By Melissa Hancock
With cybercrime on the rise in the Gulf, a special unit has been created to fight back against the region's online fraudsters.
For most of us, the mantra ‘out of sight, out of mind’ holds true. The 21st century pace of business life is so fast that we have little or no time to contemplate anything that isn't immediately under our noses. Sadly, it has taken a flurry of cybercrime attacks in the Gulf in recent weeks to alert the business community to the dangers of online fraud.
The two most high-profile attacks were foiled, fortunately, but caused enough damage to make people stand up and take notice. The first, an internet fraud ring in which criminals targeted investors by pretending to operate out of the Dubai International Financial Centre, was shortly followed by the thwarted hacking attempts on several eGovernment websites which resulted in service ‘downtime’ as well as the loss of large amounts of data. Salem Al Shair, e-services director at Dubai eGovernment, concedes that while these instances were the first to be "successful", there have been a number of previous hacking attempts on its websites.
Internet security firm Symantec's latest threat report shows that the UAE is the regional leader for cybercrime in the Gulf. The country ranks 46th out of 180 countries monitored globally, both in terms of origination of cyber attacks, as well as being a regular target for online fraudsters.
"The UAE's high-profile economic position, twinned with the fact that it is among the first to adopt the latest technologies, makes the country even more prone to online attacks than other GCC countries," explains Kevin Isaac, regional director of Symantec.
Something has to be done, and fast, before the problem becomes unsolvable. And the authorities are reacting. In recognition of the fact that cybercrime has reached worrying levels, the UAE's Telecom Regulatory Authority (TRA) announced earlier this month it was setting up a special anti-cybercrime body - the United Arab Emirates Computer Emergency Response Team. Dubbed aeCERT, the cyber security body will initially consist of ten people and operations will begin towards the end of 2007. The body's aim is to "facilitate the detection, prevention and response to cybercrime".
"aeCERT arose out of the need to safeguard the critical information and communication technology infrastructure residing under the government, business, and education sectors," Mohammed Al Ghanim, TRA director, tells Arabian Business. The TRA has already counteracted several attacks this year, mainly website defacement and phishing (mimicking an existing website to deceive investors), and Ghanim has openly admitted that "these caused great damage to businesses."
The government's first public stance against cybercrime came in February 2006 when it issued the Cybercrime Law No. 2 which states that cybercrimes in the UAE carry a maximum penalty of 10 years in prison and a US$55,000 fine. aeCERT will consolidate this law, says Al Ghanim.
"The new squad will no doubt enhance the Cybercrime Law and assist in the creation of new rules and regulations governing internet crime," he continued.
The creation of aeCERT, however, marks a crucial turning point for the region, as the TRA will now not only be a reactive body, but also act as a pro-active agency against cybercrime.
"aeCERT will provide a central trust point of contact for incident reporting as well as establish a national centre to disseminate information about threats, vulnerability and cyber security incidents. There will also be sector-based Computer Security Incidents Research Teams (CSIRTs) that will co-ordinate with domestic and international CSIRTs and related organisations," explains Al Ghanim.
Consequently, its existence will not only serve as a deterrent to hackers but also help to raise the profile of IT security in the country, an increasing concern given the huge percentage of the Arab population choosing to go online.
According to figures released by Madar Research, the number of internet users in the Arab world stood at 26.3 million at the end of 2005, a stark increase in comparison to 14 million users in 2004 and 4.5 million users in 2002.
This means the growth rate of internet use increased substantially over 2004 levels to average at around 55%, with a few countries where internet penetration is lowest witnessing triple-digit growth. This led to a pan-Arab penetration rate of 8.50% in 2005, with the UAE having the highest rates, followed by Qatar and Bahrain.
Furthermore, Arab internet usage is forecast to double to 50 million by 2009 among the 290 million people in the region, according to Google chief Eric Schmidt.
This forecast is further reinforced by the fact that computer purchase orders in the region are soaring due to the high standards of living in parts of the Middle East.
