Microsoft leading the fight to counter cybercrime

Set up in 2013, its Digital Crimes Unit is staffed by a 100-strong team of specialists


It’s 1pm and a pensioner, at home alone, picks up the phone on the third ring. On the other end of the line is a well-spoken man who says he is ringing from Microsoft.

“There’s a problem with your computer,” he explains. “If you give me remote access, we can get it cleared up quickly.”

It seems genuine, so the access is granted – it’s just a click or two on a pop-up box that appears on the screen – and the man at the other end of the phone gets to work. Except he isn’t helping to update software and weed out bugs; he is looking through the files on the computer to see if there is anything worth stealing, such as financial data or other confidential information.

That’s one of the typical scenarios described by Microsoft’s Patti Chrzan, senior director of strategic programmes for Microsoft’s Digital Crimes Unit. Most at risk from this particular type of fraud are older users, who are more likely to have landlines and be at home during the day, and less likely to question the seemingly professional caller who just wants to help them out.

Set up in 2013, the Digital Crimes Unit has taken on the task of trying to fight the tide of online crime, ranging from spam attacks spreading malware through zombie computer networks to software piracy that impacts Microsoft’s own bottom line. Located in a restricted area of Microsoft’s Redmond campus in Washington, the unit works with companies and organisations to track down and eliminate threats.

“This is about people,” Chrzan says. “Every single second, 12 people are victims of cyber crime online.”

When you look at it, the statistics are frightening. In the US alone, the type of scenario described above affects 3.3 million people each year, with consumer losses of around $1.5 billion.

And that’s only the tip of the iceberg.

If you’ve ever been online, it’s unlikely that you have escaped untouched by digital crime. Whether it’s a simple virus in your machine or full-blown identity theft that ends in some sort of financial loss, most people will have been exposed in some way.

While companies and consumers are a bit more clued in about the threats in general, the malware creators are always upping their game.

Chrzan says industry statistics reveal that the average number of days malware can sit on a network before being detected is 200 – that’s three quarters of a year in which it can be working quietly in the background.

Gather evidence

An applet running on a screen in the hallway shows that infected devices tried to communicate with Microsoft’s sinkhole 886 million times in two days. It’s split by country too: in India it was B106 – financial and identity theft malware – that was trying to communicate the most. In Ireland, it was Conficker that came out on top, with the majority of the infected devices located in Dublin, followed by Tramore, Cork, Carrigaline and Galway.

The DCU partners with private entities to help fight security threats too, including companies that have been dragged into spam campaigns through the unauthorised use of their trademarks. But managing these partnerships requires a careful balance. Unlike traditional crime, there’s more risk the greater the number of people who are in the know. “It’s easy for criminals to pick up their infrastructure and move it, and then you have to start all over again,” says Chrzan.

Among the investigations the unit has been involved in are the disruption of several high-profile botnets, including Dorkbot, the battle against a spam campaign involving the misuse of Pfizer’s trademarks and logos, and the takedown of an organised crime group’s counterfeiting of video games.

Regardless of the type of crime, though, big data and the cloud are starting to play a larger role in fighting it. In Microsoft’s case, it uses Azure, which allows it to scale its operations according to the amount of data coming in. It means the Digital Crimes Unit can process the incoming data reliably and faster than before, and react to any developments more quickly.

Microsoft can also use the service to further protect customers, for example by running the IP addresses connecting to the botnet sinkhole against those trying to access some of its clients’ services. “We’re always looking for ways to continue to scale to ensure cleaning and notification happens faster,” explained Chrzan.
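The cross-referencing Chrzan describes, as an added illustration that is not Microsoft’s code: constructed sinkhole hits (TEST-NET addresses, hypothetical family labels) are matched against constructed access-log lines, with a time window so that a stale hit on a since-reassigned address does not fire.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (TEST-NET addresses, not real indicators): when each
# infected device contacted the sinkhole, and which malware family it belonged to.
SINKHOLE_HITS = """\
2016-03-01T10:00:01Z 203.0.113.10 b106
2016-02-20T08:30:00Z 198.51.100.7 conficker
2016-03-01T10:02:11Z 203.0.113.10 b106
"""

# Constructed access-log lines from a client's service on the same day.
ACCESS_LOG = """\
2016-03-01T11:15:00Z 203.0.113.10 GET /login 200
2016-03-01T11:15:03Z 192.0.2.44 GET /login 200
2016-03-01T11:16:10Z 198.51.100.7 POST /api/export 200
"""

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sinkhole(text):
    """Index sinkhole hits by source address: ip -> [(time, family), ...]."""
    index = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            when, ip, family = line.split()
            index[ipaddress.ip_address(ip)].append((_ts(when), family))
    return index

def flag_suspect_sessions(access_log, index, window=timedelta(hours=24)):
    """Return access entries whose source IP hit the sinkhole within `window`.

    Consumer addresses are reassigned and shared behind NAT, so a stale hit says
    little about who holds the address now; even a fresh match is a lead for
    notification and clean-up, not proof that this session is malicious.
    """
    flagged = []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        when, ip, method, path, _status = line.split()
        seen_at = _ts(when)
        hits = index.get(ipaddress.ip_address(ip), [])
        families = sorted({fam for t, fam in hits if abs(seen_at - t) <= window})
        if families:
            flagged.append({"time": when, "ip": ip,
                            "request": f"{method} {path}", "families": families})
    return flagged
```

With the default 24-hour window only the address seen at the sinkhole that morning is flagged; widening the window to 30 days also pulls in the address whose last hit was ten days earlier.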

It all requires a crack team of experts, though, and the unit is staffed by more than 100 lawyers, data scientists, investigators, analysts, engineers and business professionals. Among those working in the Evidence Room on the day we visit is Irishman Donal Keating, senior manager in cyberforensics. He worked in the company’s Irish operations before relocating to Redmond a couple of years ago. Standing in front of a large video screen, Keating demonstrates how data visualisation can be used to pinpoint risk for companies.

Big business

“You may be buying cheap IT, and as a rule cheap IT is free like a puppy – it tends to come with some problems,” he says.

It’s big business; a recent theft of activation codes for Windows 7 from within the company’s supply chain in China was worth millions of dollars to the perpetrators – now behind bars as a result of the DCU investigation.

Again, it’s not just financial risk though. There’s a convergence between unlicensed, unmanaged software and malware, Chrzan says.

The unit carried out a study with IDC that revealed that, on average, 30 per cent of unlicensed software is pre-infected with malware. That rate can be as high as 70 per cent in some areas. So the stakes are high for all involved.

It’s not just about financial loss, though. Microsoft’s unit is also helping to fight the exploitation of children through its PhotoDNA project. A partnership with the National Center for Missing and Exploited Children that began six years ago, it allows agencies to scan and log abusive images of children, giving each photo a unique “fingerprint” that can then be searched for on devices and services, even if the image has been slightly altered.

It’s not facial recognition but a complex algorithm, Chrzan explains. To date more than 125 million victim images have been scanned, and the database is available to law enforcement. The original tool was on premises, but last year Microsoft announced that it was available to enterprise organisations as a cloud service.
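To show what a fingerprint that survives slight alteration means in practice, here is an added example that is not PhotoDNA (whose algorithm is proprietary) but a simple difference hash (dHash) over grayscale pixel grids: an image and a brightened, noise-sprinkled copy hash to the same 64 bits, while an unrelated image lands far away. The test images are constructed.

```python
# Constructed stand-in for PhotoDNA-style matching: dHash over grayscale grids.
GRID_W, GRID_H = 9, 8          # 8 rows x 8 left/right comparisons = 64 bits

def downsample(img, cols=GRID_W, rows=GRID_H):
    """Shrink an image to cols x rows by averaging each rectangular block."""
    h, w = len(img), len(img[0])
    out = []
    for r in range(rows):
        y0, y1 = r * h // rows, max(r * h // rows + 1, (r + 1) * h // rows)
        row = []
        for c in range(cols):
            x0, x1 = c * w // cols, max(c * w // cols + 1, (c + 1) * w // cols)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(img):
    """64-bit fingerprint: bit is 1 where the right-hand neighbour is brighter."""
    bits = 0
    for row in downsample(img):
        for x in range(GRID_W - 1):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

def is_match(a, b, threshold=10):
    """Near-duplicate test: a small distance tolerates brightness shifts and noise."""
    return hamming(a, b) <= threshold

# --- constructed 36x32 test images, not real data ---
def make_original():
    # 9x8 blocks of 4x4 pixels whose brightness steps strongly between columns
    return [[((x // 4 * 3 + y // 4 * 5) % 6) * 40 for x in range(36)] for y in range(32)]

def make_altered(img):
    # "Slightly altered" copy: brightened by 30 and sprinkled with bright noise pixels
    return [[255 if (y * 36 + x) % 53 == 0 else min(255, v + 30)
             for x, v in enumerate(row)] for y, row in enumerate(img)]

def make_unrelated(img):
    # Inverting brightness flips every comparison, so it reads as a different image
    return [[255 - v for v in row] for row in img]
```

The threshold is the tuning knob: too low and edited copies escape, too high and unrelated images collide, which is why production systems pair a hash like this with human review.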

Things change though, with criminals turning to video and live streaming. It’s an ongoing challenge for both law enforcement and tech firms, but one Microsoft is adapting to. “We constantly work to see where criminals are going so we can start to look at tools and technology to make an impact in that space as well,” says Chrzan.
