Brian Contos, chief security officer at ArcSight, says that organised cyber criminals are only different from independent cyber criminals in that they have more resources in terms of number of people working on exploits and scams, money to spend, access to technology and some semblance of organisational leadership.

The perpetrators of organised cybercrime can be loosely divided into two categories.
The first consists of traditional crime organisations that have discovered there is value to be had by leveraging cybercrime. These groups operate like legitimate businesses in terms of offering goods, services and trade.

However, their business is illegal, and in terms of cybercrime they may traffic in corporate secrets and identity information, commit extortion and various frauds and scams, launder money and distribute illegal materials.

These groups can be global, highly structured crime syndicates and drug cartels, or some less ordered, less spectacular variant.

They can be found virtually anywhere, but are commonly based in areas of political, economic or social transition where government communication is poor and laws are not enforced. Some examples of organised crime groups are the Italian Mafia, Russian Mafia, Colombian and Mexican cartels, Asian Triads, and Nigerian criminal enterprises.

The second category consists of individuals that have banded together in an effort to reduce personal risk and increase revenue opportunities. As with any business, criminal or otherwise, organising helps to nurture growth and push the risk versus reward pendulum closer to reward.

These individuals tend to be technically sophisticated first and criminals second. By working collectively towards a common goal, usually money, they can be more efficient and effective.

Botnets explored

There are a number of crimes that can be perpetrated by organised cyber criminals. Perhaps one of the most prolific mechanisms for committing these crimes is through botnets.

Bots (also called robots or zombies), which together make up a botnet or botnet fleet, are malicious software programs that are loaded onto a target system without the victim's knowledge. There are hundreds of botnets and botnet variants.

Once installed, the bots can be controlled through a Trojan horse backdoor by whoever operates the botnet controller, which acts as a central management system for the botnet fleet. Through the controller, one or many systems can be made to act simultaneously on command.

Common uses for botnets are to forward transmissions such as phishing scams and spam, to distribute more malicious software such as viruses and keyloggers, and to perpetrate distributed denial-of-service (DDoS) attacks. Because of their prevalence and capabilities, many security experts agree that botnets pose a bigger risk than even worms or viruses on the internet.

Some of these botnet fleets number in the hundreds of thousands, which makes them a formidable adversary for an organisation and a lucrative revenue stream for a criminal who rents out the botnet as an hourly service to other criminals.

Impact of botnets on business

Given that the organised cyber criminals that put these botnets in place can attack, relatively anonymously, from virtually anywhere, and move their base of operations around, they can be difficult to stop.

Additionally, they have the resources to continue research into new methods of exploitation once the vulnerability they currently use to install the bot is broadly patched, or the attack is otherwise protected against with safeguards like firewalls and malware detectors.

The ways in which organised cyber criminals can attack businesses using botnets vary. An attack on a single target business can spread like a pandemic across an organisation's global footprint. Because the attacks are targeted, they will spread more quickly and relentlessly than opportunistic attacks.

Business considerations

Businesses have to consider cybercrime when evaluating risk. This isn't the old risk model where concerns were around web defacements and viruses that were more of a nuisance than criminally motivated. While traditional attacks like these haven't gone away, the more critical threats are related to the exploitation of sensitive information, fraud and extortion.

Botnets are one vehicle to commit these crimes quickly and on a large scale. Risk must be evaluated in these terms and security safeguards need to consider these threats.

Five steps for businesses to protect themselves

  • Participation in information sharing liaisons with government agencies, law enforcement and organisations in similar vertical markets helps businesses understand threats more holistically across their industry.
  • Employee background checks with annual employee reviews and investigations into partners should be thorough. This will reduce exposure to criminal activity from inside and unwittingly getting into a partnership with an organisation that is a front for organised crime.
  • A combination of incident prevention, detection and management solutions needs to be deployed organisation-wide. Technology needs to be considered as part of the equation, but should not be the only factor addressed. In security, it is about people, process and technology. Sensitive data should be secured with need-to-know access, separation of duties, strong authentication and other preventative measures.
  • Monitoring technology should be deployed to overlap the prevention capabilities and fill in any gaps that prevention may leave.
  • Employee awareness programmes, policies and procedures need to be implemented, updated and communicated. Education needs to be repeated at regular intervals to be effective.
  • Defence-in-depth best practices should be followed to ensure that the perimeter and the internal network are resilient to botnet attacks. This includes patching, malware detection, intrusion detection, access control, real-time event correlation and analysis, incident management procedures, network segmentation, automated remediation capabilities, etc.
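As an added example, not taken from the article or from ArcSight, here is a minimal correlation rule of the kind the "real-time event correlation and analysis" item refers to: it reads constructed firewall log lines (a made-up format assumed for the example) and flags an external endpoint that several internal hosts contact on a steady schedule, the many-to-one pattern a botnet controller issuing commands to its fleet produces.

```python
# Added example: a small event-correlation rule for botnet controller traffic.
# Log format and addresses below are constructed for this example, not real data.
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: "<timestamp> src=<internal host> dst=<ip:port>",
# assumed to be in chronological order.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.1.5 dst=203.0.113.9:6667
2024-01-01T10:00:01 src=10.0.1.7 dst=203.0.113.9:6667
2024-01-01T10:00:02 src=10.0.2.3 dst=203.0.113.9:6667
2024-01-01T10:00:05 src=10.0.1.5 dst=198.51.100.20:443
2024-01-01T10:05:00 src=10.0.1.5 dst=203.0.113.9:6667
2024-01-01T10:05:01 src=10.0.1.7 dst=203.0.113.9:6667
2024-01-01T10:05:02 src=10.0.2.3 dst=203.0.113.9:6667
2024-01-01T10:10:00 src=10.0.1.5 dst=203.0.113.9:6667
2024-01-01T10:10:01 src=10.0.1.7 dst=203.0.113.9:6667
2024-01-01T10:10:02 src=10.0.2.3 dst=203.0.113.9:6667
2024-01-01T10:11:00 src=10.0.3.8 dst=198.51.100.20:443
"""

def parse(line):
    """Split one log line into (datetime, source host, destination)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], dst.split("=", 1)[1]

def find_suspected_controllers(log_text, min_hosts=3, min_rounds=3, jitter=5.0):
    """Return {destination: sorted internal hosts} for every destination that at
    least `min_hosts` distinct hosts contact in `min_rounds` or more rounds, where
    each host's gaps between connections stay within `jitter` seconds of that
    host's median gap (a steady beacon rather than bursty user traffic)."""
    conns = defaultdict(lambda: defaultdict(list))  # dst -> src -> [timestamps]
    for line in log_text.strip().splitlines():
        ts, src, dst = parse(line)
        conns[dst][src].append(ts)
    flagged = {}
    for dst, by_src in conns.items():
        beaconing = []
        for src, times in by_src.items():
            if len(times) < min_rounds:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            median = sorted(gaps)[len(gaps) // 2]
            if all(abs(g - median) <= jitter for g in gaps):
                beaconing.append(src)
        if len(beaconing) >= min_hosts:
            flagged[dst] = sorted(beaconing)
    return flagged
```

On the sample log the rule flags only 203.0.113.9:6667, contacted by three hosts every five minutes; the single connections to 198.51.100.20:443 are left alone.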

The internet is simply a new medium to commit old crimes, and botnets are a vehicle. An individual doesn't have to belong to an organised crime syndicate to create and use botnets.

However, these organisations have the funds, technology and human resources to develop exploits faster than lone criminals do. Their actions are not about being recognised by their peers as great hackers, nor done out of general malice, but are carried out to derive profit.

Ways that organised cyber criminals can leverage botnet-based attacks

Denial-of-service attacks

Online gambling organisations have been a popular target of attacks and exploitation. The business is contacted with some form of extortion demand for money to prevent DoS attacks that would shut down its websites.

This typically comes before a major sporting event such as the World Cup, where an outage of just a couple of hours could cost millions in lost revenue. As a demonstration of power, the criminals may crash a couple of servers to help create a compelling event. A fleet of botnets that is either owned or rented by the criminals provides most of what is needed for this type of attack to work.

Spam and phishing

Botnets can be used by organised crime to target businesses with spam and phishing scams. Exploits of this nature can also lead to compliance-related fines and litigation costs. Just as individuals can be targeted to divulge sensitive information, or download malicious code, individuals within a specific business may be targeted.

The organised criminals may not be looking for identity information and account numbers, but rather intellectual property such as new marketing strategies, customer contact lists, employee salaries, product development plans and so forth.

There are potentially competing organisations that would pay for this valuable information, and the fact that industrial espionage can be conducted with a simple email makes for an inexpensive information extraction method. Also, botnets can target virtually every person in the business, so even if only 1 per cent of the targets respond, it is still a success.

Botnets may deliver a spam message that tricks the victim into downloading malware. Also, the botnet itself can compromise a system if it is vulnerable and exposed.

Once behind an organisation's perimeter defences, these types of attacks tend to spread quickly when the proper safeguards are not in place. Keystroke loggers and sniffers can capture information and forward it back to the criminal.

Since the botnet allows the criminal to control the bot, they can control the target machine, or at least issue a predetermined set of commands to cause further chaos.