The new face of CYBERCRIME

By Stefanie Hoffman

For decades, cybercrime has been the stuff of Hollywood thrillers and pulp fiction novels.

But the days when cybercrime was tantamount to a gaggle of teenage hackers creating viruses in their parents’ basements have long since died.

Now, the FBI reports that, for the first time ever, revenues from cybercrime have exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping in more than US$1 trillion annually in illegal profits.

Individuals or groups of hackers loosely tied together with common goals have coalesced into organised criminal hierarchies, and like multiheaded cyber Corleone families, they come complete with defined roles and systems of rewards.

They’re well-funded, well-managed businesses, and they are growing at breakneck speed, continuing to evolve by means of complex ecosystems and technologies that have become increasingly sophisticated and efficient.

And like any growing enterprise, they’re expanding their reach to smaller and more vulnerable targets, to the multitude of underequipped and cash-strapped SMBs and small mid-tier companies.

As more SMBs and midmarket companies struggle to protect sensitive data, solution providers are finding that many are beginning to re-evaluate their security environments and adopt what were once considered high-end solutions.

VARs selling these solutions to largely enterprise and upper midmarket customers are finding that they are making rapid inroads downmarket.

And while many SMBs still remain unaware of the threat, VARs are ready at arms to provide innovative and surprisingly affordable solutions to protect the SMB.

“Anybody who stores large amounts of data is most vulnerable. They’re all vulnerable,” said Kevin Newmeyer, worldwide principal for strategic security and counterterrorism for Unisys. “The ones who don’t think they’re vulnerable haven’t been hit yet.”

Cybercrime Inc. keeps growing

In August, 11 defendants were formally charged in last year’s high-profile T.J. Maxx data breach in which more than 45 million accounts were compromised over a couple of years.

The defendants included three U.S. citizens, as well as citizens of the Ukraine, Estonia, Belarus and the People’s Republic of China.

What’s become clear to investigators and security experts alike is that organisations perpetrating these kinds of attacks are not only increasingly global, they’re becoming nimbler, smarter and more efficient at wreaking havoc on company networks and profiting from their illegal activities.

They have names such as the Russian Business Network, Gray Pigeons and Honkers Union of China. And they’re growing – in numbers, power and reach.

“What we’ve seen is really a deep stratification of electronic crime into a growing, prosperous and responsive economy, with a number of specialty organisations, syndication and deepening organisation of peers, both within a vertical skillset and across the entire enterprise of electronic crime,” said Peter Cassidy, secretary general of the Anti-Phishing Working Group, a non-profit organisation dedicated to counteracting cybercrime.

“Increasingly, we see this is turning into big business.”

Members originate from all over the world, Cassidy said, with large concentrations in Russia and Eastern Europe, as well as parts of Africa – typically areas with access to technology coupled with political upheaval and limited financial opportunities.

In recent years, China has also emerged on the world stage as a global security threat as its population soared and economy exploded with a young and highly skilled volunteer labour force.

A recent McAfee report found that of 265 countries surveyed, Hong Kong was by far the biggest security risk, with almost 19 percent of websites with the .hk domain hosting malware.

Hong Kong was followed by the .cn domain of the People’s Republic of China, and then by the Philippines, Romania and Russia.

Scott Henderson, a former U.S. military intelligence analyst with a specialty in the Chinese cyberthreat, said that there are about 280,000 to 300,000 individual hackers in China belonging to about 250 cybercrime organisations.

A shadow economy

It didn’t happen overnight.

According to a Q2 2008 web security trends report by Finjan, a San Jose-based security company specialising in web gateway security solutions, these cybercrime organisations – some claiming hundreds of members, others up to tens of thousands of members – have all emerged over the past two years to create a viable shadow economy, designed to mimic real-world economies financially and structurally.

“It’s a contemporary economy mediated by Internet workings. It just happens to be illegal,” Cassidy said.

Just like a Mafia family, they’re organised into strict hierarchies.

They’re headed by a criminal boss, who is seconded by an underboss, providing Trojans for attacks while acting as the command and control centre of the operation.

Spearheading the malware attacks against businesses and individuals are the campaign managers, who direct their drones in affiliation networks further down the chain of command to actively steal the data from users’ computers.

Meanwhile, hacking tools aren’t just relegated to the cyberelite.

Affiliate and smaller hacker organisations can also propagate a malicious campaign by renting software and programs, ranging from botnets, to rootkits and phishing toolkits, in order to steal users’ data.

“People take over somebody’s computer, and then the computer is being controlled by someone in Mexico or Russia,” said Unisys’s Newmeyer. “The advantage in the cybercriminal world is that you don’t have to go into a bank to rob.”

The stolen data – generally users’ credit cards and social security numbers – is often sold by cyber resellers, who specialise solely in buying and selling the stolen data.

“This is definitely an area of growing concern,” said Dave Marcus, security research and communications manager for McAfee. “Instead of accessing and stealing information, they’ll sell account information for a premium.”

