Ever wondered where the money lost to cybercrime goes? Would you believe frozen chicken cutlets in one instance? Photo by wikipedia user Ocdp
Written by Insecurity of Everything
A cybersecurity column by Kate Fazzini and John Shegerian
If you’ve ever lost money to a computer crime, or done business with an entity who paid a ransom or lost a wire of funds to fraud, you may have wondered where the money went. The answer is complex: to many far flung corners of the world, or right in your own backyard, invested in frozen chicken, expensive cars or rogue nuclear weapons programs. When you know, however, the consequences of this fraud, it can be one of the most motivating factors in creating the best cybersecurity program you can have.
From the financial heart of the world to all corners
Recently, at the Fordham University/FBI International Conference on Cyber Security (ICCS), Kate had the pleasure of moderating a panel with the Hon. Damian Williams, U.S. Attorney for the Southern District of New York; and Carolyn Pokorny, First Assistant U.S. Attorney for the Eastern District of New York. Combined, these districts include the five boroughs of New York City, as well as huge outer suburbs of that metropolis. As the world center of the financial services industry, it’s ground zero for cybersecurity crime and a location where many of those victimized by cybercriminals reside.
The discussion was wide-ranging, but one topic of critical interest to local businesses was the idea of where the money lost to cybercriminals goes. The prosecutors characterized this money trail as something that should be a motivating factor for businesses, especially on “cyber hygiene,” aka those basic security practices that — when executed correctly — stop the vast majority of attempted wire frauds, ransomware attacks or ATM cash-outs, among other problems.
We wholeheartedly agree with this assessment. In one case, Pokorny discussed the exploits of a man who called himself “the King of Fraud,” a moniker that made him easier to prosecute, she said. Alexander Zhukov was convicted of running a $7 million scam known as “Methbot,” which created “bots” that tricked websites including those belonging to The New York Times and The Wall Street Journal into appearing as if millions of people were reading ads when they weren’t.
In the Zhukov case, proceeds from the scam were re-invested into yet more fraudulent businesses under the guise of advertising services, a common tactic used by cybercriminals, emphasizing the proceeds of these crimes just lead to more crime. Zhukov and his co-conspirators directed payments outside their New York operations, then, to locations as varied as the Czech Republic and New Zealand to re-invest into new botnet schemes.
Other criminals launder their money in a variety of ways — through buying expensive cars, homes in the U.S. and abroad, or investing in other types of criminal enterprises like narcotics and human trafficking. More alarming, governments that sponsor malicious activity use these proceeds to fund illicit war programs, like North Korea’s proliferation of nuclear weapons, according to several reports by U.S. government agencies.
In another ICCS panel, Sagar Ravi, who helps oversee the New York Southern District’s Complex Frauds and Cybercrime Unit, described a complex scheme involving frozen chicken — yes, frozen chicken — purchased with the proceeds of a series of cybercrimes, then shipped to Ghana where frozen chicken is in very high demand.
The group of men from Ghana used common frauds including “romance scams,” which often target elderly people and involve tricking someone into believing an online love interest desperately needs money for one reason or another; as well as business email compromise schemes, which cause business owners to wire vendor payments to fraudulent accounts.
Then, they used the proceeds to buy millions of dollars in frozen chicken from major U.S. suppliers and ship it overseas, a move that even disrupted Ghana’s own domestic farms while the scammers raked in enormous profits on the low-overhead, high-profit purchase.
Often, when we investigate cybercrimes that occur on a small scale against individuals or corporations, we de-emphasize the “who” of the crime, because knowing the perpetrator is often secondary to the emergent issue of fixing the problem, clawing back lost funds or restoring damaged computer equipment.
But when it comes to the big picture of how you as a business owner approach cybersecurity, losing even a small amount of money to crime should not be written off as merely a “cost of doing business.” That’s why we encourage everyone to be vigilant against all of these types of crime.
Preventing them means less money in the hands of criminals, rogue governments and those who want to simply build even bigger illicit money-making machines. The solution is simpler than it appears: patching, good training of employees, sound password strategy and frequently updated hardware, among other essentials.
Kate Fazzini is Director of Security Operations and Engineering at Ziff Davis; an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.