Victimizing one party in order to victimize another is an interesting characteristic of cyber-crime compared with physical-world crime. There is the victim of the crime (i.e. the one who lost the money) and the victim who is unknowingly used to execute the crime. These unknowing victims range from home computers that have been botted, to service providers whose bandwidth is used, to company computers that are broken into, to people who get duped into being eMules. Brian Krebs of the Washington Post’s Security Fix blog (‘Money Mules’ Help Haul Cyber Criminals’ Loot) has a really nice write-up on eMules, how the crime operates, and the consequences to the people who are used for the crime. What we’re seeing is a major characteristic of the cyber-criminal economy (i.e. the miscreant economy).
What is scary about this characteristic is that the victims used to execute the crime are being held liable. We’ve seen this where the industry blames the people owning violated computers. We’ve seen it with eMules (read Slashdot’s commentary on Brian Krebs’ article). We’ve seen it with phishing. It seems that our law enforcement and liability practices are focusing on the tool of the crime vs. the perpetrator of the crime. So these tools of the criminals are dual victims: the criminals use them to perpetrate the crime, then law enforcement holds them liable for the crime. A shield for the criminal. Low-hanging fruit for law enforcement. 🙁