
networks, nor the information stored on these computers.
Today, this open and insecure system has evolved into a world wide network,
directly connecting in excess of one billion users, and is employed for much
more than the simple sharing of information.
Cyber crime flourishes in the online environment for a variety of
n the fundamentally insecure
nature of the Internet leaves computers vulnerable to exploitation by
less-than-trustworthy Internet users;
n the huge number of
computers connected to the Internet gives cyber criminals a wide array of
n the Internet is an
effective medium for running automated systems, thus leading to the automation
of online criminal activity; and
n the unregulated
nature of the Internet makes it inherently difficult to control the content and
data traversing the network, thus impeding efforts to combat malicious
exploitation of the Internet.
Why do people commit cyber crime?
Cyber criminals may be motivated by curiosity, fame-seeking, personal
reasons (such as stalking or emotional harassment), political reasons (such as
protests), espionage or cyber warfare. However, during the inquiry financial
gain was repeatedly identified as the prime motivator of cyber crime.
The Committee heard that cyber crime has become a highly lucrative
business through cyber attacks which involve the theft of personal information,
fraud, illegally accessing financial systems and online extortion.
Additionally, an underground economy has developed through which cyber
criminals may earn money by trading cyber crime related goods and services.
How do people currently commit cyber crime?
Modern cyber crime is facilitated by a range of technologies and
n malicious software
n DNS based attacks;
n identity theft and
n underground cyber
crime forums; and
n money laundering
As with all aspects of cyber crime, cyber crime technologies and
techniques are often interrelated and complementary. These technologies and
techniques, and their purposes, are defined below.
‘Hacking’ is a term with multiple meanings. It can refer to testing and exploring
computer systems, highly skilled computer programming or the practice of
accessing and altering other people’s computers. Hacking may be carried out
with honest aims or with criminal intent.
In relation to cyber crime, and for the purpose of this report, hacking
refers to the practice of illegally accessing, controlling or damaging other
people’s computer systems. A hacker may use their own technical knowledge or
may employ any of the cyber crime tools and techniques that are listed below.
Malicious software (Malware)
Malware is a general term for software designed to damage or subvert a
computer or information system. A range of different types
of malware exists:
n viruses, worms and
trojans are pieces of computer code or computer programs that automatically
infiltrate computer systems, to degrade computer performance or to deliver
other types of malware;
n a backdoor permits a
computer to be remotely controlled over a network;
n rootkits are sets of
programs that hide malware infections on a computer by concealing infected
files and turning off anti-virus protection programs;
n keystroke loggers and
spyware are programs that illegally capture data from a computer (spyware is
related to a legitimate type of software called adware, described below).
Malware may propagate through virtually any medium that contains data or
transmits data between information systems including infected websites, email,
instant messaging, removable data hardware (such as USB drives), file sharing networks
and wireless networks.
Previously, websites transmitting malware tended to be less reputable, and
poorly maintained, many of which were designed purely to infect computers.
However, cyber criminals are increasingly using highly-reputable and popular
legitimate websites and social networking pages to infect computers. A cyber
criminal will exploit a vulnerability of the system that is hosting the website
or social networking page in order to hide malware in the system, unbeknown to
the legitimate website operator. When a benign user visits this legitimate
website or social networking page the malware will automatically and covertly
install on the victim’s computer.
Malware may install itself on a computer via a self-propagating
mechanism, or when a user clicks on a malicious link in an email, opens a
malicious file or visits a website where malware is hosted.
The relationship between adware and spyware
Adware is a legitimate type of software, similar to spyware, which is
often automatically, and openly, installed on a computer as part of a larger
software package. Adware enables software
providers to earn revenue by directing advertisements at the users of their
software via ‘pop-ups’ or banner advertisements. Adware programs may also gather personal
information which is then used by the adware company to tailor their
advertisements to be more effective.
The distinction between adware and spyware can turn on whether the
adware company has adequately informed the end user of the function of the
software and the use of any personal information which is gathered.
Where the adware company gathers information outside of its permissions, or
uses the information for purposes outside of its advertised terms, the software
may cease to be adware, and become spyware.
As previously mentioned, backdoors are a category of malware that enable
a cyber criminal to remotely control an infected computer over a network. Such
an infected computer is often called a robot or ‘bot’ computer. When several
computers are infected with a backdoor and become bots, they can be simultaneously
controlled from a single remote ‘command and control’ (C&C) mechanism.
These remotely controlled networks of bot computers are known as ‘botnets’.
Botnets can be comprised of a huge number of computers, with there being
many documented cases of botnets comprised of more than 100,000 computers.
Table 2.1 below shows the biggest botnets for 2009 as reported by MessageLabs,
a subsidiary of the Symantec Corporation.
