the next generation of cyber crime


    8/7/2019 The Next Generation of Cyber Crime

    The Next Generation of Cybercrime

    How it's evolved, where it's going

    Executive Brief

    Copyright 2010 SecureWorks, Inc. All rights reserved.

    secureworks.com


    Table of Contents

    Executive Summary (page 3)
    The First Generation of Cybercriminals (page 4)
    The Second Generation of Cybercriminals (page 4)
    The Third Generation of Cyber-criminals (page 5)
    The Fourth Generation of Cybercriminals (page 6)
    The Current Generation of Cybercriminals (page 8)
        Next Gen Pay-Per-Install (page 8)
        Malware Tech Support (page 8)
        Point-and-Click Cybercrime (page 9)
        APT: Advanced Persistent Threats (page 10)
    Recommendations for Business Leaders (page 11)

    About SecureWorks

    SecureWorks is exclusively focused on protecting our clients' digital assets against cyberthreats. We do that with intelligent defenses that combine our proprietary technology, global threat visibility and recognized expertise. We are 100 percent focused on information security; it's all we do. That's why we are trusted in 70 countries by more than 2,900 clients, including more than 85 of the Fortune 500. SecureWorks offers a full suite of Managed Security, Threat Intelligence and Security and Risk Consulting services.

    Copyright 2009-2011 SecureWorks, Inc. All rights reserved. SecureWorks, iSensor, Sherlock and Inspector are either registered trademarks, trademarks or service marks of SecureWorks, Inc. in the United States and in other countries. All other products and services mentioned are trademarks of their respective companies. This document is for planning purposes only and is not intended to modify or supplement any SecureWorks specifications or warranties relating to these products or services. The publication of information in this document does not imply freedom from patent or other protective rights of SecureWorks or others. SecureWorks is an Equal Opportunity Employer.


    This paper provides an executive-level primer on cybercrime by covering key profiles of cybercriminals, their methods and their motivations. After reading this Executive Brief, a business leader will understand the nature of the cybercrime threat.

    Executive Summary

    Cybercrime and cybercriminals have been around since businesses first began using the Internet for commerce. The rate of cybercrime and its cost to businesses have increased dramatically over time, transforming cybercrime from a minor inconvenience to a significant risk that must be appropriately managed.

    News reports of large-scale data breaches at brand name companies are more frequent than ever. According to a study conducted by the Ponemon Institute, the average cost of a data breach in 2009 was $6.75 million. From the same study, the most expensive reported breach in 2009 cost one organization nearly $31 million.

    Clearly, organizations must take strong steps to protect their IT assets from cybercriminals. Cybercrime is pervasive: today's businesses are constantly being probed and attacked by cybercriminals searching for sensitive data and system weaknesses. It is critical that business leaders in a position to drive positive security change understand the risks posed by cybercrime.

    This Executive Brief sheds light on the risk of cybercrime by profiling several generations of cybercriminals over time, and pointing out how the criminals, their methods and motivations have evolved. The common adage "know your adversary" is as true for cybercrime as it is for warfare. By understanding the motivations and methods of cybercriminals, business leaders can better gauge risk and take decisive actions to protect their organizations.

    The average cost of a data breach was $6.75 million in 2009.

    The most expensive reported breach in 2009 cost nearly $31 million.

    Source: 2009 Annual Study: Cost of a Data Breach, Ponemon Institute

    Figure: Losses due to a single cyber threat (in millions of dollars), comparing Traditional Crime (bank robbery, etc.) with the ZeuS Trojan (ZeuS Group A); bars show amounts Recovered and Net Loss. Source: ZeuS Working Group.


    The Third Generation of Cyber-criminals

    Cybercrime goes big time

    Two distinctions marked the third generation of cybercriminals: organization and discretion. Cybercriminals matured, recognizing the value of working together for ill-gotten gains while setting their sights on larger, more lucrative targets. The methods (worms, Trojans, DDoS, botnets, etc.) were the same as the previous generation's, but the execution reflected the influence of more traditional criminal enterprises.

