BreachExchange mailing list archives

The Wild, Wild Web: How To Catch Cybercrooks

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Jan 2015 20:23:17 -0700

http://www.newsweek.com/wild-wild-web-how-catch-cybercrooks-296380

Black markets for computer-hacking tools, services and by-products,
including stolen credit card numbers, continue to grow, posing threats to
businesses, governments and individuals. A prominent recent example was the
capture of an estimated 40 million credit card numbers and 70 million user
accounts in the December 2013 breach of retail giant Target. Within days,
those data appeared—available for purchase—on black market websites.

The markets for cybercrime products and by-products have become so
pervasive and accessible that the malicious hacking trade today can be, in
certain respects and for some, more lucrative and easier to carry out than
the illegal drug trade. Once the domain of lone hackers, cybercrime has
become a burgeoning powerhouse of highly organized groups, often tied to
drug cartels, mafias, terrorist cells and even nation-states.

It has matured into specialized markets, in which those who have gained the
greatest access deal freely in the tools and spoils of the trade: exploit
kits (software for creating, distributing and managing attacks), botnets
(remotely controlled computers used for sending spam or flooding websites),
"as-a-service" offerings (hacking for hire), compromised hosts and a
continually flooded market for stolen credit card numbers and other
personal credentials.

Consumers and businesses have fortified their data systems in response, but
hackers have come back stronger. Increased arrests, meanwhile, spur
increased media attention, which advertises the lucrative markets to those
once unaware of the possibilities and reveals the tactics and techniques of
law enforcement to those already in the markets, causing them to adapt. As
more participants enter the market, and as current participants upgrade
their methods of conducting business, the increasingly competitive and
resilient hackers go after bigger targets and become harder to take down.

As a result, the ability to attack is outpacing the ability to defend.
Hyper-connectivity—particularly through the rise of the "Internet of
Things"—will create even more opportunities for attack, as everything from
insulin pumps and pacemakers to cars, toasters and refrigerators will offer
malicious hackers networked points of entry. Exploitation of social media
networks and mobile devices will also grow. Crime will increasingly have a
networked or cyber component.

Sketching the current and predicted landscape for cybercrime can lay the
groundwork for exploring options to minimize the harmful influence of these
markets. As part of ongoing studies on the future security environment, we
examined these markets with support from Juniper Networks, a Silicon Valley
manufacturer of networking equipment.

Our findings could help private firms, public law enforcement agencies and
network security vendors gain a better understanding of the cybercriminal
activity they aim to suppress. Without studying this activity and exploring
the options to subdue it, very little is likely to change.

The black markets for cybercrime are a collection of activities that range
from simple to extremely sophisticated and that operate all over the world,
from New Jersey to Nigeria to China. There is no single location from which
the markets emanate; a unique aspect of operating in cyberspace is that it
is simultaneously nowhere specific yet everywhere. Goods and services are
usually reliable.

Implementation and transactions are quick and efficient. Cybercrime black
markets are comparable to other underground markets for illicit goods, such
as drugs, with the difference being that digital goods carry less risk and,
for some, offer greater profit. Some organizations can make hundreds of
millions of dollars per year.

The number of participants in cyber black markets is likely to rise,
because it is easier to get involved than it was 10 years ago. This is due
to the proliferation of websites, forums and chat channels where goods can
be bought and sold. An increased number of YouTube videos and Google guides
for "how to use exploit kit X" or "where to buy credit cards" also
facilitates entry into the market, especially for buyers.

Figure 1 shows the proliferation of exploit kits over the past decade. Too
numerous to name them all, the kits tend to go by feisty names such as
Fiesta, Liberty, Lucky, Nuke, Siberia, Sploit, Tornado, Blackhole,
Whitehole, Sweet Orange and Cool. The price for kits varies based on
whether they are purchased outright or rented. Do-it-yourself kits can cost
as little as $15; high-end rentals can command $10,000 per month.

Originally, the major players in the cyber black market were former state
employees of Eastern European countries who were well educated but found
themselves searching for gainful employment after the Berlin Wall fell in
1989. Since then, the entrepreneurial savvy of the players has soared with
the entry of a whole new generation of "digital natives" who can do more
things for themselves. (They do not have to, for example, hire anyone to
reverse-engineer a program or create an exploit.)

In terms of quantity, the leaders in malware attacks today operate out of
China, Latin America and Eastern Europe. In terms of quality, the leader is
Russia. There are Vietnamese groups that focus on e-commerce, while a
majority of Russian, Romanian, Lithuanian, Ukrainian and other Eastern
European groups focus on attacking financial institutions.

Chinese hackers are believed to focus on seizing intellectual property, as
underscored in May 2014 by the U.S. Department of Justice's accusations
against five members of the Chinese military who have allegedly stolen
trade secrets from five American companies and the United Steelworkers.

Some groups have partnered across international lines. As one expert put
it, "Groups that would traditionally never work together are working
together." One Vietnamese group partnered with Nigerians on a fraud scheme
involving stolen e-commerce accounts. A Colombian group set up
money-laundering "villages" in China.

U.S.-based participants in the market are becoming more involved. In 2007,
the majority of participants were from Russia, with the United States
having only a small representation. By 2013, almost a fifth of the market
was U.S.-based, ranked third behind Ukraine and Romania.

Although English is the universal language of commerce, it is not
necessarily the universal language of this commerce. The Web forums are
generally in Russian or Ukrainian. There are reports of English-only,
Mandarin-only, German-only and Vietnamese-only sites, among others. At the
same time, the victim-deception campaigns of "phishing," "spear-phishing"
and other social engineering operations are typically conducted in English,
because a majority of the targeted victims know that language.

The product slate keeps evolving with the technology. Malware for mobile
devices has been growing, in part because attacking mobile devices now
brings in money faster than attacking personal computers.

A stolen Twitter account now costs more than a stolen credit card, because
a Twitter account potentially has a greater yield, for two reasons: A
Twitter account can be used to target friends and family through
spear-phishing schemes, and many unsuspecting consumers use the same
password for their social media accounts as they do for their online
banking and e-commerce accounts. Twitter is also becoming a channel of
choice for the everyday transactions of malicious hackers, who are
increasingly using private Twitter accounts to make deals rather than using
open online forums or chat rooms.

Whatever is new or novel for the traditional consumer—from mobile devices
to cloud computing to social media platforms—offers new entries for attack
and will thus elicit a counterpart exploit on the black market. The trend
will accelerate, because more and more of the world will have a digital
component: By 2020, the number of connected devices will outnumber that of
connected people by a ratio of 6:1, compared with about 3:1 today, doubling
the avenues of potential exploitation.

Law enforcement "takedowns" (or arrests) have had little effect on the size
or composition of the black market. As one entity goes down, another takes
its place, often within days. As the enduring entities implement
countermeasures (such as stronger encryption, more vetting and increased
stealth), the market just hiccups, becoming somewhat less accessible and
less open but mostly returning to normal.

More of the market's transactions simply move to the "darknet"—that is, to
anonymous private networks that use encryption and proxies to obfuscate who
is communicating with whom. Illicit websites are also starting to accept
only digital cryptocurrencies, with their anonymity, non-traceability and
other security advantages.

The consequences of takedowns are transitory not only because of the market
behaviors cited above but also because many countries condone hacker
activity that is illegal in the United States. One Russian hacker was
arrested, released on a technicality, given an apology and now has ties to
the government. China tends to turn a blind eye as well. On the other hand,
Vietnam is very helpful to law enforcement groups, and Romania, Ukraine and
Poland have been selectively helpful.

Despite the transitory effects of cybercrime takedowns, they have recently
been on the rise, for three reasons. First, law enforcement has gotten
better over the past 10 to 15 years. Those entering the profession today
have grown up comfortable with technology and computers, and training in
the digital world has improved for law enforcers all over the world.

Overseas partnerships and cross-pollination of ideas have also strengthened
law enforcement—although perhaps more so at the federal level. Leadership
in law enforcement, intelligence and the U.S. Department of Defense has
accorded cybercrime top priority and moved resources accordingly.

Second, suspects are going after bigger targets and thus are attracting
more attention. Since around 2002, attacks have shifted from opportunistic
one-offs (against whichever individuals happened to be insecure) to
companies. Now that companies understand they are targets, they are more
willing to work with law enforcement, and the public-private partnership
has tightened.

Third, because almost every aspect of crime today involves a digital
component, law enforcement has a multitude of opportunities to encounter
crime in cyberspace and to learn from these encounters. (Figure 2
illustrates the biggest data breaches in history as a result of malicious
hacking.)

However, as mentioned above, law enforcement could also become a victim of
its own success. More arrests and takedowns lead to more media coverage,
drawing more perpetrators into the black markets and compelling those
already in the markets to grow smarter.

Today, malicious hackers appear to have the upper hand. The maturation of
cybercrime markets threatens individuals, businesses, law enforcement
agencies, national governments and military services around the world. The
deleterious effects on cybersecurity suggest the need for coordinated
efforts across the private and public sectors, nationally and
internationally, to suppress the black market activity.

In the private sector, computer security companies, device manufacturers,
Internet service providers and defense contractors should routinely
collaborate on developing updated approaches to thwarting online attacks.
Beyond the technical solutions (such as ever-thicker firewalls and
ever-stricter access controls), there are intriguing possibilities for
private firms to harness the power of their legitimate markets to fight
illegitimate ones.

For example, more private firms could sponsor "bug bounty" programs or
related contests, which offer financial rewards to anyone who finds or
reports a bug, virus or other vulnerability in a particular computer
software product. Google's bounty program pays $3,000 to $5,000 for
ordinary, easier-to-find bugs, with bounties in the range of $20,000 or
even upward of $200,000 or more for exotic and exceptionally nefarious
bugs, or those that affect a large market segment.