Table 2.1 Biggest botnets in 2009
Source MessageLabs, Message
Labs Intelligence: 2009 Annual Security Report, MessageLabs, December 2009,
Botnets are considered to be one of the biggest enablers of cyber crime
with the Cyberspace Law and Policy Centre, from the University of New
South Wales, submitting that ‘almost
every major online crime may be traced to botnets’.
Below is a description of the different functions of botnets followed by
a description of methods by which botnets are becoming increasingly resilient.
Functions of botnets
A botnet can be instructed by its controller, known as a ‘botmaster’, to
carry out a range of functions (as outlined in Figure 2.1 below) including:
‘distributed denial of service’ (DDoS) attacks (a method by which botnets flood
a computer system with information thus damaging or shutting down the system); 
n hosting malicious
websites (such as money laundering, malware or phishing websites) or obscene
content (such as child pornography) to shield the originator from being
n scanning for, and
exploiting, software vulnerabilities in other computers and websites; 
n sending large numbers
of unsolicited emails known as spam. 
Figure 2.1 Initiation, growth and function of a botnet
Source OECD Committee
for Information, Computer and Communications Policy, Malicious Software
(Malware): A Security Threat to the Internet Economy, OECD, June 2008, p. 23.
The relationship between spam and botnets is significant: spam can be
used to spread malware, such as backdoors, to other computers which in turn may
recruit more bot computers to a botnet (see Figure 2.1). This demonstrates the
interconnectedness and self-reinforcing nature of cyber crime.
Resilience of botnets
Botnets are becoming ever more resilient through: improved C&C
techniques; an ability to remotely upgrade very quickly; and a practice called
‘fast fluxing’, which shields important parts of the botnet from being
identified and shutdown.
As previously mentioned, botmasters control botnets via C&C mechanisms.
The botmaster posts a command on the C&C mechanism (often a hijacked bot
computer itself), which is then automatically disseminated to the individual bot
computers that comprise the botnet. Botnets can operate on a centralised model
(where each bot computer individually contacts a single central C&C mechanism
to receive commands) or a decentralised model (where commands can be posted on any
part of the botnet and then automatically passed from computer to computer via
a peer to peer network).
The decentralised botnet model is extremely hard to stop or dismantle as
there is no centralised C&C point which can be targeted. If a number of bot
computers are identified and taken offline, the gaps in the network will close
up and the botnet will continue to function.
Botnets are also high resilient due to the ease with which botmasters
can rapidly update the underlying malware which runs the botnet. This enables
botnets to rapidly adjust to exploit newly discovered vulnerabilities, and to
respond to new anti-botnet measures.
Botnets are further strengthened by the process of fast fluxing, whereby
important parts of a botnet can be shielded from being traced, identified and
shutdown. During this process, data travelling to and from important parts of
the botnet (such as bot computers that host malicious websites or C&C mechanisms)
first passes through any one of a number of decoy or proxy computers. Fast
fluxing refers to the practice of employing the large number of computers in a
botnet to rapidly alternate which computers are used as proxies. Thus when an attempt
is made to trace the host computer, the trace only leads back to one of these
relatively insignificant and temporary proxy computers.
Spam refers to unsolicited emails, or the electronic equivalent of ‘junk
mail’. Spam is often disseminated in large amounts by sending out generic
emails to large lists of email addresses.
Spam may be sent through normal email accounts provided by an ISP, free
online email services such as Hotmail, hijacked email servers, offshore
companies that specialise in sending bulk mail, or the large number of
computers connected to a botnet. Additionally, in order
to avoid anti-spam programs that identify generic emails or offending spammer
email addresses, spammers employ programs which subtly change each email or
hide the actual spammer’s email address.
Spammers can acquire lists of email addresses by: using different pieces
of address-harvesting software to locate, steal, decipher and compile email addresses;
hacking into the information systems of organisations; creating fake websites which
fool users into entering their email address on the website; or through buying
lists of email addresses on the black market.
Spam has a variety of uses including: the mass delivery of legitimate
advertising; the mass delivery of
scams and phishing schemes; and the delivery of
malware and in turn the expansion of botnets.
DNS based attacks
The Domain Name System (DNS) is one of the underpinning aspects of the
Internet. The DNS converts user-friendly text commands (in the form of web
addresses) into IP addresses (complex numbers which identify each individual
computer connected to the Internet). Thus the DNS enables users to easily
access computers that host web pages, without the need for complicated codes.
Cyber criminals subvert the DNS in a number of ways:
n ‘DNS spoofing’ is a
practice where cyber criminals hack into the DNS and replace a genuine IP
address that leads to a legitimate website with a fake IP address that diverts
users to a malicious website, such as a phishing website, or a website that
infects computers with malware;
n ‘DNS hijacking’
employs a trojan that changes the settings on a user’s computer to access the
DNS through a rogue DNS server instead of a legitimate ISP server, thus
enabling users to be diverted to false websites;
n ‘domain hijacking’ is
where a cyber criminal takes control of a domain name by stealing the identity
of a domain name owner, then uses this domain name to host a malicious website.