    Hacker groups had been around for years, seeking power and influence throughout underground hacking communities. However, this new wave of cybergangs had one purpose: profit. For these gangs, cybercrime was just a means to an end, an easier way to extort and conduct fraud.

    This generation targeted businesses handling large sums of money, such as financial institutions and gambling services. In October 2003, U.K. bookmakers were extorted by a cybergang using DDoS attacks to shut down their operations. Total losses were estimated at $3M (£2.2M).

    In perhaps the largest attempted heist at the time, a cybercriminal worked with insiders at the London branch of Japan's Sumitomo Mitsui Bank to plant a Trojan in the bank's network. He then used the Trojan to steal credentials and attempt to transfer nearly $300M (£220M) to accounts he controlled around the world.

    The cybercriminals in both these cases were eventually arrested, but not before causing significant damage and financial loss to their victims.

    Maria Zarubina and Timur Arutchev were part of a Russian cybercrime gang which attacked a number of British bookmakers, resulting in approximately $3M in losses.

    Yaron Bolondi used a Trojan and help from bank insiders to attempt the theft of £220M from the London branch of Japan's Sumitomo Mitsui Bank.


    The Fourth Generation of Cybercriminals

    Want to buy an exploit kit?

    The rise of criminal-to-criminal activity distinguished the fourth generation of cybercriminals. A robust and efficient underground economy emerged, providing the opportunity for cybercriminals to buy and sell goods and services to each other. Distinct, specialized cybercrime businesses came into prominence, including:

    - Exploit Auction Houses, such as WabiSabiLabi, that provide a marketplace where cybercriminals buy and sell exploit code, including exploits for software vulnerabilities not publicly known.

    - Malware Distribution Services, such as IFRAMES.BIZ, specialize in pushing out malware to infect thousands of hosts. These services typically have an established distribution medium, such as a network of compromised websites or infected online ads, that they use to quickly infect large numbers of computers.

    - Botnet Rentals, such as 5Socks.net, maintain one or more botnets that are hired out to other cybercriminals. The rented botnets can be used to send spam, host illegitimate sites, steal sensitive information, execute DDoS attacks and conduct many other criminal activities.

    - Next Generation Identity Sellers, such as 76Service.com, brought buying and selling stolen identity data to a new level. These new services gave cybercriminals an online platform for buying, selling and managing a portfolio of stolen records, taking cues from online stock trading platforms to help the hackers maximize their investments.

    - Licensed Malware, such as the Storm Worm, became prevalent in this generation. Malware authors adopted licensing models, forcing other cybercriminals to pay for their malware. This provided more funding for malware authors, and enabled other cybercriminals to quickly purchase high-end malware instead of having to develop it themselves.

    76Service.com is one of many cybercriminal websites designed for buying, selling and managing portfolios of stolen identity data.

    Sites such as dark0de serve as markets for buying and selling malware.

    Malware Distribution Services, like the full-service pay-per-install site installconverter.com, specialize in pushing out malware and infecting thousands of computers in a short amount of time.


    - Social Networks for Cybercriminals also emerged, with sites providing reputational rankings of buyers, sellers and partners in the cybercrime marketplace. This included trusted entities performing escrow functions when one or more untrusted parties are involved in a cybercrime operation.

    As the cybercrime economy matured, it brought cybercriminals the benefits of specialization and distributed risk. Cybercriminals talented in finding new vulnerabilities and writing exploits could specialize in that area and easily fund their work by selling their exploits. The same dynamic applied to malware authors, distributors, botnet owners, and others in the cybercrime supply chain. As a result of this specialization, the sophistication of cyberattacks increased across the board and everything sped up.

    With greater specialization and distribution of functions, cybercriminals were able to distribute the risk of getting caught. For example, malware authors no longer had to steal data and conduct fraud to make money; they could sell their malware for profit without engaging in higher-risk activities. This also made it more difficult for authorities to track and prosecute all of those involved in cybercrime operations.

