Organized Cybercrime Revealed
The shadow economy for stolen identity and account information continues to evolve
September 28, 2009
As if CSOs don’t have enough on their plates, they now need to beat back made men, capos and the other elements of the Mafia. Yes, the Mafia is formally involved in cybercrime, or so alleges the U.S. attorney for Florida, who filed charges against associates of the Bonanno crime family that included pilfering data from Lexis-Nexis.
The Mafia engaging in cybercrime might sound like your grandmother joining Facebook. In fact, “the majority of data breaches are the result of organized crime,” says Nick Holland, an analyst at Aite Group in Boston. That doesn’t mean it’s the conventional Mafia pulling the strings—though it can be. Sometimes it’s hard to tell just who is in control. The cybercrime groups that become notorious, like the Rockfish or the old Russian Business Network, are the exceptions: very few cybercrime groups publicize themselves, says Steve Santorelli of Team Cymru. (Cymru, pronounced cumri, is the Welsh word for Wales.)
Observers sometimes disagree on just who’s behind a crime. Take last year’s RBS WorldPay scam, in which hackers not only made off with 1.5 million records from the electronic payments processor, but also produced counterfeit ATM cards that were used to withdraw more than $9 million in 49 cities around the world within a single hour. Frank Heidt, CEO of Leviathan Security in Seattle, thinks this was the work of an extremely well-organized group with roots in Russian organized crime. Peter Cassidy, director of research at Triarche Consulting Group in Cambridge, Mass., says it looks like a franchise-style operation in which the data, along with details on how and when to use it, were sold to groups operating in different regions.
Either way, it’s organized crime. Just a few years ago, most hackers either acted for the glory of spreading a virus they’d written, or handled all aspects of an operation, from phishing to building fake websites to cashing in on the fraud. Since then, cybercriminals have discovered Adam Smith. They specialize, they create markets and above all, they’re entrepreneurial. And because of the Internet, “you get radical distribution of labor and a radically fast ability to recruit skills,” says Cassidy.
These organizations adopt various structures. The crime family model obviously still applies when the Mafia is involved. Some groups that seem independent of the Mafia, like the people who ran Carder’s Market—an underground site for buying and selling credit card information—also use a Mafia-like structure and terminology. Phishing groups tend to work like Japanese keiretsu, says Cassidy, who is also secretary of the Anti-Phishing Working Group. Cybercriminals sometimes use a hub-and-spoke model, where a criminal mastermind puts together various tools and people needed to pull off a job. Want a botnet? A Symantec study found that on average, you could gain use of one for $225. Need a keystroke logger? Average price: $23. Want someone to host a phishing scam? That can be had for as little as $2. A specific vulnerability in financial sites might cost $3,000.
You can even get specialized versions of malware, websites, etc.—the Verizon 2009 Data Breach report found that 59 percent of the malware it saw was customized. Sometimes the criminals adopt models that look like the software business. You can literally buy “fraud as a service,” where criminals subscribe to hosted services—a story first illuminated in CSO’s September 2007 article, “Inside the Global Hacker Service Economy” (see www.csoonline.com/article/456863).
Between 70 percent and 80 percent of malware now comes from organized groups, estimates Bogdan Dumitru, CTO at BitDefender, an antivirus firm based in Romania. Lone hackers still break new ground: Dumitru says Twitter malware that’s popped up recently was “developed by a kid. But in the next two months we’ll probably see organized entities taking advantage of it.”
The fluidity of cyberorganizations can make them more difficult for law enforcement to penetrate than their real-world counterparts. But it’s not impossible. DarkMarket, a spam and phishing forum, eventually was taken over and hosted on FBI servers. J. Keith Mularski, the supervisory special agent at the FBI assigned to the National Cyber Forensics and Training Unit, ran this site undercover, posing as a spammer named MasterSplynter.
DarkMarket started leading to arrests of prominent spammers and phishers in May 2007. It eventually closed in October 2008, after the arrest of DarkMarket’s boss, a Turkish hacker whose handle was Cha0, leaving Mularski as the last leader standing. Ultimately, 60 people, most of them among the most powerful members of DarkMarket, were arrested in at least four countries: Germany, Turkey, the U.K. and the U.S. The FBI also obtained six complete malware packages and may have prevented $70 million in losses at financial services firms. In addition, it arrested Cha0 and his seven-member gang in Istanbul before they could ship out about 1,000 ATM skimmers, preventing an estimated $33 million in further losses.
“Sure, they’ll reorganize, but with every law enforcement action, it’s a little bit harder to regroup,” says Mularski.
The DarkMarket operation has, at least temporarily, driven many cybercriminals off Internet Relay Chat and bulletin boards and into private instant messenger groups that they control, says Team Cymru’s Santorelli.
DarkMarket involved law enforcement groups working together across borders. That’s a good step in what remains a challenge. Cybercriminals “are good at finding cracks in international law,” says Yuval Ben-Itzhak, CTO of security firm Finjan. A group might be based in one country, use servers in a second and commit crimes in a third.
This problem has led to calls for better international law. Brazil, for instance, has become a hotbed of bank fraud, phishing and Trojan activity because the penalties there are very light. Some are even calling for a body that can force Internet service providers to cut off servers that obviously house phishers.
More countries may be taking cybercrime seriously. While Eastern Europe is seen as a kind of Wild Cyber West, last year, Romanian police arrested 20 people in Ramnicu Valcea and Dragasani, towns known for organized eBay scams (one tried to auction off a Romanian city hall). Florin Talpes, BitDefender’s CEO, says joining the European Union in 2007 has changed attitudes in Romania and in Bulgaria, which have created stronger legal frameworks for fighting cybercrime.
Mularski, however, cites Romania as a country where traditional organized crime clearly has become involved in cybercrime. The FBI arrested 35 Romanians running a phishing and ATM skimming scam in Los Angeles, and Mularski says they were connected with Romanian organized crime. He notes that the FBI did work with Romanian law enforcement to make 80 arrests in the two countries in a separate case. At least there are arrests in Romania. That rarely happens in a place like Russia, although two unnamed Russian hackers were recently indicted in the Heartland and Hannaford hacking cases, along with U.S.-based alleged mastermind Albert Gonzalez.
Still, even cybercrime groups are subject to market forces. They have so flooded the cyber black market with credit card data that prices are falling, and organized crime has shifted its targets. They’re after medical records, which are valuable. They target company CFOs, aiming to gain access to corporate bank accounts and wire money out of them. That tactic has had success: In late July, The Washington Post detailed how stealth Trojans had been used to infect PCs used by a county treasurer, a school district and the head of a small business. Hundreds of thousands of dollars were wired to money mules, who then sent the funds on to bank accounts in Ukraine and Russia.
Targeted industries are also shifting. While financial firms make the juiciest targets, Borenstein says that RSA is seeing more activity around the healthcare, manufacturing and government sectors.
Also on the rise are call center scams. Organized criminals may get access to someone’s bank or brokerage account but be unable to transfer money because of Web protections put in place by financial firms. So the criminals call customer service to complain and even bully, hoping to get help in transferring money out.
Meanwhile, social networks “are gold mines to social engineers, to someone who wants to get to the CFO of an organization to attack them,” says Joshua Corman, principal security strategist at IBM Internet Security Systems. Corman says CSOs need to tell employees not to answer things like those “25 Questions” surveys that run rampant on sites like Facebook because the answers often include information used as hints for account passwords.
BATTLING BACK AGAINST ORGANIZED CYBERCRIME
Even as cybercriminals get more sophisticated, the best ways to stop them are often the simple ones. Verizon’s report said that many credit card breaches occurred at firms with minimal PCI compliance. It also found that 51 percent of firms breached had never changed the default vendor passwords for equipment.
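The default-password finding above is one a CSO can check for directly. The following script is an added example, not code from the article or from Verizon: it audits an exported inventory of device administrator accounts against a table of vendor-default credentials and flags accounts that still use a default, reuse the username as the password, or use a well-known weak password. The inventory rows, the vendor and model names (ExampleNet, AcmePay and their models) and the default-credential table are all constructed for illustration; a real audit would load a maintained default-credential list and an export from the actual device management system.

```python
"""Offline audit of device administrator accounts for vendor-default and
trivially weak credentials.

Added example, not part of the CSO article. The inventory, vendor names,
models and default credentials below are all constructed for illustration.
"""
import csv
import io

# Constructed table of factory-default credentials, keyed by (vendor, model)
# in lowercase. Real deployments would load this from a maintained list;
# these vendors and models are fictional.
DEFAULT_CREDENTIALS = {
    ("examplenet", "pos-2000"): {("admin", "admin"), ("admin", "")},
    ("examplenet", "edge-100"): {("root", "examplenet")},
    ("acmepay", "tx-gateway"): {("sysadmin", "acmepay123")},
}

# Passwords that are weak regardless of vendor (compared case-insensitively).
WEAK_PASSWORDS = {"", "password", "admin", "123456", "changeme", "default"}

# Constructed inventory export: one administrator account per row.
SAMPLE_INVENTORY = """\
hostname,vendor,model,username,password
pos-lane-01,ExampleNet,POS-2000,admin,admin
pos-lane-02,ExampleNet,POS-2000,admin,R7!kq2vLp9#
edge-fw-01,ExampleNet,Edge-100,root,examplenet
edge-fw-02,ExampleNet,Edge-100,root,root
gw-01,AcmePay,TX-Gateway,sysadmin,ChangeMe
gw-02,AcmePay,TX-Gateway,sysadmin,Xf4$u8Zq1m!t
"""


def audit_credentials(inventory_csv, defaults=DEFAULT_CREDENTIALS,
                      weak=WEAK_PASSWORDS):
    """Return a list of (hostname, username, reason) for every account that
    still uses a vendor default, reuses its username as the password, or
    uses a well-known weak password.

    Vendor and model are matched case-insensitively. Default credentials
    are compared exactly (vendors ship them with a fixed case); the
    username-reuse and weak-list checks are case-insensitive because those
    passwords are weak in any capitalization. Only the first matching
    reason is reported per account.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["vendor"].strip().lower(), row["model"].strip().lower())
        user, pw = row["username"].strip(), row["password"]
        if (user, pw) in defaults.get(key, set()):
            findings.append((row["hostname"], user, "vendor default"))
        elif pw.lower() == user.lower():
            findings.append((row["hostname"], user, "password equals username"))
        elif pw.lower() in weak:
            findings.append((row["hostname"], user, "well-known weak password"))
    return findings


def default_credential_rate(inventory_csv, defaults=DEFAULT_CREDENTIALS):
    """Fraction of inventoried accounts still on a vendor default, the
    figure comparable to the report's 51 percent."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    if not rows:
        return 0.0
    hits = sum(1 for h, u, reason in audit_credentials(inventory_csv, defaults)
               if reason == "vendor default")
    return hits / len(rows)


if __name__ == "__main__":
    for hostname, user, reason in audit_credentials(SAMPLE_INVENTORY):
        print(f"{hostname}: account '{user}' -> {reason}")
    print(f"accounts on vendor defaults: {default_credential_rate(SAMPLE_INVENTORY):.0%}")
```

The check is deliberately offline: it runs against an export rather than attempting logins, so it can be repeated on a schedule without touching production devices, and the result is a list a team can act on host by host.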
Equipment itself gets overrated by CSOs and CISOs, says Michael Levin, former deputy director of the National Cyber Security Division of the Department of Homeland Security. “They are wasting money on hardware and software,” he says. Instead, they should do things like tell employees not to click on e-mail attachments and other basics. Levin has cofounded the Center for Information Security Awareness in Fairfax, Va., which has prepared the free, online awareness training offered through Infraguard, the FBI’s regional effort to work more closely with private companies on cybercrime.
CSOs should get involved with groups like Infraguard or develop relationships with regional FBI or Secret Service agents and local law enforcement. They should also regularly assess their risk levels. “You have to assess every record and every piece of data in the place for its value to criminals,” says Cassidy.
CSOs should also be prepared to do much of their own forensics work before going to law enforcement. Levin says once law enforcement is involved, they may need a search warrant or even a grand jury subpoena to do things like explore company computers for malware, slowing the process.
Above all, talk to people outside of the security department or IT, and talk to peers at other companies, especially financial firms, which are on the front lines of the corporate cyberwars. The cybercriminals don’t cloister themselves, and CSOs can’t either.
© CXO Media Inc.