H4x0rs! Stealing Carbon! Selby on Marketplace Tech Report

Posted on 26 February 2011 by



I got called the other day by Marketplace from American Public Media; their Tech Report wanted to talk about a scam that occurred in Europe in which Eastern European criminal hackers stole more than $50m in carbon offsets, and temporarily shut down part of the European carbon trading system.

It was awesome being on NPR*, and speaking about the hack. Though they identified me as “Cyber-crime consultant,” not, “Police officer and cyber crime consultant”!

On the program, Anup Ghosh of Secure Command said that carbon traders in Europe fell for the kind of phishing scam we’re all supposed to watch out for. The hackers sent fraudulent emails which tricked traders into “re-registering” their online credentials. As with personal banking phishing cons, the criminals then used the credentials provided by the duped victims to pose as them and sell the carbon credits.

These things are worth a whole lot of money. In Europe, NPR says, the carbon market is worth $118.5bn; in the US, pollution credits are similarly bought and sold by companies.

I told Marketplace that criminals often target the lowest hanging fruit, and attacks like this are simply the latest lateral movement to find good, profitable targets. Far too often we get caught up in the sophistication of the attacks when we should recognize that in this case and others, this was a garden-variety con-job: the victims were tricked into doing something that resulted in property being stolen.

I pointed out that, when you have relatively new markets like carbon trading, it’s easier for criminals to target the processes, because relatively few people know what good looks like. If you don’t know what “good” looks like, you’re less likely to recognize “bad” when it comes across the wire.

Here are some of the things I discussed with Marketplace that didn’t make the story.

  • Part of the problem is that, when you use computer network attack techniques to steal real world assets, experts in either field are less likely to know about the other. Information security people and law enforcement people don’t have a common language, so until they can understand each other, criminals continue to exploit the delta in their understanding.
  • Cyber criminals know that their actions are, relatively speaking, low risk and high reward. If you stick up a gas station and get $500 you’re likely to be caught and do some time. If you steal digital assets worth thousands or tens of thousands or more, you’re really likely to fall into some of the jurisdictional cracks in the system. Now in this case, the theft was highly public, and so there will be increased pressure on law enforcement to effect an arrest. But journeymen cyber criminals currently enjoy a relatively better risk-reward ratio than many other types of criminals.
  • This is chickens-coming-home-to-roost time: analysts and law enforcement officials have been warning for years that when organizations choose to merely comply with industry and regulatory rulesets, to the exclusion of truly understanding and addressing their risks and their threats, they leave both the auditors and the criminals happy. Rulesets like PCI (the Payment Card Industry Data Security Standard), HIPAA (the Health Insurance Portability and Accountability Act of 1996) and NERC (the North American Electric Reliability Corporation’s standards) are intended to create a minimum standard, but have become the maximum effort expended by businesses. That leaves exposed vulnerabilities that are exploited by criminals.

You can listen to the Marketplace report here.

* though a friend in a Texas sheriff’s office said he can’t listen to NPR because they’ll have, “Cyber crime consultant and police officer Nick Selby…but first, here’s 95 minutes of pan-flute music from Burkina Faso.”