    Figure: the cybercrime supply chain. Exploit Research -> Malware Development -> Distribution / Installation -> Command & Control -> Harvest Data -> Package & Sell -> $$$. Specialists developed for every function in the cybercrime supply chain.


    The Current Generation of Cybercriminals

    How can I serve you malware today?

    Moving beyond the fourth generation to the present, cybercriminals today are continuing to refine and fine-tune each element of the cybercrime supply chain. The current batch of successful cybercriminals are more entrepreneurial and business-savvy than past generations, fueling the growing cybercrime economy with cash. As a result, attacks continue to grow in sophistication and frequency.

    Next Gen Pay-Per-Install

    Pay-Per-Install (PPI) malware distribution schemes have been a key area of growth. The business model for these scams has matured into a system in which a single PPI site may partner with thousands of affiliates who distribute malware. These affiliates are paid based on the number of malware installs they produce, with typical affiliates reporting more than 10,000 installs a month. A PPI scam with a thousand affiliates can easily infect millions of systems every month.

    PPI sites are now taking steps to improve the productivity of their affiliates. Some sites offer help developing content for affiliate scams. Many provide guidance or tutorials on how to make their malware less detectable by antivirus software, or FUD (Fully Un-Detectable). Even live support is available for affiliates of certain PPI sites.

    A key player in the PPI cybercrime business is Pay-Per-Install.org. While this site has set up affiliate programs, it primarily serves as a forum and marketplace where cybercriminals can discuss which PPI programs are yielding the highest profits. The Pay-Per-Install organization gets referral bonuses from other affiliate programs and provides a full range of help guides and tutorials.

    Malware Tech Support

    Building on the previous generation's trend of licensed malware, today's malware is increasingly commercialized. Malware kits now include tech support for paying cybercriminals to help them better utilize the tools. Of course, most malware authors sell their tools with a disclaimer that they should be used for research only.

    Pay-Per-Install.org is a forum and marketplace for the PPI business where cybercriminals discuss the best affiliate PPI programs and how to make money installing malware.

    Nuclear RAT and Bondook RAT malware tools have been used in both the Better Business Bureau (BBB) and Internal Revenue Service (IRS) targeted email scams. Developed by the Nuclear Winter Crew, the tools boast a long list of features, English interfaces and support forums.


    There are few legal consequences for selling malware: as long as the author does not use the malware himself to compromise a computer, it is generally not illegal. Most malware authors also operate in countries that shield them from civil actions, removing that risk as well. This allows malware authors to provide instructions, support forums and other technical support for their product. In turn, this lets them sell their malware to any cybercriminal willing to pay, not just those savvy enough to operate it without guidance. As a result, they can sell their malware to a larger market and make more money.

    Point-and-Click Cybercrime

    Threats in the current generation are increasingly automated, allowing cybercriminals to be more productive in less time. Cybercriminals take advantage of malware tools and scripting techniques to automate various stages of their schemes.

    Less skilled hackers can purchase tools to easily identify vulnerable targets, compromise systems and steal data. More sophisticated cybercriminals may buy tools or develop custom tools and scripts on their own. In some cases, integration across multiple tool sets that perform distinct functions has been observed in larger cybercrime schemes.

    An investigation into a check counterfeiting ring known as BigBoss revealed a highly automated system for check fraud that encompassed:

    - Creating a botnet
    - Stealing credentials to online services, especially check image archival services
    - Stealing check images from these services
    - Printing counterfeit checks using commercial-grade check printing software
    - Scraping job websites to find job-seeker email addresses
    - Spamming those addresses to recruit money mules to cash the forged checks
    - Recruiting money mules to cash the checks and wire the funds to the cybercriminals' accounts
    - Shipping forged checks to the mules

    BigBoss Check Counterfeiting Operation

    The BigBoss cybercrime ring uses a highly automated system to steal digital check images and commit large-scale check fraud. In the last year, it is estimated that this group printed more than $9M worth of counterfeit checks of small amounts, less than $3,000.

