Keep Your 40 Acres, Just Send the Mules
I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries–not bad enough to blow the whistle.

Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.

After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers–'cause hey, that's how I roll–I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which is probably on millions of PCs and often escapes the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy.

But I also spoke to the Secret Service and FBI delegates to the conference, and they gave me a glimmer of hope that I would like to fan into a faint glow. It wasn't their accounts of the five big cheese Ukrainians detained recently in a $70 million Zeus case, though that was certainly a good thing. Those men still haven't been charged, let alone convicted and sent to jail; the FBI man grimaced when I asked about the chances for locking up Zeus' Russian author; and forensics maven Gary Warner reported this morning that new Zeus control servers are popping up every day.

What cheered me was that they showed more pragmatism and less bust-down-the-doors machismo than I have ever seen in high-level feds. They are making slow progress in tough spots like Ukraine, they said, in part because the criminals screwed up and started attacking their countrymen. If every other country starts cooperating, pressure on Russia will grow. In the meantime, they are seizing servers, building intelligence on 50 top criminals, and disrupting their networks when they can.

Looking at the big picture, they see that the current bottleneck for the mobsters is the mules–the tens of thousands of people in the U.S. alone who often unwittingly accept transfers from compromised accounts, take a cut, and wire the rest overseas. The cyber gangs have access to more bank money than they can get out of the country.

So that's why the FBI made a big deal out of picking up some dozens of mules a few weeks back. Arrests and news conferences get precious TV time and stories, which can alert people that those work-from-home payment processing jobs are a really bad idea. Like the occasional fall of one or another honcho or botnet, the removal of scores of low-level employees won't do much to stem the tide. But an amplified message could reduce access to some of the kingpins' most precious assets, and it's certainly a worthwhile thing to try.

Something else seems increasingly doable as well, but that calls for a broader effort from outside law enforcement. The recent Zeus cases depended on work by outside security researchers, who often know far more than the cops. I would really like to see more such collaboration. I don't see why thousands of people would work together on such open-source projects as Linux and Mozilla and not on something so core to defending the Internet as a reasonable place to exist.

This marks the end of my guest-blogging stint here at BoingBoing, and I want to thank my gracious hosts and all of you for reading. You can always follow me at @josephmenn.