Marcus said that the resellers typically post the stolen information onto websites, then it is offered for sale to hackers based on brand, location and additional value-added features.

Marcus said that one website discovered by McAfee Avert Labs offered stolen bank accounts for sale with significantly higher prices from U.S. financial institutions such as Citibank and Bank of America than for smaller credit unions and more obscure foreign banks.

Criminals who want to use the information can then contact the resellers to negotiate a price.

“If you’re trying to get inside and trying to get the information, you’ve got to know the secret handshake,” Newmeyer said. “If you don’t have the right responses, they’ll identify you as a cop.”

Driven by the laws of supply and demand, the price of an average identity has dropped in recent years from US$100 to somewhere between US$10 and US$20 apiece, with the commoditisation of data such as credit card and bank account numbers with PINs.

However, other information is deemed more valuable.

Experts say that the prime real estate for cybercriminals is health-related data, internal corporate notes, and Outlook and FTP accounts that can provide access to intellectual property; these go for much higher prices on the black market.

As a result, attackers will increasingly be targeting health and government organisations, as well as corporate intellectual property, security experts say.

Cybercrime 2.0

With any flourishing industry come technological advancements.

Viruses and worms from a decade ago have been replaced by sophisticated password-stealing Trojans and keyloggers that are designed to silently sit on a user’s computer and funnel important data into remote foreign servers.

The malware is often distributed through malicious links sent via email, directing people to an infected website.

As of late, security experts have also seen a rise in malware attacks on legitimate, but vulnerable websites, which stay for a short period of time before they’re detected and removed.

During that time, however, attackers can identify thousands of potential victims.

Often the victims are individuals and employees encouraged to click malicious links by some kind of enticing social engineering tactic delivered through email.

Some of the most popular tactics include malicious eVites or ecards, and links to web pages or videos impersonating high-profile news events or celebrity sensationalism.

Henderson said that, in particular, Chinese hackers have perfected the art of creating effective social engineering techniques with highly researched and biographically targeted messages.

“They’re very skilled at going out online and collecting biographical information from myriad sources and going out and planning attacks,” he said.

Once a user’s computer is infected, it will generally become part of a larger network of infected computers, or botnet, which will, in turn, become a vehicle to distribute malware onto other systems.

“They’re constantly changing their methods of getting you to click,” Henderson said.

Meanwhile, cybercriminals are honing techniques to circumvent most standard security measures.

They can create malware that bypasses or breaks the anti-virus signatures, and encrypts or obfuscates the payload, security experts say.

“And you cannot create a signature to block it,” said Yuval Bet-Itzhak, chief technology officer for Finjan. “It will never block MySpace or Yahoo pages. The combination of serving malicious code and encrypting it manages to bypass security techniques most enterprises are using today.”

Attacking the SMB

With more cybercrime organisations creating malware at breakneck speeds, businesses can only expect to see their networks afflicted with more security breaches.

Yet, as enterprises build up their security environments, cybercriminals are now looking elsewhere for easier targets.

Those who will likely be most at risk will be the small business and midmarket segments – companies with fewer or limited resources and outdated or inadequate security infrastructures.

And while many SMBs may not have heard of the Russian Business Network, many undoubtedly will feel the ill effects of malware distributed via the web.

“When it comes to vulnerability management, smaller firms have a bigger challenge,” said Nic Alicandri, managing director at New York-based information security firm CipherTechs Inc.

Security experts have begun warning companies that the threat is definitely growing.

A July McAfee study, “Does Size Matter? The Security Challenge of the SMB,” found that one in five small businesses have suffered a security attack, with a third of those suffering more than four IT breaches in the past three years.

One in five respondents said that a security attack could put them out of business.

Additionally, the 10th Annual CSI/FBI survey released last October found that U.S. businesses lost an average of US$350,424 in 2007 as a result of cybersecurity incidents – more than double the losses incurred in 2006.

“I think that the people who think because they’re not a household name, they’re not going to be an attack target [are] going to be mistaken,” said Ken Phelan, chief technology officer for Gotham Technology Group, an IT consulting VAR, with specialties in access management and information security.

Phelan said that one of his SMB clients with fewer than 100 people was given a sheaf of confidential company data that was lifted from the company.

The client was told they needed to pay the attacker, or run the risk of losing the information to their competitors.

Gotham Technology points SMB customers to pre-existing regulatory security solutions, such as those outlined by Payment Card Industry standards, Phelan said.

Among other things, PCI standards recommend that all businesses encrypt data, authenticate users and secure networks with an array of endpoint protection software.

SMB company networks “are being pounded,” and “a lot of them don’t even know it’s happening,” said Stephen Nacci, regional account manager for TLIC Worldwide Inc., a VAR specialising in security solutions and network management.

Nacci recommends that his clients extend their security solutions beyond the perimeter.

“(SMBs) are getting killed. These guys are bleeding and they don’t even know it,” Nacci said. “We need to counter that.”