Phishing describes an online attempt to assume the identity of, or mimic,
a legitimate organisation for the purpose of convincing users to divulge
personal information such as financial details, passwords, usernames and email
The AIC provided the following example of a phishing website. Figure 2.2
shows the top section of a web page which appears to be from the legitimate ‘Bank
of the West’ website.
Figure 2.2 Example of phishing website
Institute of Criminology, Exhibit No. 5, p. 8.
However, as demonstrated below in Figure 2.3, upon closer inspection of
the address in the top bar of the browser, it can be seen that the W in ‘Bank
of the West’ has been replaced with two V’s to give the appearance of a W.
Figure 2.3 Close up of web address in phishing website
Institute of Criminology, Exhibit No. 5, p. 8.
An unwitting user may be directed to this phishing website by clicking
on the link in a fake spam email or through subversion of the DNS. The users
may then fall for the confidence trick of the phishing website and may divulge
personal details. In turn, the user may become a victim of identity theft or
Identity theft and identity fraud
Through the use of keystroke loggers, spyware, and phishing websites
cyber criminals may obtain a wide range of personal details. This is known as
identity theft. These stolen details may then be used to commit ‘identity
fraud’ (such as illegally accessing a victim’s bank or credit card account, or taking
out loans under a victim’s name), sold online to other cyber criminals or used
to fabricate fake official documents such as passports.
Stolen information may also be used to commit further cyber crime
activities. For example, a cyber criminal may use a stolen identity to open a
new Internet account with an ISP from which to commit criminal acts.
Online scams are another lucrative activity for cyber criminals. A
plethora of scams exist on the Internet and new scams are continually emerging.
Some of the scams brought to the Committee’s attention were: romance scams,
where victims hand over money to fraudulent participants on online dating
websites (see the case study below for a victim’s account of such a scam); advance-fee
scams where the victim is promised large returns on an upfront payment; and fake
lottery, ticketing or online shopping scams, where victims are fooled into
paying for a nonexistent product.
Case study: A victim’s account
of a romance scam
Witness A, who is based in Australia, established an
online relationship via a dating website with a man claiming to be a citizen
of the USA. The man claimed to be travelling to Nigeria to work, after which he
proposed to visit Witness A in Australia. Over the following months the man
claimed to have run into a range of difficulties while in Nigeria and repeatedly
asked for assistance in the form of money transfers and the provision of
valuable goods. Witness A was suspicious of these requests, but felt emotionally
compelled to assist their ‘partner’ to travel to Australia. Witness A lost
AUD$20,000 before becoming aware that they were being victimised, and
suffered significant emotional distress as a result of the scam.
A, Transcript of Evidence, 17 March 2010, pp.2-4.
Perpetrators may use other cyber crime tools to fashion and disseminate online
scams. For example, a cyber criminal may use seemingly inconsequential
information gained from a spyware program, such as an address or friends’
names, to make a personalised and highly convincing scam email. Additionally, a
cyber criminal may seek to reach a wide number of victims by sending out a scam
in a spam email.
Cyber criminals carry out online extortion via DDoS attacks and specially
Cyber criminals may threaten to carry out a DDoS attack on a business’
website if they don’t pay a fee. This is particularly the case with businesses
that are wholly reliant on their website, such as online gambling companies.
For example, in 2006 three Russian nationals were found guilty of, among other
offences, carrying out a DDoS attack on an Australian gambling website when the
company refused to pay $10,000 in extortion money. The DDoS attack shut down
access to the gambling website and was said to have cost the gambling company
$200,000 in lost revenue.
Additionally, a virus, worm or trojan may be designed to automatically
encrypt the data on an infected computer. The cyber criminal will then demand
money from the victim in return for the ‘key’ with which to unencrypt the data.
Underground cyber crime forums and websites
Cyber criminals utilise online forums and websites in order to
communicate and trade. These websites or forums are often run purely for the
purpose of facilitating cyber crime, and may be hosted on hijacked bot
computers. This issue is discussed further in the section on the cyber crime
Money laundering techniques
Financially motivated criminals use the online environment to launder illicit
money received through other cyber crime activities. A variety of techniques
exist for online money laundering including the use of money mules and
‘virtual’ currencies from online games.
Money mules are often benign Internet users, recruited via websites set
up to lure users into applying for work-from-home jobs as a ‘financial
officer’. They receive funds into their bank account from cyber criminals,
withdraw the money in cash and send the money back to the cyber criminals via a
wire transfer service. By withdrawing the money in cash, the sum of money
becomes very hard to trace. In return for this service the mule is given a
commission by the cyber criminal.
The Northern Territory Government suggested that immediate wire transfer
services such as Western Union were one of the main methods for mules to
transfer illicit cash.
