The New Face Of Cybercrime
By Stefanie Hoffman,
For decades, cybercrime has been the stuff of Hollywood thrillers and pulp fiction novels. But the days when cybercrime was tantamount to a gaggle of teen-age hackers creating viruses in their parents' basements have long since died. Now, the FBI reports that, for the first time ever, revenues from cybercrime have exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping in more than $1 trillion annually in illegal profits.
Individuals or groups of hackers loosely tied together with common goals have coalesced into organized criminal hierarchies, and like multiheaded cyber Corleone families, they come complete with defined roles and systems of rewards. They're well-funded, well-managed businesses, and they are growing at breakneck speed, continuing to evolve by means of complex ecosystems and technologies that have become increasingly sophisticated and efficient. And like any growing enterprise, they're expanding their reach to smaller and more vulnerable targets, to the multitude of underequipped and cash-strapped SMBs and small midtier companies.
As more SMBs and midmarket companies struggle to protect sensitive data, solution providers are finding that many are beginning to re-evaluate their security environments and adopt what were once considered high-end solutions. VARs selling these solutions to largely enterprise and upper midmarket customers are finding that they are making rapid inroads downmarket. And while many SMBs still remain unaware of the threat, VARs are ready at arms to provide innovative and surprisingly affordable solutions to protect the SMB.
"Anybody that stores large amounts of data is most vulnerable. They're all vulnerable," said Kevin Newmeyer, worldwide principal for strategic security and counterterrorism for Unisys. "The ones that don't think they're vulnerable haven't been hit yet."
Cybercrime Inc. Keeps Growing
In August, 11 defendants were formally charged in last year's high-profile T.J. Maxx data breach in which more than 45 million accounts were compromised over a couple of years. The defendants included three U.S. citizens as well as citizens of the Ukraine, Estonia, Belarus and the People's Republic of China. What's become clear to investigators and security experts alike is that organizations perpetrating these kinds of attacks are not only increasingly global, they're becoming nimbler, smarter and more efficient at wreaking havoc on company networks and profiting from their illegal activities. They have names like the Russian Business Network, Gray Pigeons, and Honkers Union of China. And they're growing—in numbers, power and reach.
"What we've seen is really a deep stratification of electronic crime into a growing, prosperous and responsive economy, with a number of specialty organizations, syndication and deepening organization of peers, both within a vertical skillset and across the entire enterprise of electronic crime," said Peter Cassidy, secretary general of the Anti-Phishing Working Group, a nonprofit organization dedicated to counteracting cybercrime. "Increasingly, we see this is turning into big business."
Members originate from all over the world, Cassidy said, with large concentrations in Russia and Eastern Europe, as well as parts of Africa—typically areas with access to technology coupled with political upheaval and limited financial opportunities.
In recent years, China has also emerged on the world stage as a global security threat as its population soared and economy exploded with a young and highly skilled volunteer labor force. A recent McAfee report found that of 265 countries surveyed, Hong Kong was by far the biggest security risk, with almost 19 percent of Web sites with the .hk domain hosting malware. Hong Kong was seconded only by the .cn domain out of the People's Republic of China, followed by the Philippines, Romania and Russia.
Scott Henderson, a former U.S. military intelligence analyst with a specialty in the Chinese cyberthreat, said that there are about 280,000 to 300,000 individual hackers in China belonging to about 250 cybercrime organizations.
Next: A Shadow Economy A Shadow Economy
It didn't happen overnight. According to a Q2 2008 Web Security Trends Report by Finjan, a San Jose, Calif.-based security company specializing in Web gateway security solutions, these cybercrime organizations—some claiming hundreds of members, others up to tens of thousands of members—have all emerged over the past two years to create a viable shadow economy, designed to mimic real-world economies financially and structurally.
"It's a contemporary economy mediated by Internet workings. It just happens to be illegal," Cassidy said.
Just like a Mafia family, they're organized into strict hierarchies. They're headed by a criminal boss, who is seconded by an underboss, providing Trojans for attacks while acting as the command and control center of the operation. Spearheading the malware attacks against businesses and individuals are the campaign managers, who direct their drones in affiliation networks further down the chain of command to actively steal the data from users' computers.
Meanwhile, hacking tools aren't just relegated to the cyberelite. Affiliate and smaller hacker organizations can also propagate a malicious campaign by renting software and programs, ranging from botnets, to rootkits and phishing toolkits, in order to steal users' data.
"People take over somebody's computer, and then the computer is being controlled by someone in Mexico or Russia," said Unisys' Newmeyer. "The advantage in the cybercriminal world is that you don't have to go into a bank to rob."
The stolen data—generally users' credit cards and social security numbers—is often sold by cyber resellers, who specialize solely in buying and selling the stolen data.
"This is definitely an area of growing concern," said Dave Marcus, security research and communications manager for McAfee. "Instead of accessing and stealing information, they'll sell account information for a premium."
Marcus said that the resellers typically post the stolen information onto Web sites, then it is offered for sale to hackers based on brand, location and additional value-added features. Marcus said that one Web site discovered by McAfee Avert Labs offered stolen bank accounts for sale with significantly higher prices from U.S. financial institutions such as Citibank and Bank of America than for smaller credit unions and more obscure foreign banks. Criminals who want to use the information can then contact the resellers to negotiate a price.
