ISSA, The Global Voice of Information Security. ISSA Journal | October 2008

Organized Cybercrime

By Yuval Ben-Itzhak

Cybercrime organizations bear an uncanny resemblance to Mafia organized crime syndicates where each cybercriminal has his own well-defined role and related reward system.

[Figure 1 – Mafia organizational structure: Boss; Capo, Capo, Capo; Soldiers, Soldiers, Soldiers; Associates]

As we have seen during the last year, cybercrime has developed into a fast-expanding, global industry. Its operations closely resemble the real business world, including profit-driven organized cybercrime. Targeted attacks against financial institutions, enterprises, and governmental agencies have substantially grown, and the resulting financial damages keep on running into millions. The individual hacker-for-fame, seeking the limelight, has been replaced by professional hackers and cybercriminals, deploying sophisticated cybercrime business models to maximize their profit while avoiding detection. On the operational side, we see that they are part of hierarchical cybercrime organizations where each cybercriminal has his own well-defined role and related reward system.

The organization

The cybercrime organizations bear an uncanny resemblance to La Cosa Nostra or Mafia organized crime syndicates. In both cases, we see that the organization is headed by the “Boss.” He does not commit the (cyber)crimes himself, but purely operates as a business entrepreneur. Due to the nature of cybercrime, the boss is managing an operation without borders. He also has limited or no face-to-face contact with his cybercrime workforce. He rakes in the highest revenues with the lowest risk of being caught. Similar to a legitimate business owner, he outsources, watches his profit and operational margins, and cuts costs.

Directly under him is his second in command, the “underboss.” He manages the operation, and in the case of cybercrime, provides the Trojans for attacks. He also manages the Command and Control (C&C) of those Trojans, similar to a business manager operating behind the scenes.

In a Mafia family, there are several “capos” operating beneath the underboss as lieutenants leading their own section of the operation. With cybercrime, these lieutenants are called “campaign managers” and lead their own attack campaigns as part of the whole cybercrime operation. Since cybercrime is highly sensitive to location, language and regional economic trends, these campaigns enable them to operate locally, focusing their attacks on specific geographic locations (e.g., NYC, California) and targeting selected businesses (e.g., banks, health care providers). For example, the highly effective ZeuS Trojan stole $6 million from banks in the U.S., UK, Spain and Italy. Each campaign manager was responsible for distributing the crimeware Trojan to specific “territories,” illustrating how today’s cybercriminals are deploying the “think global, act local” business strategy.

[Figure 2 – Cybercrime organizational structure]

Mafia “soldiers” do the “dirty work.” A cybercrime organization works in a similar fashion, using its own “affiliation networks” to perform the attacks and steal the data. These networks act as distribution channels, especially created to promote infections. Incentives are provided to attackers to hack into legitimate sites and insert a reference to malicious code operated by other hackers. Once the malicious code runs successfully, participants are paid according to the number of achieved infections. Their reward rate varies, depending on the country of origin of the infected computer. This structure is highly effective in avoiding the chance of detection, since multiple players are operating as stand-alones, having no contact with their “colleagues.”

Similar to the Mafia’s “associates,” “resellers” in the cybercrime organization trade the stolen data. They are not involved in the crimeware attacks themselves, but act as a “fence” dealing with stolen goods. Since credit cards and bank accounts have become commoditized, the prime targets are now health care-related information, single sign-on login credentials for organizations, email exchanges, Outlook accounts, and FTP accounts. These are considered premium goods in the criminal economy and can be sold for high prices. Similar to the legitimate business world, these resellers provide services and give guarantees to their (potential) customers. Various pricing models are used for the different kinds of products for sale. For example, stolen standard U.S. MasterCard or Visa credit cards can be purchased for $5 each, while a stolen EU or UK Visa credit card for sale is priced at $90 each.

Tools of the cybercrime trade

Cybercriminals use an arsenal of highly effective crime tools, deploying sophisticated Criminal-2-Criminal (C2C) business models for their operations, heavily borrowing and copying from the legitimate business world. A notorious example is the RBN (Russian Business Network), a multi-faceted cybercrime organization catering exclusively to cybercriminals.4 These kinds of crime pros also use robust and scalable crimeware that gives them maximum flexibility in terms of command and control for stealing and trading data. They are highly successful in infecting PCs and networks around the world using the latest Trojan technologies, silent installations, and drive-by downloads for their attacks.

Cybercrime attacks are made easy due to the availability of crimeware toolkits. These toolkits are “how to…” software packages that instruct users step-by-step how to infect a system, followed by how to retrieve data for financial gain. Such $00-$00 off-the-shelf “Do It Yourself” toolkits enable cybercriminals to easily gain access to a wide array of sensitive and valuable information.

