BreachExchange mailing list archives

Taking Down the Underground Economy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Apr 2014 18:08:58 -0600

http://www.databreachtoday.com/taking-down-underground-economy-a-6783

As news of the Target Corp. data breach started to spread, the company was
working to mitigate the situation while cybercriminals were apparently
already busy trying to sell the compromised information to fraudsters
online.

Following a breach, sensitive information, including credit card data, is
often sold through the online criminal economy. The underground economy is
a complex ecosystem where compromised data is sold for use in committing
fraud.

In addition to credit card data, information being sold includes Social
Security numbers, along with names, addresses and phone numbers. While
federal agencies and the security industry have been monitoring these
underground online criminal forums for quite some time, it's proven
difficult to shut them down.

Kyle Adams, a chief software architect at Juniper Networks, a network
solutions provider, says cyber-attackers use several tactics to avoid law
enforcement interference with underground forums, including anonymization
technologies, bullet-proof hosting and anonymous currency, such as Bitcoin.

"Things like anonymous proxies and virtual private networks are used to
hide the identity of customers to avoid sting operations, or feds posing as
hackers and targeting customers," Adams says. "These services are also used
by the criminals to hide their identity when communicating on the Internet,
hacking and transferring money."

Criminals are using these highly sophisticated tools to anonymize their
efforts, and this has made it extremely difficult for law enforcement to
crack down on fraud, Adams says. "These tools tend to be so well-designed
that there are no known techniques for breaking through them," he says.
"The only strong technique law enforcement has at their disposal is to
'hack back,' which is not always legally permissible, and not always
technically possible because the target is likely better at security than
[the good guys] are."

Data's Journey

Following a security incident, like the Target breach for instance, credit
card information quickly floods the underground markets, says JD Sherry,
vice president of technology and solutions at Trend Micro. "The quicker you
can flood the market, the higher the price [per card] you'll get," he says.
"The clock is ticking as law enforcement or credit agencies will begin to
shut down those assets. As time lapses, your chance of actually leveraging
those assets for fraud decreases."

"After a breach, the freshest data is typically available on the
harder-to-access sites, ones where you need to get vetted to get in," says
Lillian Ablon, information systems analyst at RAND Corp.

As time goes on, the data starts to trickle down to the sites that are more
open and easier to find, she says. "Prices decrease the longer the goods
are on the market, as there's a higher likelihood that the banks/customers
have shut down those cards," Ablon says.

In 2011, a typical credit card number was selling for $2.50 on black market
forums, Sherry says. That price dropped to $1 in 2013 because of an
increase in supply. Today, depending on the size of a credit card breach,
prices can range from $20 to 75 cents per card, according to research
conducted by Juniper Networks.

"Not only is the cost going down to acquire tools to create cybercrime,
you're also seeing, because of supply-and-demand economics, stolen asset
values go down," Sherry says.

"When you go and look on black market [online] forums, usually prices are
based on how complete the information is," says Juniper Networks' Adams.
"If the stolen record has been tested and works, criminals will charge more
money for it."

If cybercriminals have all the pieces, they can sell what's known as a
whole identity, which can include Social Security numbers, names, addresses
and credit card information, Adams says. "The more information you have,
the more valuable it is because when you have a whole identity, you can use
that to get driver's licenses and passports, among other things," he says.

And it's not just credit card numbers or Social Security numbers that are
being sold. Credentials for social media accounts can cost more to purchase
than a stolen credit card because the credentials could serve as an entry
point to launch attacks on victims' other online accounts, including online
banking or e-commerce accounts, according to a study by Juniper Networks and
RAND Corp. That study found that hacked social media and other online
accounts can be worth anywhere from $16 to $325, depending on the account
type.

Selling Stolen Information

Ablon of RAND Corp. says stolen information can be sold online in multiple
ways. For instance, some underground sites just offer advertisements where
the buyer will have to reach the seller directly for more details.

"Some sites sell directly, and have drop-down menus or point-and-click for
easy purchase," Ablon says. Some purchasing, she says, is conducted on IRC,
or Internet Relay Chat, channels, which are designed for group
communication in discussion forums.

A majority of the forums or websites selling this information are open to
the public. "You or I could find these sites, sign up and be a buyer right
away," Ablon says. "We don't need much vetting to get in or to buy the most
basic stuff."