"If you're trying to get inside and trying to get the information, you've got to know the secret handshake," Newmeyer said. "If you don't have the right responses, they'll identify you as a cop."
Driven by the laws of supply and demand, the price of an average identity has dropped in recent years from $100 to somewhere between $10 and $20 apiece, with the commoditization of data such as credit card and bank account numbers with pins.
However, other information is deemed more valuable. Experts say that prime real estate for cybercriminals surrounding health-related data, internal corporate notes and Outlook and FTP accounts that can provide access to intellectual property go for much higher prices on the black market. As a result, attackers will increasingly be targeting health and government organizations, as well as corporate intellectual property, security experts say.
Next: Cybercrime 2.0 Cybercrime 2.0
With any flourishing industry come technological advancements. Viruses and worms from a decade ago have been replaced by sophisticated password-stealing Trojans and keyloggers that are designed to silently sit on a user's computer and funnel important data into remote foreign servers.
The malware is often distributed through malicious links sent via e-mail, directing people to an infected Web site. As of late, security experts have also seen a rise in malware attacks on legitimate, but vulnerable Web sites, which stay for a short period of time before they're detected and removed. During that time, however, attackers can identify thousands of potential victims. Often the victims are individuals and employees encouraged to click malicious links by some kind of enticing social engineering tactic delivered through e-mail. Some of the most popular tactics include malicious eVites or e-cards, and links to Web pages or videos impersonating high-profile news events or celebrity sensationalism. Henderson said that, in particular, Chinese hackers have perfected the art of creating effective social engineering techniques with highly researched and biographically targeted messages. "They're very skilled at going out online and collecting biographical information from a myriad of sources and going out and planning attacks," he said.
Once a user's computer is infected, it will generally become part of a larger network of infected computers, or botnet, which will, in turn, become a vehicle to distribute malware onto other systems. "They're constantly changing their methods of getting you to click," Henderson said. "Most people will be blissfully unaware that their computer is infected and is attacking the Pentagon."
Meanwhile, cybercriminals are honing techniques to circumvent most standard security measures. They can create malware that bypasses or breaks the antivirus signatures, and encrypts or obfuscates the payload, security experts say.
"And you cannot create a signature to block it," said Yuval Bet-Itzhak, chief technology officer for Finjan. "It will never block MySpace or Yahoo pages. The combination of serving malicious code and encrypting it, manages to bypass security techniques most enterprises are using today."
Attacking The SMB
With more cybercrime organizations creating malware at breakneck speeds, businesses can only expect to see their networks afflicted with more security breaches.
Yet, as enterprises build up their security environments, cybercriminals are now looking elsewhere for easier targets. Those who will likely be most at risk will be the small business and midmarket segments—companies with fewer or limited resources and outdated or inadequate security infrastructures. And while many SMBs may not have heard of the Russian Business Network, many undoubtedly will feel the ill effects of malware distributed via the Web.
"When it comes to vulnerability management, smaller firms have a bigger challenge," said Nic Alicandri, managing director at New York-based information security firm CipherTechs Inc.
Security experts have begun warning companies that the threat is definitely growing. A July McAfee study, "Does Size Matter? The Security Challenge of the SMB," found that one in five small businesses have suffered a security attack, with a third of those suffering more than four IT breaches in the past three years. One in five respondents said that a security attack could put them out of business. Additionally, the 10th Annual CSI/FBI survey released last October found that U.S. businesses lost an average of $350,424 in 2007 as a result of cybersecurity incidents—a number that more than doubled from losses incurred from 2006.
"I think that the people that think because they're not a household name, they're not going to be an attack target [are] going to be mistaken," said Ken Phelan, chief technology officer for Gotham Technology Group, a Montvale, N.J.-based IT consulting VAR, with specialties in access management and information security.
Phelan said that one of his SMB clients with fewer than 100 people was given a sheaf of confidential company data that was lifted from the company. The client was told they needed to pay the attacker, or run the risk of losing the information to their competitors.
Gotham Technology points SMB customers to pre-existing regulatory security solutions, such as those outlined by Payment Card Industry standards, Phelan said. Among other things, PCI standards recommend that all businesses encrypt data, authenticate users and secure networks with an array of endpoint protection software.
SMB company networks "are being pounded," and "a lot of them don't even know it's happening," said Stephen Nacci, regional account manager for TLIC Worldwide Inc., an Exeter, R.I.-based VAR specializing in security solutions and network management.
Nacci recommends that his clients extend their security solutions beyond the perimeter.
"(SMBs) are getting killed. These guys are bleeding and they don't even know it," Nacci said. "We need to counter that."
Next: Tracking Chinese Hackers Tracking Chinese Hackers
Chinese hackers are the largest group of hackers in the world, said Scott Henderson, former military intelligence analyst and administer of the Web site www.thedarkvisitor.com, which tracks hackers throughout China.
They also don't hide in the shadows, said Henderson. In fact, they maintain the most open Web presence of any group of hackers globally. "Some even have hardware and software companies as advertisers on their Web sites," he said. "Chinese hackers are very entrepreneurial," said Henderson. "It's a real subculture."
As their numbers and profiles grow, some have achieved rock star-style popularity. Many have taken advantage of their high profiles and are becoming more professional, even conducting recruiting efforts, he said.
So, expect many more in the not-too-distant future. Henderson said a recent study found that one in three Chinese middle-schoolers wants to grow up to be a hacker.