    The high degree of automation allowed the BigBoss ring to operate at a much larger scale. The forged checks were always for an amount below $3,000 to avoid holds that are usually placed on larger check deposits, yet it is estimated that the BigBoss crime ring printed more than $9M worth of counterfeited checks in the last year.

    APT: Advanced Persistent Threats

    The term Advanced Persistent Threat, or APT in short, became prominent in 2010 as a name for targeted attacks on specific organizations by determined, well-coordinated cybercriminals. In the cybersecurity community, APT most often refers to sophisticated attacks aimed at governments and corporations to gather intelligence or achieve specific nonfinancial objectives.

    APTs are frequently attributed to nation-states or agents of nation-states. On some occasions, APTs have been linked to terrorist and fringe political groups.

    The most recent high-profile APT cyber-attack was Operation Aurora, which targeted Google and several other organizations. The attacks were sourced to China and used a combination of sophisticated reconnaissance and targeting, advanced Zero-Day exploits, commercial malware and custom-developed malware. The intent of the attacks was to gain access to enterprise and government networks, create a multipurpose botnet and carry out cyber-espionage.

    APTs are not unique to the current generation of cybercriminals; these kinds of threats have been active for years, executing operations such as Titan Rain to gather intelligence. However, the skill and sophistication of APTs has evolved along with the cybercrime community, and few organizations are prepared to fend off a highly coordinated and determined attack from an APT.

    ADVANCED: using the best methods available to penetrate systems, gather intelligence and evade detection.

    PERSISTENT: focused on a specific objective and target, not fast financial gain.

    THREAT: organized, coordinated and sophisticated operations by skilled agents.

    Evidence Found for Chinese Attack on Google

    By JOHN MARKOFF
    Published January 19, 2010

    SAN FRANCISCO - Now, by analyzing the software used in the break-ins against Google and dozens of other companies, Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.


    Recommendations for Business Leaders

    Cybercriminals are constantly evolving with changing methods, tools and motivations. The only constant is that tomorrow's cybercriminal will pose a greater threat to businesses than today's. Business leaders must assume that the defenses in place now will not be sufficient next year, and they must be strategic in how they allocate their security resources.

    Business leaders should consider these next steps:

    - Conduct a comprehensive information security risk assessment. Similar to a classic SWOT business analysis, strategic management of information security risk is based on understanding strengths, weaknesses, opportunities and threats. A full risk assessment should identify the strengths and weaknesses in your security posture, compare them to confirmed and likely threats, and provide prioritized recommendations for reducing risk.

    - Investments in security products should be made where necessary to support risk-based information security policy. Simply buying the latest security technologies without strategic direction results in wasted capital and high opportunity costs. Security investments based on policy with organizational acceptance have a much higher likelihood of success and consistently yield better performance.

    - Security technology alone is far from sufficient. Expertise, either in-house or via a strategic security partner, is essential to staying ahead of cybercriminals. Mature processes are also key, enabling more effective day-to-day security operations as well as mid-to-long term functional management.

    - Most businesses should forego bleeding-edge security technologies unless they are the only viable option available to mitigate high-risk threats. Not only are second- and third-generation products more effective, they are usually less expensive and easier to operate. Businesses should consider cost-effective ways (such as real-time monitoring and management services) to improve the performance of their existing technologies before making large investments in first-generation products.

    - Establish a threat intelligence function to monitor trends and emerging threats that impact your business. To compensate for limited visibility across the cyberthreat landscape, leading organizations establish relationships with peers, industry groups, government agencies and vendors to source intelligence.

    Learn More

    SecureWorks offers comprehensive information security services to help protect businesses from cyberthreats, including Managed Security Services, Threat Intelligence, and Security and Risk Consulting Services. For more information about information security solutions offered by SecureWorks, please call 877-905-6661 (toll-free), email [email protected] or visit us at www.secureworks.com.