Many online games have a virtual economy by which online players can
exchange items within the game for virtual currencies. A gamer may pay real
world dollars to receive a certain amount of the virtual currency for use in
the game. A money launderer may purchase virtual currency using illicit cash,
then exchange the virtual currency back into real world cash, thus reducing the
traceability of the illicit funds.
Interrelatedness of cyber crime techniques and tools
The different tools and techniques of cyber crime cannot be viewed in
isolation. Below is a brief summary of some key relationships:
n malware can create
botnets which in turn may scan other systems for vulnerabilities and infect
other computers with malware;
n botnets may be used
to send spam, which in turn delivers malware and extends the botnet;
n malware may steal
personal information which may then be used to create and disseminate spam, phishing
schemes and scam emails; and
n botnets (through fast
fluxing) may perpetuate the hosting of malicious websites which facilitate
further cyber crime such as phishing websites, mule recruitment websites or
underground cyber crime forums.
The cyber crime industry
Australian governments, businesses and home-users are being targeted by
a highly organised cyber crime industry. Below is a brief description of the
emergence and operation of the cyber crime industry and an examination of its
ramifications for cyber crime more generally.
The emergence and operation of the cyber crime industry
The current cyber crime industry is driven by an underground cyber crime
market place. Due to an increased number of people looking to commit cyber crime,
and a resulting increased demand for cyber crime tools and services, an
underground market has emerged where cyber criminals may purchase and supply
cyber crime goods (such as pre-packaged malware and stolen information) and
services (such as spamming or DDoS attack services). This market is often
referred to as the underground cyber crime economy.
The trade that occurs in this underground market is often carried out on
online cyber crime forums. In order to evade law enforcement, these forums are often
hidden and require membership. Detective Superintendent Brian Hay from the Queensland
Police Service described these forums as ‘an Aladdin’s cave of criminality’.
Figure 2.4 below shows a screenshot from an online cyber crime forum.
The row second from the bottom shows a cyber criminal advertising a DDoS attack
service, while the sixth row from the bottom shows a potential cyber criminal
inquiring as to the cost of having a website hacked.
Figure 2.4 Screenshot of an online cyber crime trade forum
Source Panda Security,
Cybercrime… for sale, blog post, Panda Security Forum, 24 April 2007,
viewed 13 January 2010, <http://support.pandasecurity.com/forum/viewtopic.php?f=16&t=608>.
The Symantec Global Internet Security Threat Report: Trends for 2008
listed the most commonly traded cyber crime goods and services, and the prices
of these goods and services, as observed by Symantec during 2008. Included were
credit card information (trading at between US$0.06 to US$30 per card), full identities
(trading at between US$0.70 to US$60) and scam design and delivery services (US$5
to US$20 for design, US$2.50 to US$100 per week for scam website hosting).
Forums such as these constitute an integral part of the underground
economy through enabling goods and services to be easily traded anywhere around
Ultimately, the emergence of this market place has resulted in the formation
of a cyber crime industry where each cyber criminal may provide a discrete input
in the process of targeting end users. For example, a spammer may charge a fee
for disseminating an email that provides a link to a phishing site, but may not
be involved in running or profiting from the phishing website itself.
The cyber crime industry and the evolution of cyber crime
The cyber crime industry has caused cyber crime more generally to evolve
in a range of ways.
The large financial incentives provided by the underground cyber crime
economy drive a development and testing process which leads to high quality
malware that evades new anti-malware defences and avoids detection by Internet
security companies thus increasing its profitability.
Similarly, the market for malware has driven malware to become more
user-friendly. Cyber criminals produce pre-packaged off-the-shelf style software
packages (known as toolkits) which allow users to commit cyber crime acts (such
as infiltrating a system with spyware or creating a botnet) with minimal
Figure 2.5 shows a screenshot from a popular toolkit called the ‘Zeus
Crimeware Toolkit’ which enables entry-level cyber criminals to create their
Figure 2.5 Screenshot of ‘Zeus Crimeware Toolkit’
Source P Coogan, Zeus,
King of the underground crimeware toolkits, blog post, Symantec Security
Blogs, Symantec Corporation, 25 August 2009, viewed 14 January 2009 ,<http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits>.
This toolkit enables unskilled cyber criminals to create their own
tailored botnets through the use of an automated trojan to exploit computer
vulnerabilities. As can be seen, the toolkit provides an up-to-date country-specific
summary of the number of computers that are infected, the number of bot
computers that are online and a ‘remote commands’ option through which the
botnet can be directed. 
The lucrative cyber crime economy has also driven criminals to move from
committing large indiscriminate cyber attacks to committing several smaller
targeted and low level attacks in order to avoid detection by Internet security
and law enforcement organisations.
Finally, the underground cyber crime economy has led cyber criminals to increase
the efficiency of the links between different areas of cyber crime (such as the
links between scam operators and money launderers) to the point where organised
criminal networks have emerged.
