Computer Crime Research Center


Inside the cybercrime economy

Date: July 31, 2008

T security is in a state of flux because hackers are developing an organised, systematic approach to committing online fraud, warned security expert Steve Gold at the recent B2B Centre ebusiness seminar.

Citing research from specialist security firm Finjan's Q2 2008 Web Security Trends Report, Gold said, "Criminals now use similar applications to those you find in the business world and supply their customers as a service."

"The chances of being caught are extremely low and the profit from a $10,000 investment can be as much as 2500%. It's more profitable and less risky than prostitution or drug smuggling," he said.

"Fraud will take the path of least resistance and this is certainly true when it comes to electronic threats."

Finjan's chief technology officer Yuval Ben-Itzhak confirms that the cybercrime market has been maturing rapidly during the past 18 months. "It has evolved into a booming business, operating in a major shadow economy with an organisational structure that closely mimics the real business world."

According to Finjan's recent report, loosely organised clusters of hackers trading stolen data online are being replaced by hierarchical organizations with sophisticated pricing models and internal processes. The cybercrime "boss" operates as an entrepreneur and does not commit the cybercrimes himself. Underlings will distribute Trojan horse viruses through their campaign managers with networks of affiliates who carry out the attacks and steal data.

The wave of Asprox attacks that attempted to inject minute iframes into SQL Server-based websites during May 2008 was an example of this new, mature approach, according to Ben-Itzhak. Finjan detected more than 1,000 domains that were compromised by this attack, inluding a number of government and corporate websites. Each of the compromised domains pointed to a virus that was served by an expanding network of 160+ malware domains.

The return for promoting malicious code works out to a couple of cents per iframe, Finjan reported. The rest of the crimeware server business model is built up around a toolkit for distributing Trojan horse viruses that costs between $100-$700, and a command and control (C&C) application that typically costs around $700. But these tools can also be obtained online for free.

When faced with what Gold described as "hybridised, multi-vector attacks" (combining different techniques such as website hacking and phishing emails, and coming at the organisation from a variety of directions), what are organisations supposed to do?

Gold's advice was based on the need to maintain multiple layers of defence. And here, he said, the skills of the auditor were particularly appropriate. "Audit and security is a state of mind," he said. "Don't be complacent, you should review your systems and conduct a risk analysis."

While cybercriminals had access to commercial tools, so did the good guys, he continued. "Auditors now have access to a wide range of data about what is happening on their organisation's network. This is particularly important when it comes to defining and enforcing security policies on the IT resource."

Among these programs was a security technology called behavioural analysis, where the software could breakdown all computing activity into information blocks that travelled across the internet and spot unusual behaviours.

Behavioural analysis can act as a safety net for picking up previously unknown threats, but is not the be-all and end-all of IT security, Gold continued.

"It's all about building blocks into the wall," he said.

"One of those bricks are IT skills. Developing IT security skills in house will make you far more secure than if you rely on third parties. It isn't rocket science. You can learn this. I did and have evolved my understanding in the same way I approached accountancy - from basic principles upwards."

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo