Keeping it in da family

Today's cybercrime is a fast-expanding, global industry, operating in a shadow economy that closely mimics the legitimate business world, right down to profit-driven organised crime groups.

Money is the driving force behind the growth of targeted attacks against financial institutions, enterprises and government agencies. Yuval Ben-Itzhak, CTO of Finjan, probes the dark world of organised cybercrime.

The financial damage from security breaches will keep running into millions: online fraud, partly fuelled by hackers stealing personal data through cybercrime attacks, currently amounts to £144 million.

With the transition of cybercrime from amateur hacker attacks to highly professional cybercrime business models, the organisational structure of cybercriminals has come to reflect this trend.

Individual hackers operating independently, or groups of hackers with common goals, have been replaced by hierarchical cybercrime organisations in which each cybercriminal has a well-defined role and reward system.

The cybercrime organisation and modus operandi

Today's cybercrime organisations bear an uncanny resemblance to traditional organised crime groups such as La Cosa Nostra. In both cases the boss is the head of the organisation; he operates as a business entrepreneur and does not commit the (cyber)crimes himself.

Directly under him is the underboss, the second in command, who manages the operation. In cybercrime, he is the one who provides the Trojans for the attacks and manages the command and control (C&C) of those Trojans.

Just as several capos operate beneath the underboss as lieutenants, each leading their own section of the operation, campaign managers lead their own attack campaigns. These campaigns let the criminals operate in a market that is highly sensitive to location, language and regional economic trends.

Since a one-scheme-fits-all approach does not work, their attacks focus on specific geographic regions and target selected businesses. Each attack (called a campaign) combines crimeware toolkits, Trojans and command and control (C&C) servers. It enables the cybercriminal to drive traffic from a specific region, with specific characteristics, to Trojans designed to target selected businesses.

A recent example is the highly effective ZeuS Trojan, which stole $6 million from banks in the United States, United Kingdom, Spain and Italy. Each campaign distributed the crimeware Trojan to specific territories, based on the type of compromised websites (e.g., financial), the location (e.g., banks in the City of London) and so on. It illustrates how today's cybercriminals deploy a 'think global, act local' business strategy.

They use their own affiliate networks to perform the attacks and steal the data, the same way a mafia family uses soldiers to do the dirty work. These affiliate networks act as distribution channels and are created specifically to promote infections.

They pay incentives to attackers who hack into legitimate sites and insert a reference to malicious code operated by other attackers. Once that code runs on a visitor's machine, participants are paid according to the number of infections achieved; the rate usually depends on the country of origin of the infected computer.
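The injected "reference to malicious code" described above is, in practice, an off-site iframe or script tag planted in an otherwise legitimate page. The scanner below is an added illustration written for this article, not Finjan's product or any code from the original text: it parses a page's HTML and reports every iframe, script, object or embed that loads from a host outside the site (and outside an explicit allow-list), judging the reference by what it does (off-site, zero-sized, hidden by CSS) rather than by matching a known signature. The sample page and all hostnames are constructed for the example and are hypothetical.

```python
"""Flag injected third-party references in a web page (added illustration).

Parses HTML with the standard library and reports iframe/script/object/embed
tags whose src points off-site.  Hidden-iframe tricks (0x0 size, display:none)
get extra reasons so a reviewer can triage them first.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefScanner(HTMLParser):
    """Collect off-site content references while the page is parsed."""

    WATCHED_TAGS = ("iframe", "script", "object", "embed")

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        # Same-site plus explicitly trusted third parties (e.g. an analytics CDN).
        self.allowed = {h.lower() for h in allowed_hosts} | {self.site_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")  # <object data=...> also loads code
        if not src:
            return
        host = urlparse(src).hostname  # None for relative URLs (same-site)
        if host is None or host.lower() in self.allowed:
            return
        reasons = ["off-site %s loaded from %s" % (tag, host)]
        if tag == "iframe":
            width, height = a.get("width", ""), a.get("height", "")
            if width in ("0", "1") or height in ("0", "1"):
                reasons.append("iframe sized %sx%s" % (width or "?", height or "?"))
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("iframe hidden via CSS")
        self.findings.append({
            "tag": tag,
            "host": host,
            "line": self.getpos()[0],
            "reasons": reasons,
            # More than the bare off-site reason means the tag is also concealed.
            "hidden": len(reasons) > 1,
        })


def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of findings for off-site content references in `html`."""
    scanner = ExternalRefScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hypothetical hosts): a legitimate same-site script,
# an allowed analytics host, and two injected references to an attacker host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.example-analytics.test/t.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://cdn-updates.example-bad.test/in.php" width="0" height="0" style="display:none"></iframe>
<script src="http://cdn-updates.example-bad.test/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "www.example-bank.test",
                       ["stats.example-analytics.test"]):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print("line %d: %s %s -> %s" % (f["line"], flag, f["tag"], "; ".join(f["reasons"])))
```

Run against the constructed page, the scanner reports the concealed iframe and the off-site loader script but stays silent on the same-site script and the allow-listed analytics host. Since it keys on behaviour (where the code comes from and whether the element is hidden) rather than on a known URL, the same check fires when the attacker rotates hostnames between campaigns.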

The stolen data is sold by resellers, who correspond to the Mafia's associates. These resellers are not involved in the crimeware attacks themselves but trade the stolen data, much like a fence dealing in stolen goods, using pricing models for the different kinds of product they offer.

Commodities such as standard credit cards are priced at a lower rate (e.g., $15 for a US standard MasterCard or Visa credit card) than more premium articles (e.g., $90 for an EU or UK Visa credit card).

Since credit cards and bank accounts are being commoditised, the prime targets are now healthcare-related information, single sign-on login credentials for organisations, email exchanges, Outlook accounts and FTP accounts.

These are considered premium goods in the criminal economy and can be traded for high prices. The resellers also provide service and give guarantees to their (potential) buyers, again uncannily similar to legitimate business practice.

Crimeware business models

For their operations, cybercriminals use sophisticated criminal-2-criminal (C2C) crimeware business models. These crime professionals use robust and scalable crimeware that gives them maximum flexibility in command and control for stealing and trading data. They use the latest Trojan technologies, silent installations and drive-by downloads for their attacks, successfully infecting PCs and networks around the world.

Crimeware toolkits are 'how to...' software packages that instruct their users step by step on how to infect a system and then retrieve data for financial gain. Using such a $100-$200 off-the-shelf DIY toolkit, cybercriminals can gain access to a company's balance sheets and manipulate stock behaviour; locate payroll information; obtain corporate bank statements and transfer money out of the business or between accounts; gain access to a company's budgets and private financial statements; steal its product roadmap and R&D work plan for industrial espionage; capture its credit card numbers for fraud; or steal intellectual property.

Crimeware toolkit creators are also copying the SaaS (Software as a Service) business model, often referred to as CaaS (Crimeware as a Service). At the beginning of this year we saw a new version of the notorious NeoSploit crimeware toolkit that contained a delivery system for the Trojan following a successful exploitation. It could be configured to serve a different version of the Trojan according to the country in which the victim was located.

Cybercriminals also deploy the data supplier model: criminals simply log into their data supplier and download whatever information suits the crime they intend to commit, be it financial fraud, industrial espionage or identity theft.

Hackers use crimeware servers as command and control for the crimeware executed on infected PCs, and as drop sites for the private information that crimeware harvests.

Effects of cybercrime

Although web attacks exploit security holes in internet browsers, the problem has become a major business one, compromising enterprises and organisations around the world. The damage crimeware attacks inflict is widespread and long-lasting, for victimised organisations and individuals alike.

Financial damage resulting from cybercrime 2.0 will keep running into millions of dollars, and no organisation, company, enterprise or business with Internet access is safe. This view is shared by Marcus Alldrick, responsible for information protection and continuity at Lloyd's of London, who pointed out that targeted attacks perpetrated by organised crime are on the increase because of the high return on investment (http://tinyurl.com/4dpzmn).

Successful data breaches can result in a wide range of business damage, including: loss of existing customers; difficulty in acquiring new ones; loss of intellectual property; loss of R&D data, including product designs and roadmaps; damage to brand name and corporate image; a negative impact on competitive position; loss of market share; potential lawsuits and class actions; non-compliance with rules and regulations; and loss of productivity due to downtime, investigations and damage control.

According to the Ponemon Institute's 2007 annual survey on the cost of data breaches, the average cost per incident in 2007 was $6.3 million, while the cost of lost business per incident was estimated at $4.1 million, an increase of 30 per cent over 2006.

The average cost of each compromised record was $197, while the average cost of a breach in the highly regulated financial sector was $239 per compromised record. The average cost of a third-party breach (cybercrime attack) is estimated at $231 per compromised record.

The number of compromised records per data breach is rising as well. A recent example is the international gang of 11 cybercriminals who stole 45.7 million credit and debit card numbers from customers in the UK, US and Canada by breaching TK Maxx's computer systems.

Executives and managers need to deal with the risk of successful data breaches, which will affect the performance and profitability of the organisation. An effective way for executives to protect themselves and their organisations against this kind of cybercrime is to opt for a multi-layered security solution, such as Finjan's active real-time content inspection.

To prevent crimeware and Web 2.0 attacks, malicious inbound and outbound content is detected based on the code's intended criminal action, not on signatures, URLs or reputation attributes. With real-time code inspection, enterprises can block malicious content before it enters their networks and steals their valuable business data.

www.finjan.com

This article first appeared in the Autumn issue of ISNOW.

October 2008