Below is a case study that provides an example of a cyber attack on
German banks which incorporates all of the above mentioned aspects of the cyber
Case study: German example of
the operation of the cyber crime industry
In August 2009, a group of coordinated cyber criminals
first purchased a toolkit from an online cyber crime forum. This toolkit was
then used to infect legitimate and fake websites with a trojan. When a user
visited one of the infected websites the trojan would automatically install
on the visiting computer. When this infected computer was used for online
banking, the trojan would store the details. The trojan was then instructed
to automatically log into the bank account and transfer money to a money
mule’s bank account for laundering. The trojan was automated to only transfer
small amounts of money to avoid detection by banks’ anti-fraud systems. This
operation ran for two weeks and generated almost €1200 per day.
Malicious Code Research Centre, Cybercrime intelligence report, Issue 3,
Finajn Malicious Code Research Centre, 2009.
Who commits cyber crime?
A variety of different people commit cyber crime including individual
hackers, organised crime groups, corrupt company employees and foreign
Witnesses suggested that, currently, perpetrators of cyber crime tend to
be financially-motivated organised criminal networks with decentralised and
flexible structures, and consisting of members from a variety of different
countries. The majority of these attacks are said to originate from outside of
Organised cyber criminal networks differ from traditional ‘real world’ organised
crime groups in that there is not necessarily a hierarchical structure where
all cyber attacks committed through the network are coordinated from the top. These
criminal networks have a decentralised structure where members are anonymous
and relatively independent. When a cyber criminal, or group of cyber criminals,
wishes to commit a cyber attack, they may use the network to source the
resources and skills for that particular operation.
These cyber crime networks may consist of members from many different
countries. The Committee heard that most cyber attacks appear to originate from
America, China, Europe and Russia. It was also stated that organised criminal
networks are appearing in South-East Asia. It was suggested that cyber
criminals may find it easier to operate in countries were governmental institutions
or the rule of law is not as strong, or where cyber crime makes a significant
contribution to the growth of a developing economy.
Cyber crime networks also target users from other countries in order to
take advantage of traditional law enforcement boundaries that make it much
harder for their crime to be investigated.
Who are the victims of cyber crime?
All aspects of Australian society including Australian government,
private businesses and home users, are victimised by cyber criminals.
Australian governments, whether federal, state or territory, are
potential targets of cyber attacks. Cyber attacks may target governments for a
variety of reasons including to conduct protests or for cyber espionage.
However Governments are also increasingly being targeted by financially
motivated cyber criminals. Government agencies are
increasingly using the Internet to provide information to, and exchange
information with, the public. This makes government organisations a target for
financially-motivated cyber attacks aimed at illegally obtaining funds or
information, illustrated in the case study below.
Case study: Fake Australian Taxation
Office phishing website hosted in Ukraine
The ATO reported that recently a number of Australian tax
payers had been lured to a fake website hosted in Ukraine. The website, a
mirror image of the ATO’s legitimate website, asked visitors to enter a range
of personal details in order to receive a tax refund of $9500. ATO submitted
that this website was aimed at harvesting passwords and credit card numbers.
Taxation Office, Submission 58, p.5.
Similarly, Australian businesses, whether small, medium or large
organisations, are potential targets of cyber crime. Australian businesses may
be the target of a variety of attacks including online fraud, theft of
information and extortion.
Home users are also vulnerable to cyber attacks due to low levels of
online security. Cyber criminals seek information and money from home users through
the use of scams, phishing schemes and malware. Due to their low level of
security, home computers are highly vulnerable to being recruited to botnets.
Additionally, home users that fall victim to an online scam are more likely to
be targeted by further scams. Cyber criminals note users who have responded to
scams and place them on a ‘sucker list’ which may then be used to distribute
further scams to these vulnerable home users.
As the Internet is a resource shared among several different sectors of
society, attacks on one section of Australian society may have flow on effects
for other areas of society. For example, due to the
vulnerability of home users, botnets are often comprised predominantly of home
computers. These botnets can then be used to launch attacks against businesses
Prevalence of Cyber Crime
Witnesses emphasised that while the majority of Internet activity is
legitimate, cyber crime has touched a significant number of Australians and is
This section examines the current level of cyber crime both globally and
in Australia, and the current trends of cyber crime.
There is a wide variety of often incomparable information on cyber crime,
all of which inevitably suffers from some degree of inaccuracy. However, despite
these variations and inaccuracies, all information supports the same
conclusion: cyber crime is highly prevalent and is growing at an increasing
Current level of cyber crime threat
Tables 2.2 and 2.3 below summarise the statistics made available to the
Committee, including global statistics and statistics that focus solely on
Table 2.2 Global statistics
illustrating the high incidence of cyber crime
In 2008, Verizon observed the compromise of over 180 million business
records due to hacking.
Symantec has detected a total of approximately 2.6 million different
malware programs, 60 per cent of which were detected in 2008.
Malware infections via legitimate websites
A 2007 study of 4.5 million web pages by Google found that one out of
every ten websites contains malware.
