Cybercrime groups have begun to operate like the Mafia

by Michael Smith

Cybercrime keeps evolving. The lone hacker who steals and resells credit card numbers is being replaced by a well-structured business model. The game is no longer about hacking for fame, but about building a business with repeat customers who buy your stolen product. On top of that there is a "Fraud as a Service" model, in which criminals hire the hacking Mafia to do their dirty work for them.

Cybercrime activities on the Internet are booming as never before.

In 2006, vulnerabilities were being sold online to the highest bidder. In 2007, professional hackers were selling software packages that provided various ways of attacking websites and stealing valuable data. These toolkits came to bundle multiple exploits for new vulnerabilities and grew more sophisticated, with update mechanisms for newly discovered flaws and Trojans that adapt to the victim's country. By the first quarter of 2008, criminals could simply log in to their "data supplier" and download whatever information they needed for their illegal activities.

Now the situation has gotten even worse. Cybercrime companies that work much like real-world companies are appearing and growing steadily, thanks to the profits they turn. Forget individual hackers or groups of hackers with common goals. Hierarchical cybercrime organizations, in which each cybercriminal has his or her own role and reward system, are what you and your company should be worried about. Targeted attacks against financial institutions, enterprises, and government agencies, coupled with excellent management of the stolen data, make these "businesses" highly successful and leave any organization that uses the Internet exposed.

The organizational structure of these cybercrime companies is very similar to that of the Mafia. In both cases there is a "boss" who operates as a business entrepreneur and does not commit the crimes himself, and an "underboss" who manages the operation, sometimes providing the tools needed for attacks. In the Mafia, several "capos" operate beneath the underboss as lieutenants, each leading their own section of the operation with their own soldiers; in cybercrime, "campaign managers" run their own attacks to steal data through their "affiliation networks." The stolen data are then sold by "resellers," the counterparts of the Mafia's "associates." Since the resellers took no part in the actual intrusions, they know nothing about the original attacks. They do, however, know the "replacement rules" (for example, what happens when a stolen credit card turns out to have been reported) and other company-specific policies, just like the sales representatives you talk to in your average store.

Commodities (stolen credit card numbers and bank accounts) are priced low, while premium items (stolen healthcare-related information, single sign-on credentials for organizations, e-mail accounts, and FTP accounts) fetch much more. Not long ago, credit card numbers and bank accounts with PINs were selling for $100 or more each, but prices have since dropped to $10-20 per item.

Successful attacks can cause long-term damage to the victim company: loss of valuable data, loss of intellectual property, loss of productivity, impact on profits or stock price, brand damage, lawsuits, and class actions. Finjan suggests deploying newer security solutions (such as real-time content inspection) designed to detect and handle recent threats. According to Finjan, these solutions analyze what code intends to do before it runs, without relying on signature updates or databases of classified URLs, and so can stop malicious content from entering the network even when it comes from a highly trusted site. That is hardly a surprising suggestion, given that Finjan sells such products, but the company's 21-page report is nonetheless an informative read, although you will have to fill out a survey to gain access to it.

It is a dangerous world out there, but that should not stop us from going about our business on the Net, including doing business there. We must, however, use street sense, a kind of cybersense, and become savvy to what may be a trap. Above all we must secure our own PCs (and companies must secure their networks and websites). Unsecured PCs and networks are what spread much of the Trojans and malware about, alongside compromised websites and spoofed sites.

Having recently been at RSA Europe 2008, I have learned from many of the experts about the things that are going on out there in cyberland, and it can, I know, be very worrying indeed.

However, protection software (and hardware) is available, and good software is often available for free, such as BitDefender, ThreatFire, and other programs, so there is no excuse for anyone not to have such software on his or her PC. The most important thing, however, which users seem to forget, is to actually keep that software updated. Many people I deal with, when I ask them about the anti-virus and anti-malware software on their computers, are totally oblivious to the fact that it is no good to have the program still in the same state as it was when the machine was purchased. Your protection is only as good as your latest update. Hence, update all of the programs in your defensive arsenal at least once a day. If a program has an auto-update function that checks at regular intervals throughout the day while online, as BitDefender and ThreatFire do, enable it; that way your protection is always as current as the program's latest visit to its mother ship. The same goes for the operating system, browser, and other applications: the attack toolkits described above carry exploits for newly disclosed flaws, and a scanner with fresh signatures cannot make up for software that has been left unpatched.

Now, let's be careful out there and have our shields up at all times.

© M Smith (Veshengro), November 2008