Back in 2010, the FBI joined law enforcement agencies across the globe in shutting down a criminal operation that stole some $70 million from U.S. banks. The gang’s weapon of choice was not a machine gun or a set of safe-cracking tools. Instead, the gang relied on the infamous ZeuS Trojan to break into the accounts of customers.
The activity of the gang points to a larger trend in the world of security. Gone are the days where hackers were plying their trade for fun. In today’s cyber underworld, the motivation for attackers largely revolves around getting their hands on credit card numbers, email credentials, logins for banking sites and other information that can be turned into quick cash.
In this marketplace of illicitly obtained information, a mix of independent operators and organized groups has emerged, driven by money and, in some cases, politics. Whether cybercrime is carried out by hacktivists or by cyber gangs targeting brokerage firms, two things are certain: these groups have changed the reality of security for businesses, and understanding them is critical to taking them down.
Understanding the structure of these groups offers security experts an opportunity to disrupt them by targeting various links in the chain of hacker activity. This can include everything from monitoring sites where credit card information is sold, to targeting rogue Internet Service Providers (ISPs) known to be friendly to criminal groups with takedown efforts like the operations against McColo and 3FN/Pricewert.
It’s good to keep in mind that criminally motivated hacking crews come in all shapes and sizes. Some even feature functions you might expect to see in a legitimate enterprise, such as a QA team and project managers. Others have members with marketing skills, who promote the group’s botnets and malware on social media sites and underground forums, where such offerings and information spread easily.
In most cases, these different teams work independently, with central figures overseeing the operation as a whole to keep it on track. But not everyone involved in the cyber-underground is part of a group. Some stick to themselves and rent out portions of botnets they’ve assembled. Others make money doing what they are good at – uncovering new software vulnerabilities and making offensive tools for other hackers.
These vulnerabilities, known in security circles as zero-days, could easily be called cash cows for those who can find and exploit them. Depending on the software they target and their reliability, these exploits can fetch anywhere from $10,000 to $500,000 on the black market.
Both zero-days and older exploits often make their way into attack toolkits available on web forums for as little as $40, with the higher-end versions going for prices in the thousands. These kits typically rely on the reality that many users do not stay up-to-date with the latest versions of software, and use well-known vulnerabilities as opposed to zero-days. In some cases, attackers will compromise legitimate websites and then try to redirect users to malicious sites serving up the exploit kit. The effect of these attack kits has been tremendous.
In general, the goal of attackers remains valuable data. These days, however, credit card data shares shelf space in virtual hacking stores with items such as Facebook logins and email credentials. Part of this is due to banks using multi-factor authentication to verify online transactions, which forces attackers to gather more information before they can compromise an account. Cybercriminals have evolved their malware with this in mind. Web injection forms now phish for details such as the International Mobile Equipment Identity (IMEI) number of a victim’s mobile phone, so that the attackers can contact the victim’s service provider and trick it into issuing them a new SIM (Subscriber Identity Module) card. With the SIM card, the attackers can intercept the communication between the bank and the customer that was meant to prevent fraud.
Not surprisingly, the more information attackers have about a target, the more tailored their attack is — and the greater the likelihood of its success. For example, a man named John Smith may pay more attention to an email addressed specifically to him than one that says, “Attention Sir.” This technique is known as spear phishing, and has been tied to some of the most severe corporate breaches in recent memory, including the well-publicized attack against EMC’s RSA security division. The fight against cybercrime, in part, requires educating users about some of the tell-tale signs of suspicious emails, starting with messages containing unusual requests for information or key words that lure people to download a potentially malicious attachment.
With hackers focused on data, it is imperative for enterprises to focus there as well. Businesses need to identify their critical data and put the proper safeguards around it, from firewalls to encryption to activity monitoring technologies. To borrow a quote from the famed Chinese military strategist Sun Tzu: “If you know neither yourself nor your enemy, you will always endanger yourself.”
Paul Comessotti is regional director for Canada and Tomer Teller is a security evangelist and researcher at Check Point Software Technologies.