McAfee estimates that nearly 40 million computers were recruited to
botnets in the first three quarters of 2009.
The Internet Society of Australia submitted that estimates of the number
of bot computers range from five percent of all computers connected to the Internet
(over 20 million) to twenty five per cent of all computers connected to the Internet
(over 250 million).
Telstra submitted that the size of the largest DDoS attacks increased
a hundredfold between 2001 and 2007, from 0.4 gigabits per second to 40
gigabits per second.
Cyber crime industry
Verizon reports that 91 per cent of the data breaches it observed in
2008 were linked to organised criminal networks.
Phishing and spam
In the year 2008, Symantec observed 349.6 billion spam messages across
Symantec claim that in 2008 approximately 90 per cent of spam was sent
Anti-Phishing Working Group, an international consortium of organisations
against phishing, identified over 210 thousand unique phishing websites in
the first half of 2009.
2009 Data Breach Investigations Report, Verizon Business,
2009, p.2; Australian Communication and Media Authority, Submission 56,
pp.4,7; Symantec Corporation, Symantec Global Internet Security Threat
Report: Trends for 2008, Symantec Corporation, April 2009, pp.10,16,90 ;
McAfee Inc, McAfee Threats Report Third Quarter 2009, McAfee Inc, 2009,
p.3; Internet Society of Australia, Submission 45, pp.3-4; Telstra, Submission
43.1, p.2; Anti-Phishing Working Group, Phishing Activity Trends Report:
1st Half 2009, APWG, 2009, p.3; BBC News, Google searches web’s
darkside, online news article, 11 may 2007, viewed 19 January 2009, < http://news.bbc.co.uk/2/hi/technology/6645895.stm
Table 2.3 Australian
statistics illustrating the incidence of cyber crime
A 2008 AusCERT survey of 1,001 Australian adults reported that 23 per
cent of respondents had confirmed malware infections on their home computers.
A September 2009 ACCAN survey of 141 Australian home users indicated
that one in five respondents had been a victim of cyber crime.
average over the 2008-09 financial year, ACMA received 4,291 reports per day
of Australian computers infected with botnet malware.
ACMA submitted that the number of Australian computers recruited to
botnets in June 2009 may have been considerably greater than 10,000 computers
ACCC received 12,000 online scam complaints in the 2007-08 financial year.
Eighty-six per cent of respondents to a 2009 online survey by the
Australian Consumer Fraud Taskforce claimed to have been invited to
participate in a scam, 73 per cent of whom were targeted via email.
The Australian Institute of Criminology report that fourteen per cent
of Australian businesses experienced one or more computer security incidents
in the 2006-07 financial year.
Online credit card and bank card fraud
2007 Personal Fraud Survey by the Australian Bureau of Statistics (ABS) inferred
that, in the twelve months prior to the survey, 76,000 Australians were the
victim of online credit card or bank card fraud.
The Australian Payments Clearing Association report that in the
2007-08 financial year the Australian payments industry, including banks and
credit unions, lost $63.5 million due to online credit card and bank card
Phishing and spam
2007 Personal Fraud Survey by the ABS estimated that, in the twelve months
prior to the survey, 30,400 Australians were the victim of online phishing
Commonwealth Bank of Australia receives 3,000 spam and phishing related
reports per day, with the highest reporting period being May last year when
30,000 reports were being received per day.
Communication and Media Authority, Submission 56, pp.4,7; Australian
Competition and Consumer Commission, Submission 46, p.3; Internet
Society of Australia, Submission 45, pp.3-4; K Richards, The Australian
Business Assessment of Computer User Security: a national survey,
Australian Institute of Criminology, 2009, p.xi; Australian Bureau of
Statistics, 2007 Personal Fraud Survey, ABS, Cat. No. 4528.0, 2007, pp.14,
21; Australian Payments Clearing Association, Submission 50, p.5; Mr
John Geurts, Commonwealth Bank of Australia, Transcript of Evidence, 8
October 2009, p.59; J Dearden, Comparing the 2008 and 2009 ACFT online
survey results, powerpoint presentation at Australian Consumer Fraud
Taskforce Forum 2009, 8 October 2009, p.8; AusCERT, AusCERT Home Users
Computer Security Survey 2008, AusCERT, 2008, p.3.
These statistics, whilst varying and sometimes imprecise, provide a
number of insights into the current level of cyber crime:
malware and botnets are widespread and facilitate significant DDoS attacks,
data breaches and phishing schemes;
it is very common for trusted and legitimate websites to be inadvertently
hosting and propagating malware;
significant number of Australian computers are infected with malware and are
part of botnets; and
significant number of Australian businesses and home users are the target of
online scams, phishing schemes and identity fraud.
It can be seen that cyber crime is highly prevalent and directly affects
a significant number of Australians.