Those looking for better fraud tools and more up-to-date information,
however, must take steps to build up their reputation in the forums, she
says. "As [the criminal] buys more, participates more ... in the form of
leaving comments or posting content and tutorials, they will get more
access, especially to protected sections of the forum."

Tom Kellermann, managing director for cyber protection at Alvarez and
Marsal, a business management firm, says the vetting phase is a security
mechanism for these forums. "The forum will try to identify if you're a
ripper [someone who does bad deals] or if you're a law enforcement
officer," he says. "They even do some things like require a phone number so
they can assess your status through hacked telecommunications accounts."

Rather than using the forums, some cybercriminals who have stolen a
relatively small number of records may try to use the compromised
credentials themselves, Adams points out.

"But if they compromised a whole lot, then the next step is to try and sell
all that information in bulk on one of the black market forums," he says.
"Someone will buy it from the cybercriminal. They, in turn, ship over [the
stolen credentials], and then there's payment in Bitcoin [or some other
virtual currency]."

Some underground forums function for extended periods, experts say, while
others may pop up just for one specific batch of stolen cards.

If an underground forum is hosted on the public Internet, it may continue
to function for as long as a year, Adams says. Forums can also be hidden
using Tor, which directs Internet traffic through a network consisting of
thousands of relays to conceal a user's location or Internet usage, Adams
says.

Avoiding Detection

Criminals will utilize bullet-proof hosting - using hosting firms that are
lenient in the types of information customers are uploading - for their
underground forums, which are used to sell stolen content, distribute
cracked software and communicate with one another, Adams says. And website
hosting providers for these forums, often based in Eastern Europe, rarely
keep paper trails of their customers and almost never respond to foreign
law enforcement requests, he says.

"Many of these forums are set up in regions of the world where law
enforcement does not have much influence," says Jon Clay, Trend Micro's
director of global threat research. "The other challenge is many of these
forums are set up on public forum sites where they live in parallel with
legitimate forums, so even if one gets shut down, a new one is easily
created."

Etay Maor, senior fraud prevention strategist at IBM, says law enforcement
agencies in other parts of the world may not take part in takedowns of
these underground sites, making it more difficult to target these
operations. "It may be a matter of priority, but taking down a site in
specific regions and countries may be close to impossible - and the
cybercriminals know this," he says.

The use of anonymous currency, such as Bitcoin, allows for the exchange of
money in the black market without leaving any paper trail, Adams says.
"Technologies such as Bitcoin and disposable credit cards make it much
easier for criminals to conduct business without extremely complicated
laundering schemes," he says.

Because of the huge demand for stolen data to support fraud, cybercriminals
will always find ways to communicate with one another, Maor says. "This is
not limited to forums and also happens in private messaging and instant
messaging," he says. "When the demand is so high, taking down a site or
two, or 10, will not suppress the demand."

Law Enforcement Progress

Security experts cite recent botnet takedowns as key examples of how law
enforcement is going after the underground economy and fraud.

In June 2013, Microsoft, the Federal Bureau of Investigation and the
Financial Services Information Sharing and Analysis Center shut down more
than 1,400 botnets responsible for spreading the Citadel malware that
compromises online credentials and identities (see: Microsoft, FBI Take
Down Citadel Botnets).

Then there was the arrest of Aleksandr Andreevich Panin, a primary
developer and distributor of the SpyEye malware. SpyEye has infected more
than 1.4 million computers in the U.S., and was the dominant malware
toolkit used from 2009 to 2011 (see: SpyEye Developer Pleads Guilty).

From 2009 to 2011, Panin allegedly developed, marketed and sold various
versions of the SpyEye virus, along with co-defendant Hamza Bendelladj.
SpyEye was sold for prices ranging from $1,000 to $8,500.

But working to fight fraud that's facilitated through these underground
forums is an ongoing battle. "The government is spending a lot of time
trying to track down these websites [and fraud operations]," Adams says.

Extensive information sharing helps spread the word about these forums and
the latest fraud trends. "It's sharing of content, information and breach
data around how someone was penetrated, and what were the tactics, tools
and procedures," says Sherry of Trend Micro.

And while some organizations are hesitant to share information on breaches,
such sharing is crucial, Maor says. "Communication is getting better [and]
they're talking about it more openly."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 