The U.S. government could funnel money to security vendors to help with
their bug bounty programs, or even create its own. As for computer hacking
contests, one good example is the annual Pwn2Own competition, which began
in 2007 and paid out $850,000 of prize money in 2014.

Commercial companies, defense contractors and government agencies alike
could also offer better pay and incentives to lure talented hackers away
from the illicit markets and into legitimate business and government
operations (especially those targeting the activities of other hackers).

All of these strategies could work in tandem: The bug bounty programs and
recurrent contests could serve as recruiting programs for permanent hires.
With better pay and incentive packages, the savviest hackers would
gravitate toward legitimate work, and the private firms and government
agencies would reap the benefits while removing the dangers. Over time,
this approach might even stop the arms race between security vendors and
those trying to render their products obsolete.

When hackers succeed in stealing customer data and placing the data on the
open market, banks or other merchants could possibly buy back their
customers' stolen information. This strategy would raise valid ethical
questions about legitimate businesses participating in the black market for
the implicit purpose of paying "ransom" for data "hostages."

But if the information is already stolen, this strategy might be a viable
way to protect it. On the other hand, this strategy could backfire by
alerting the attackers to what merchants believe is most important, or most
vulnerable, thereby bidding up the price for this particular kind of stolen
data and enticing the thieves to seize even more.

Law enforcement agencies could pursue several strategies, some of which
would benefit from advice from computer security firms. For instance, law
enforcement agencies could explore the costs and benefits of establishing
fake credit card shops, fake forums, fake websites or other cyber sting
operations to boost the number and quality of arrests, while simultaneously
tarnishing the reputation and confidence of the black markets.

These agencies could also explore the ramifications of hacking back—or
including an offensive component within law enforcement—to deny, degrade or
disrupt black market business operations. The lessons learned from
infiltrating, disrupting and combating the black markets for illegal drugs
and illegal arms could also be applied to the black markets for cybercrime.

Law enforcement and other government agencies could perhaps use the black
market to their advantage in their own offensive operations: By using black
market cybergoods, such as exploit kits and encryption tools, a government
officer would appear online as just another criminal, would not stand out
and would reduce the risk of being "fingerprinted."

Public opinion could collapse, however, if word got out that the U.S.
government were involved in the black market. Therefore, this tactic might
be allowed for only highly sensitive operations or extremely targeted
attacks.

Law enforcement agencies will also need to determine whether it is more
effective to pursue the small number of top-tier cybercriminals or the
large number of lower-tier participants. Worldwide, law enforcement
agencies will need to work together to prosecute and extradite the most
wanted criminals, coordinating their arrests and indictments.

From a regulatory standpoint, both private companies and law enforcement
agencies should inform legislators about the costs and benefits of
implementing various potential mandates: for encryption on point-of-sale
terminals (cash registers and online shopping carts), for safer storage of
passwords and user credentials, for worldwide adoption of credit cards with
embedded computer chips and personal identification numbers and for regular
checks of websites to prevent common vulnerabilities. All such mandates
would be intended to put a dent in the black market or to force major
changes in how it operates.

The urgency of these strategies will grow over time. In their absence, not
only will very little likely change to deter the criminals, but the victims
will stand to lose more and more.

A Glossary of Cybercrime

As-a-service: pertaining to outsourced hacking.

Botnet: a collection of compromised computers remotely controlled by a
central authority to send out spam, spread malware, launch attacks or
support illegal websites.

Bug bounty: a reward given for finding and reporting a bug or vulnerability
in a computer software product.

Cryptocurrency: a digital currency that incorporates codes and often offers
anonymity.

Darknet: an anonymous private network that uses encryption and proxies to
obfuscate who is communicating with whom.

Distributed denial of service: an attack by multiple compromised systems on
a single system.

Encryption: the process of encoding messages or information in such a way
that only authorized parties can read it.

Exploit kit: a tool that can be used to create, distribute and manage
malware to control user Web traffic, infect users or manage networks of
infected machines.

Fraudware/fakeware: malicious software that poses as legitimate but is
really not; it may falsely notify a user that a computer is infected with
(other) malware.

Hacking: gaining access to a computer surreptitiously.

Malware: software intended to damage or disable computers or computer
systems. Types of malware include viruses, worms, and Trojans.

Phishing: the attempt to capture usernames, passwords, and financial
information by masquerading as a trustworthy entity using email or other
electronic communications.

Rippers: people who do not provide the underground goods or services they
advertise.

Spear-phishing: phishing attempts directed at specific individuals or
companies.

Watering-hole attack: an attack on a popular website to infect all
legitimate visitors.

Zero-day vulnerability: an exploitable vulnerability unknown to a software
vendor and for which no patch has been created.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 