In 2006 and 2008 the Department of Broadband, Communications and the
Digital Economy (DBCDE) commissioned KPMG to carry out cyber security threat
and vulnerability assessments for home users and small businesses.
These reports are not publicly available. However ACMA informed the Committee
that there are potentially tens of thousands of compromised Australian
These concerns were reiterated to the Committee by Mr Mike Rothery, the
First Assistant Secretary, National Security Resilience Policy Division, Attorney
General’s Department (AGD):
We are concerned that there are many thousands of compromised
machines out there … in many cases … being used as part of botnets to do other
things—launch spam attacks, denial of service, phishing attacks and a whole
range of things, … many tens of thousands.
The outlook for cyber crime in Australia
Throughout the inquiry witnesses continually reinforced to the Committee
that cyber crime is a rapidly evolving phenomenon. The Committee heard that the
cyber crime industry, driven by the lucrative underground cyber crime economy,
will continue to adapt in order to exploit new technologies and in order to
respond to new anti-cyber crime measures.
Mr Graham Ingram, General Manager of the Australian Computer Emergency
Response Team (AusCERT), summarised the outlook for cyber crime in Australia:
[Cyber crime in Australia] is getting out of control and we
are losing. And I think that, with the pressures coming on us over the next few
years, if nothing is done to change the current direction we will lose faster.
The future of cyber crime in Australia can be predicted by observing a
range of trends in Internet and technology use, malware and cyber attacks.
During the inquiry a range of trends in Internet and technology usage were
viewed as increasing the prevalence of cyber crime. For example, witnesses
argued that the increased uptake of high speed ‘always on’ broadband services will
increase the threat of cyber crime in Australia (a 2009 ABS survey estimated
that Australian household broadband connections grew 18 per cent to 5 million
during 2008-09). Similarly, the Committee
heard that the uptake of new computer systems, software and hardware (such as
cloud computing, social networking and wireless systems) will lead to new
vulnerabilities. An additional concern
was that as technologies become more user-friendly, computer users will require
less computer knowledge and will therefore be more vulnerable to cyber crime.
Trends in malware were also identified as an area of concern. For
example, Symantec reported that malware is being produced at an ever increasing
rate (refer to Figure 2.6), with detected malware levels jumping 60 per cent in
2008. Additionally it was
argued that cyber criminals are increasingly propagating malware via popular
and trusted websites, and that this malware
is increasingly surreptitious, specialised and targeted.
The Committee also heard that botnets continue to grow (refer to Figure 2.7)
and are likely to become more versatile in exploiting new vulnerabilities and
in responding to anti-botnet measures.
Figure 2.6 Number of new malware programs detected
globally per year, 2002 to 2008
Corporation, Symantec Global Internet Security Threat Report: Trends for
2008, Symantec Corporation, April 2009, p.10.
Figure 2.7 Average number of IP addresses that are part of
botnets reported to ISPs via ACMA’s Australian Internet Security Initiative per
day July 2008 to 2009
Note: AISI figures
do not accurately identify how many Australian computers are compromised due to
multiple computers that operate under the same IP address and due to computers
that may be missed or not identified during the reporting process. ACMA submits
however that the number of Australian computers compromised is likely to be
considerably greater than shown in AISI reports.
Communication and Media Authority, Submission 56, p.5.
Other acts of cyber crime were also said to be increasing. Submitters
stated that organised cyber criminals are committing increasingly low profile
attacks against identified vulnerable users including small businesses, home
users and prior scam victims. Also, it was argued that
as the cyber crime industry supplies increasingly user-friendly malware and
skilled hackers-for-hire, the skills needed to carry out complex cyber attacks
will gradually decrease. The Committee also heard
that cyber criminals are increasingly targeting victims in other countries in
order to reduce their risk by taking advantage of jurisdictional barriers to
law enforcement investigations.
Mr Alistair MacGibbon, Director, Internet Safety Institute, told the
Committee that cyber criminals have, and continue to compile, large stockpiles
of stolen information but are not efficient at converting this stolen
information into money. Mr MacGibbon stated that his main fear is that cyber
criminals will improve their techniques for monetising this information thus
leading to a new wave of cyber attacks.
Economic impact of cyber crime
Cyber crime has many current and potential negative economic impacts on
Australians. Contributors to the inquiry outlined a range of ways in which
cyber crime threatens the Australian economy:
n widespread cyber crime
may undermine confidence in aspects of the digital economy thus inhibiting the
growth of the Australian economy;
n continued cyber
attacks against particular businesses may damage their reputation and result in
a loss of customers and revenue;
n the development of
measures to combat and respond to cyber attacks imposes a significant cost on
n cyber attacks cause
direct financial losses to consumers and businesses resulting from the theft of
information and money, or extortion; and
n cyber attacks
targeting Australia’s critical infrastructure may lead to immediate and long
term economic losses.
These impacts are described below.
Economic loss from diminished confidence in Australia’s digital economy
Australia’s economy is currently benefiting from the increased
development and use of new information and communication technologies. This
area of our economy is referred to as the ‘digital economy’. DBCDE define the
digital economy as:
The global network of economic and social activities that are
enabled by information and communications technologies, such as the Internet,
mobile and sensor networks.
The digital economy consists of devices such as computers and phones as
well as the infrastructure that enables the sharing of information such as
telephone lines and mobile phone towers. The digital economy enables all
aspects of Australian society to carry out a range of activities with increased
ease and efficiency such as accessing government information, conducting
financial transactions or communicating in real time with geographically
distant friends or family.
Ultimately, the digital economy opens up new opportunities for the
Australian economy as a whole to increase its efficiency and to grow.
Many contributors to the inquiry warned of the significant negative
economic impact which would be caused by cyber crime undermining confidence in
Australia’s digital economy. Ms Loretta Johnson,
General Manager, Policy and Government Relations, Australian Information
Industry Association (AIIA), provided a summary of this concern:
The productivity, efficiency and economic growth advantages
that can be delivered by our rapidly developing digital infrastructure are
recognised by governments and users alike. The secure and safe use of that
infrastructure should be a focus for governments which are concerned with
enhancing their nation’s GDP for the benefit of their own citizens. If that
focus is lost, users will lose confidence in the internet as a business and
commercial tool, leading to a consequent decrease in the efficiencies and
productivities that digital engagement can deliver.
It is difficult to quantify the negative economic impact caused by a
loss of confidence in online services. However, Mr Paul Kurtz,
Executive Director of the US-based Cyber Security Industry Alliance, has
suggested that a loss of consumer confidence in the digital environment is a
billion dollar problem.
ACMA’s 2009 publication Australia in the Digital Economy: Trust and
Confidence concluded that, while Australians are aware and concerned about
the risks of using the Internet, these concerns do not currently stop people
from using the Internet. However, the 2008-09
ABS Household Use of Technology Survey estimated that over one million
Australians refrain from purchasing goods or services on line due to concerns
over online security or privacy. Similarly, the Australian
Communications Consumers Action Network (ACCAN) informed the Committee that
they have encountered a large number of consumers who are refusing to use the Internet
because of fears they will lose money to cyber crime.
Financial loss to business from damaged reputation
Where a business is the target of persistent or high-profile cyber
attacks, their reputation among clients and share holders may suffer, thus
resulting in lower share prices, fewer clients and lower revenues.
For example, in January 2009, US-based payment processor Heartland Payment
Systems experienced significant divestment which halved its stock price
following a malware-enabled data breach which potentially compromised tens of
millions of credit and debit card transactions.
Cost of anti-cyber crime measures and cyber crime complaints
Many private businesses that supply ICT goods and services, or conduct
business over the Internet, must direct significant resources towards dealing
with cyber crime. A 2009 AIC survey
estimated that the annual cost of computer security measures for Australian
businesses is between $1.37 billion and AU$1.95 billion.
Direct financial losses to Australian businesses and home users
Australian businesses and home users continually suffer direct financial
losses from cyber crime. Cyber criminals use scams, fraud and extortion to
illegally obtain money from these victims. The loss to home users and business
is difficult to quantify; however, the AIC estimate Australian businesses lost
between $595 million and $649 million in the 2006-07 financial year.
Economic loss from disruption to Australia’s critical infrastructure
Australia’s national information infrastructure supports a range of
computerised control mechanisms that govern other aspects Australia’s critical
infrastructure. Contributors argued that there is real potential for cyber
criminals to highjack, damage or inhibit these systems which in turn could
cause longer-term disruptions to economic development.
Cyber crime crosses many technological, conceptual and institutional
boundaries, and, through its high prevalence, has real and increasing impacts
on many Australians. Australia’s public policy response must take account of
several key factors:
n organised criminal
networks consist of members from, and commit attacks across, several different
traditional law enforcement and regulatory jurisdictions thus challenging
traditional law enforcement and regulatory methods and procedures;
n cyber crime is
rapidly evolving and responsive to anti-cyber crime measures, thus any
legislative, regulatory, technological, intelligence and educational
initiatives must be kept under constant review;
n the interrelated
nature of different aspects of cyber crime makes it important to take a
strategic and holistic approach to intervention; and
n the complex nature of
cyber crime makes the reporting, gathering and analysis of data and
intelligence an important element of the national and international effort to
combat cyber crime.
While it is probably impossible to eradicate all cyber crime (just as it
is in the offline environment) it is possible to ensure that Australia
maintains an understanding of the threats and builds capacity to prevent cyber
attacks. It is clear to the Committee that the many different aspects of cyber
crime are interrelated and Australia’s response cannot deal with these various aspects
of cyber crime in complete isolation.
The following chapters canvass some of the options for expanding the
current national strategy and building a broader, and more integrated response
that takes account of the needs of consumers.