Battling the Underground World of Cybercrime

Ted Kritsonis dives deep into the underworld of cybercrime

Much like the roots of organized crime over a century ago, the early 21st century has already seen a significant evolution in the tactics and capabilities of perpetrators in the online world who risk almost anything to make an illicit income. But unlike quasi-celebrity gun-toting gangsters, cyberattackers have proven to be stealthy, sophisticated and adaptable in the online cat-and-mouse game with law enforcement.

Organized crime syndicates may have long arms, but there is still a geographical element to how they do business, whereas cybersecurity experts agree that the shadowy underground of cybercrime is borderless, porous and unflinching in its objectives.

According to Symantec’s ‘Norton Cybercrime Report 2011’, businesses and individuals lose $114 billion to cybercrime each year, with another $274 billion lost by companies trying to recover after an attack.

Internet Untouchables

In tackling the problem on a global scale, Interpol is looking to streamline its response within its Global Complex for Innovation (ICGI), a new cyber R&D, training and forensics facility in Singapore. The new complex is slated to open in 2014 and will be part of the Interpol Singapore Center, although cybercrime monitoring will be round-the-clock with facilities in Lyon and Buenos Aires taking part as well.

For its part, the FBI in the US has been active in pursuing cybercriminals within its borders, while also partnering with other law enforcement agencies on transnational cases. A major obstacle is that the most serious and egregious cyberattacks sometimes “fly under the radar”, says Supervisory Special Agent James Harris of the FBI.

“You might get a lot of press from a distributed denial-of-service (DDoS) attack, like a popular website going down, but the really professional underground attackers who do really good coding don’t get the same attention for some reason”, says Harris, who is also a Liaison Officer with the US Department of Homeland Security (DHS) and the US Computer Emergency Readiness Team (US-CERT). “What gets a lot of visibility is often the amateurish stuff because it’s ‘sexy’ and flashy for the press, and it sounds exciting when people try to pull off an attack on some known entity.”

Harris cites Operation Ghost Click as an example of a successful two-year investigation that virtually went unnoticed. The multi-jurisdictional operation dismantled a fraud ring that infected four million computers in 100 countries using malware called DNSChanger, which allowed hackers to control DNS servers. The six Estonian nationals charged in the sting were alleged to have used the compromised servers to lure unsuspecting users to fraudulent websites, in the process stealing personal and financial information. Harris adds that they amassed $14 million in ill-gotten gains through the elaborate ring.

“Even six months after we executed this order and notified the public to check their computers if they were infected and get them fixed, there were still 350,000 infected machines up to mid-April”, says Harris.

Another recent operation, Wreaking hAVoC, was a coordinated effort by the FBI and US Justice Department with Britain’s Serious Organised Crime Agency (SOCA) that led to the seizure of 36 websites called “Automatic Vending Carts”, which are essentially sites cyberattackers use to sell stolen credit card numbers. Cybercrime units in Australia, Germany, Ukraine, Macedonia, Romania and the Netherlands all participated in the operation by making a number of arrests and seizures.

Who is behind these cybercrimes is not easy to determine, Harris admits. While organized crime groups, particularly in Eastern Europe, have been known to engage in white-collar cybercrime, the perpetrators sometimes have no affiliation with any existing organization, loose or established.

“In some cases they’re very organized groups, but other times they’re ad hoc in that they don’t even know each other in the real world”, he observes. “It’s an interesting phenomenon, but they all have developed these kinds of trust relationships in the black market economy. You break your word on something – you’re out, and it’s hard to get close with them online to begin with.”

If You Can’t Beat Them…

Thinking like cybercriminals is what Martin Voelk and his team at Cyber51 – a UK-based cybersecurity consultancy he co-founded – are hired to do by businesses of all types and sizes. With satellite offices in Germany, the US and “underground” associates in Argentina and Australia, Voelk says the company employs ethical hackers and IT experts with experience in both the private and public sectors.

Rather than go undercover and reach out to cybercriminals, Voelk says Cyber51’s job is to “put the hacker’s hat on” and do penetration tests at the behest of their clients, to probe for vulnerabilities that might be exploited for extortion purposes.

“These guys are good at leaving no trace, so finding the actual point of origin of an attack takes work, unless you’re dealing with an amateur”, Voelk contends. “What is known is that countries with really good broadband, like the US, Canada, the UK, Germany, Japan, among others, are used as relays. The attacks aren’t necessarily launched in those countries, but they’re used as relays because the broadband connections can do more damage by pushing malicious traffic through.”


He adds that clients are usually not proactive until after they’ve suffered a breach, while concerns over compliance with government regulations and audits are another key reason for the increased volume his firm has seen over the last few years. One victim that recently became a client was a British sports gambling site that was hit with a DDoS attack after it refused to pay a ransom. The attack crippled the site on a Saturday afternoon, which is peak time for the English Premier League, leading to considerable revenue losses that day.

“We identified the holes and helped them implement DDoS solutions in order to mitigate those threats in the future, but they also wanted to know more about how cyberattackers might think if they were to try again”, Voelk recalls.
While stealing information or crippling websites is one pillar of cybercrime, the other lies in the underground black market economy that sustains the buying and selling of stolen data, and of the tools used to obtain it. Discussion forums show brazen conversations between cybercriminals over opportunities and developments, and parts of these sites are used to market malware products or even security holes that have otherwise gone undetected.

Moreover, amateur hackers – or ‘script kiddies’ – could utilize search engines and YouTube to learn how to use free malware tools like BackTrack. Voelk says these aren’t a significant threat to businesses with security deployments, but individuals using the tools can still attack other users without needing background knowledge or an understanding of the technology behind the malware.

This illicit trade in services and methodologies is actually growing more pervasive, notes Jean-Loup Richet, an information systems researcher who is a research associate at the Canada Research Chair in Identity, Security and Technology at the University of Montréal. He is also a member of the Postgraduate Committee at the British Society of Criminology.

“We’re in the era of the advanced persistent threat, and cybercrime is an increasing business with flourishing underground marketplaces that are feeding the professionalization of malware authors and hackers to the point where the Zeus malware even had professional tech support”, Richet tells Infosecurity. “These are opportunists who know where to look, and the huge growth of mobile devices is making them an attractive target for cybercriminals moving forward.”

From Booze and Gambling to Smartphones

The International Telecommunications Union (ITCU) recently released a report suggesting that mobile broadband penetration had reached 1.2 billion subscriptions worldwide in 2011. The bulk of this number is smartphones, which have accounted for 45% increases in each of the last four years.

“These are ‘computers on the go’ that are now subjected to attacks like phone flooding, smishing, SMS bombing and, particularly in developing countries, money laundering scams”, Richet advises. “Smartphones and tablets will provide potential access points to corporate networks if they aren’t integrated into the security infrastructure, but individuals will be equally targeted because of the personal information stored on these devices.”


A key reason why cyberattackers have their sights set on smartphones and tablets is that user behavioral patterns mimic those on computers, albeit with a higher level of comfort and trust in the technology, the FBI’s Harris adds. The numbers seem to support that, with Symantec’s report indicating that 10% of victims in 2011 had been hit on their mobile devices.

“There’s a lot more effort going into mobile malware development than there was five years ago”, Harris says. “There’s an obvious opportunity for intrusion because so many people log on to their bank accounts on smartphones without even thinking about it. This is why we’re beginning to see ongoing underground activity going into mobile malware, but on the other side, we also see vendors doing more in mobile anti-virus and security software.”

The range of attackers varies widely, from underground professionals, organized crime and street gangs to the curious amateur hacker, and it’s virtually impossible to estimate just how many are engaging in cybercrime worldwide.

“Some of the attacks don’t make for good stories in the press”, Harris says in parting, “and professional cyberattackers also have a vested interest in keeping them as quiet as possible”.