While web security professionals have hailed aeCERT as a positive move, this is not a green light for either individuals or companies to bypass the implementation of proper security. "There are two ways to fight cybercrime," says Patrick Hayati, regional managing director for internet security firm McAfee.
"One is to have the right tools in place to prevent attacks, and the other is to catch the bad guys and remove them from circulation. The TRA team will help with the latter."
Hayati also expresses his desire for the aeCERT team to act as an advisory body in issuing guidelines to companies on the necessary level of threat protection. Justin Doo, managing director of Trend Micro MENA, also believes similar guidelines need to be issued.
"Due to incomplete awareness, I would estimate that there are double digit percentages of poorly secured websites and webservers in the UAE," observes Doo. "It's very common when I'm deploying our technology to discover a high degree of infections on sites that thought they were protected.
"To be honest, that is part of the day-to-day environment nowadays, and some of that is because the technology being used is no longer up to the threats that they are often being exposed to," he continues.
Doo believes that the cost of securing an IT network is a small price to pay when you consider the potential financial ramifications of internet fraud.
"Our solutions start from US$650 to secure a small business with around five or 10 connected PCs, right the way through to upwards of a third of a million dollars for large distributed organisations with networks all around the world."
The need for both individuals and companies to improve their IT security is becoming more pressing now that phishing attacks are increasingly originating within the region.
Ivor Rankin, Symantec's senior security consultant for MENA, reveals that his investigation teams traced a significant number of phishing attacks back to perpetrators in the region in 2006. In a typical week, the study found, one attack originated in Jordan, one in the UAE, four or five in Saudi Arabia, eight in Egypt and up to three attacks originated from within Morocco.
While previously attacks were from other areas, such as Russia and Eastern European countries, Rankin claims that crime syndicates have enlisted Arabic-speakers to help tailor their attacks. "The unique aspect of the region is the Arabic language," he points out. "Therefore, although there are a lot of crime syndicates operating in South East Asia and Eastern and Western Europe, increasingly we're seeing that they need assistance and co-operation from people in a country or region with good Arabic skills, in order to be able to draft the emails and do all the necessary grammatical checks."
In November 2006, Emirates Bank's customers were sent an email containing a link to an illegal replica of the Emirates Bank website, through which users were asked to enter their confidential user names and passwords.
While a small number of account holders responded, no customers lost money in the attack owing to the fact that a new security measure - which ensures new beneficiary details cannot be entered online - had protected them. The fact that the attack mirrored an earlier incident in July alerted the bank to its being targeted and so it was able to send out a warning to its thousands of at-risk customers and clients.
Other banks that have been targeted by phishers include HSBC, National Bank of Abu Dhabi and Mashreqbank. Rankin, who has been working with several major banks across the region, providing instant response, anti-phishing services and forensic investigation, says that aside from the growing incidence of attacks, they are becoming more refined.
"If we look back at 2006, there has not only been a very dramatic increase in the number of phishing attacks launched against both financial and non-financial institutions within the GCC region, but also in the level of sophistication."
Middle Eastern countries, however, are wising up to the fact that they need to ramp up their IT security. Mohammed Gheyath, manager of technical affairs at the TRA, points out that a similar initiative to aeCERT is already in place in the emirate of Qatar and that other countries in the region are also considering instigating similar measures.
Saudi Arabia, which is in the process of implementing new laws to combat cybercrime, is one such example of a country adopting a no-nonsense approach to the problem.
While the country already has strong controls in place regarding access to certain types of online content, including pornography, the proposed new law will cover specific cybercrime offences such as internet hacking and even using mobile phones to take unauthorized pictures.
Those found guilty of committing a cybercrime within the kingdom could be punished with a fine in excess of US$130,000, or alternatively face a one-year jail sentence.
Doo, however, firmly believes that we cannot afford to solely rely on the region's governments to combat the threat. Instead, he urges the public and private sectors to work together to find a viable solution: "Institutions need to start helping themselves, and one of the best ways is by collaborating with the government to launch awareness campaigns that are broadly aware, and use multilingual messaging."