The Vancouver Police Department is one of the few in Canada with a dedicated computer investigative unit. (Photo: Martin Dee)

Cybercrime is a big term, covering everything from fraudulent spam, to hacking, to the theft of information from computers. It’s also a big problem, expanding at a pace that makes the dot-com madness of the '90s look positively lethargic.

In the first quarter of 2007, a staggering 23,864 new threats from malware — malicious computer code designed to commit crimes — were identified globally, according to Ron O’Brien senior security analyst at IT security solutions provider Sophos.

That's more than twice the number discovered in the same period in 2006.

As cybercrime evolves, law enforcement in Canada is struggling to manage a problem that is not only growing, but which operates freely across international borders. To make matters worse, the bad guys are constantly upgrading their skills and technology.

In Canada, there’s no single agency charged specifically with handling cybercrime, but a frontline resource against some types of online crime is the Canadian Anti-Fraud Call Centre. Also known as Phonebusters, it’s a joint operation of the Ontario Provincial Police, the RCMP, and the Federal Competition Bureau that serves as a central clearinghouse to collect mass-marketing fraud complaints.

Phonebusters doesn't actively investigate complaints. Instead, it analyses them and refers them to the appropriate law enforcement agency. The operation has 20 civilian staff taking calls, and four police officers in the analytical unit who filed more than 50,000 reports in 2006.

Det. Const. John Schultz, an OPP officer with Phonebusters, says the organization's role allows it to identify patterns across police jurisdictions to find groups that may be operating scams across Canada: "You can’t do that unless you have a central sourcing database."

As fraud artists increasingly turn to the web to perpetrate their scams, Phonebusters is referring more and more internet-based cons to local and national agencies. Non-fraud-related complaints, including "pure" internet crimes such as Distributed Denial of Service (DDOS) attacks, are usually reported directly to local police services or the RCMP.

Law Enforcement Under-resourced

However, while a central reporting mechanism for some types of web crime is helpful, it barely scratches the surface in addressing the growing plague of cybercrime.

Once a complaint lands with local law enforcement, outcomes vary. Not all police services have officers trained to deal with online crime, and many departments may have to refer a case elsewhere — typically to other police services or RCMP specialists — or simply place it on the backburner.

"There are very few online fraud investigators in Canada," says Det. Const. Mark Fenton of the computer investigative unit in the Vancouver Police Department. "A lot of people write these files off because they don’t have the knowledge and they think it’s too hard to investigate."

'There are very few online fraud investigators in Canada. A lot of people write these files off because they don’t have the knowledge and they think it’s too hard to investigate.'

— Det. Const. Mark Fenton

Where the expertise does exist, resources are being stretched to the limit.

Arne Stinnissen, manager of the Ontario Provincial Police electronic crimes division in Orillia, says that his unit — which specializes in recovering data from computers used in crimes — is seriously short of resources.

"We’re bringing in a case and a half a day, and clearing about half a case a day, so we’re continually under the gun," he says.

Training officers in high tech isn’t quick or cheap: Staff Sergeant Wally Hogg, head of the Waterloo Regional Police fraud branch, says that it can take a year to get someone up to speed and, with technology continually evolving, that training has to be a continuous process.

Prosecutions relatively rare

Once a case has been investigated, securing a conviction is another hurdle. Prosecutors are often reluctant to move forward with cybercrime cases, which can be complex and expensive to prosecute.

"It’s very frustrating," Fenton of the Vancouver police says. "The Crown counsel workload is very high. They have a hard enough time getting through files in the real world, and if all of a sudden they say ‘yes we’re going to accept these type of [cybercrime] files,' they think it’s going to open up an avalanche of investigations. And from a technical side, they aren’t set up to do investigations for cyber prosecutions."

The other problem, he says, "is that there’s no international law for this kind of stuff."

Since internet criminals aren’t bound by borders, crimes are often committed outside the jurisdiction of Canadian prosecutors. Pursuing these cases can involve administrative red tape at best, and out-and-out lack of co-operation from foreign authorities at worst.

There is also a perception that sentences for convicted cyber crooks may not be as serious in Canada as in other jurisdictions.

Digital threats

BOTNETS are networks of computers that have been hijacked by malicious groups or individuals. Their owners are usually unwitting victims who have no idea their machines have been infected and turned into so-called "zombies" or "bots." The zombie computers are typically used to distribute spam or phishing (see below) e-mails, or viruses and Trojans that are used to hijack other computers. Botnet operators often rent time or bandwidth on their networks to spam e-mail marketers and phishing scam artists.

MALWARE is a catch-all term for malicious software such as computer viruses and spyware, that compromise the security or function of personal computers.

PHISHING is a technique in which criminals try to trick people into disclosing sensitive information, such as online banking names and passwords, and is often conducted through e-mails.

PHARMING is an attack in which malicious individuals try to redirect traffic from one website to a false one. This is sometimes done to collect a person's login or password information.

TROJANS are programs that appear to perform a useful function in order to hide a malicious one. Like the Trojan horse of Greek myth that such programs are named after, the deception tricks people into granting crooks access to a computer.

ZOMBIES are computers that have been hijacked to perform commands and functions issued to them by the attackers, often without the owners' knowledge. They are typically infected by Trojans, a type of software that enables attackers to use them in a botnet. An infected computer is sometimes referred to as a bot — short for robot.

"Some [cybercriminals] in the U.S. are getting $2 million in restitution and 20 years on a deal," says John Schultz of Phonebusters. Here, they’re not getting that in a full blown trial."

The net effect is that cybercrime is a relatively low-risk endeavour for crooks in Canada.

"Criminals aren’t that dumb," says Bessie Pang, executive director of the Vancouver-based Society for the Policing of Cyberspace. "They can work out what are the chances of me being caught, and when I do get caught what are the chances of me having to pay for my crime. It’s a business equation."

Public-Private Partnerships

POLCYB is looking for ways to step up the national fight against cybercrime without breaking the bank, specifically by building broad-ranging interdisciplinary partnerships whereby police agencies, government, academia and the private sector can share information and resources.

Law enforcement agrees with the strategy.

"I’m relying more on public-private partnerships," Fenton says. "The [frequently targeted] financial institutions and corporations need our help, and we need their help to solve this stuff as well."

Experts also say that fighting cybercrime has no simple "made-in-Canada" solution.

Transnational co-operation is essential to catch mobile and flexible bad guys who can change servers and cities at the drop of a hat. To that end, there is the Convention on Cybercrime, an international agreement designed to make it easier to investigate and prosecute cases across borders by harmonizing cybercrime legislation in different countries. Canada signed on in 2001, but has yet to ratify the treaty or put its provisions into place.

Finally, experts say, public education is ultimately the key to winning the battle against online criminal activity. Police say that the computer-using public must learn how to protect themselves, not just with firewalls and antivirus software, but also with simple common sense about things such as responding to spammed e-mails or giving banking information to unknown websites.

"When you arrest someone, there’s always going to someone willing to take their place," Phonebusters’ Schultz says. "You’re never going to catch all the bad guys, so the goal has to be to have the best-educated consumers in the world."

[an error occurred while processing this directive]