Crimeware toolkit creators also deploy Crimeware-as-a-Service (CaaS). A classic example is the notorious NeoSploit toolkit, which contained a delivery system for the Trojan upon a successful exploitation. It could be configured to provide a different version of the Trojan according to the country targeted. In mid-July 2008, NeoSploit’s profitable business ran into a classic business problem – it had difficulty sustaining its new customer acquisition rate, while its existing customers were not generating enough revenue to sustain its operations. The NeoSploit development team was forced to abandon its product, sending an “out of business” announcement.5

Cybercriminals also deploy the data supplier model – customers need only log into their “data supplier” and download any information suitable for them to conduct their crime, be it financial fraud, industrial espionage, or identity theft. The availability of user data provides a “customer” service.

Once the data is stolen, hackers use crimeware servers that function as the “drop zones” of organized attacks. These servers are populated with the harvested (stolen) data and often also contain the crimeware Trojan C&C, enabling management of campaigns, remote control of the infected machine, as well as management of the stolen data itself.

Effects of cybercrime

The damage for both organizations and individuals resulting from successful crimeware attacks is widespread and long-lasting – no organization, company, enterprise or business with Internet access is safe. This vision is confirmed by Marcus Alldrick, responsible for information protection and continuity at Lloyd’s. He pointed out that targeted attacks perpetrated by organized crime are on the increase due to the high return on investment.6

According to the 2007 Annual Survey: Cost of Data Breach, by the Ponemon Institute,7 the average cost per reported incident in 2007 amounted to $6. million, while the cost of lost business per reported incident was estimated at $4. million in 2007, an increase of 0% compared to 2006. The average cost of each compromised record was $97, while the average cost of a data breach in the highly regulated financial sector was $9 per compromised record.

The total amount of compromised records per data breach is on the rise as well. A well-documented example is the international gang of cybercriminals who stole 45.7 million credit/debit cards from customers in the UK, U.S. and Canada by breaching TK Maxx’s computer systems. TJX, parent company of TK Maxx, had to increase its estimate of pre-tax charges for the compromise to nearly $6 million from an earlier projection of approximately $68 million. According to some experts, the company may end up spending more than $500 million, including litigation fees and government

1 D. Carvajal, “The evolution of CyberCrime Inc.,” The International Herald Tribune (April 6, 2008), …php.
2 B. Acohido, “Meet A-Z: The computer hacker behind a cybercrime wave,” USA Today (August 5, 2008), …04-hacker-cybercrime-zeus-identity-theft_N.htm.
3 J. Kirk, “Structure of Cybercrime Gangs Unlocked,” IDG News Service – London Bureau (July 5, 2008).
4 B. Krebs, “Shadowy Russian Firm Seen as Conduit for Cybercrime,” The Washington Post (October , 2007), …article/007/0//AR0070046.html.
5 D. Danchev, “The Neosploit cybercrime group abandons its web malware exploitation kit,” ZDNet (July 9, 2008).
6 M. Alldrick, “Cyber crime provokes new security concerns,” Lloyd’s News Center (March , 2008).
7 “2007 Annual Survey: Cost of Data Breach,” The Ponemon Institute (November 9).
8 J. Vijayan, “TJX says breach costs may exceed $50 million,” Central IT (August 6, 2007), …html.


Cybercrime and punishment

Fighting cybercrime is problematic in many aspects. In contrast to classic crimes such as drug offences or fraud, cybercrime has a vast scope, consisting of all kinds of actions designed to steal data for profit. A legal definition of cybercrime is difficult since it should incorporate related terms such as “computer,” “access,” “authorization,” “malware,” or “spyware.”9 Many actions are currently not defined as illegal, such as C2C activities, or writing crimeware, malicious code or Trojan programs for other criminals.

Location is a problem as well; crimeware servers are often in a different country than the criminals that operate them. The same applies to the victims as well as the buyers of stolen data – they are located all over the world and often reside in a different country than the cybercriminals who stole the data, making law enforcement complicated since it is unclear which jurisdiction applies – the F.B.I. with its Cyber Crime Unit when the victim is located in the U.S.? Or the CSIS in Canada where the cybercriminal is operating from? Even if a cybercriminal is convicted, the punishment seldom fits the crime. It is only recently that prison sentences of a few years and substantial fines have been handed out.10

About the Author

Yuval Ben-Itzhak, CTO at Finjan, has over 15 years of high-level management experience. Yuval was selected as InfoWorld’s “Top 25 Most Influential CTOs of 2004” and Computerworld’s “40 Innovative IT People To Watch, Under the Age of 40” for 2007. He may be reached at tel: +972-9-864 8200 or

9 K.C. Jones, “Congress Extends Cybercrime Laws,” InformationWeek (September 7, 2008), …jhtml?articleID=0608.
10 Corinne Iozzio, “The Cyber Crime Hall of Fame,” PC Magazine (September 8, 2008), …,87,9605,00.asp.