The Rise of the Digital Thugs

Computers crimes get more savvy as 'digital thugs' turn to extortion, attacks on competitors


Investigators said their examination of the stalkers communications indicated that he was much more than a hacker on a joy ride. That would be consistent with what law enforcement authorities and computer security specialists describe as the recent evolution of computer crime: from an unstructured digital underground of adolescent hackers and script-kiddies to what Mr. Bednarski describes in his study as information merchants representing a structured threat that comes from profit-oriented and highly secretive professionals.

Stealing and selling data has become so lucrative, analysts say, that corporate espionage, identity theft and software piracy have mushroomed as profit centers for criminal groups. Analysts say cyberextortion is the newest addition to the digital Mafias bag of tricks.

Generally speaking, its pretty clear its on the upswing, but its hard to gauge how big of an upswing because in a lot of cases it seems companies are paying the money, said Robert Richardson, editorial director of the Computer Security Institute, an organization in San Francisco that trains computer security professionals. Theres definitely a group of virus writers and hackers in Russia and in the Eastern European bloc that the Russian mob has tapped into.

Mr. Richardson is a co-author of an annual computer-security study that his organization publishes with the F.B.I. The latest version said that while corporate and institutional computer break-ins increased slightly last year from 2003, average financial losses stemming from those intrusions decreased substantially in all but two categories: unauthorized access to data and theft of proprietary information.

Among 639 of the surveys respondents, the average loss from unauthorized data access grew to $303,234 in 2004 from $51,545 in 2003; average losses from information theft rose to $355,552 from $168,529. The respondents suffered total losses in the two categories of about $62 million last year. While many cyberextortionists and cyberstalkers may be members of overseas crime groups, several recent prosecutions suggest that they can also be operating solo and hail from much less exotic climes like the office building just down the street.

In March, a federal judge in San Francisco sentenced a Southern California businessman, Mark Erfurt, to five months in prison, followed by three and a half years of home detention and supervised release, for hacking into the databases of a competitor, the Manufacturing Electronic Sales Corporation, and disrupting its business. In June, the F.B.I. in Los Angeles arrested Richard Brewer, a former Web administrator for a trade show company, accusing him of disabling his employers Web site and threatening further damage unless he was paid off. And last month in New York, the Westchester County district attorneys office charged a Tarrytown businessman, Gerald Martin, with hacking into a competitors computer network in order to ruin its business by tampering with its phone system.

Small-fry stuff, some of this, except that even local law enforcement officials say the episodes are multiplying. We have 590,000 people in our county, but were seeing lots of examples of lax or lackadaisical computer security, said Sgt. Mike Nevil, head of the computer crimes unit of the Ocean County, N.J., prosecutors office. Weve seen lots of examples of people going onto a competitors computer network and clearing out whatever information they can get.

For its part, MicroPatent initially believed that its problems were the work of a competitor. It sued one company that it suspected but later dropped that lawsuit. After Ms. Howells team joined the fray in late 2003, MicroPatent and its consultants began to isolate the stalker, using a small list of candidates distilled from earlier investigative work.