Digging Up the Hacking Underground

The dark tunnels of the hacking underground are driven by money, information, and reputation
Well-funded, highly skilled cybercriminals sit at the top of the hacking hierarchy. Next step down are the script kiddies, and the 'borderline criminals' bring up the rear

Back in the days of prohibition, you knew where you were with crime. Underground economies were based on physical goods (such as illegal booze), and the economies really did operate underground. Al Capone frequented the tunnels of Moose Jaw, Saskatchewan, in Canada, which he used to produce his goods.

These days, the tunnels are encrypted links that stretch between continents, and the product is information. The underground cybercriminal economy is awash with things that don’t physically exist. Illicit code, credit card numbers and banking details have taken the place of moonshine, and the players take pains to separate their digital identities from their physical ones. Today’s underground hacker might be a disgruntled systems admin for a large corporation by day, and a database coder for phishing operations with a digital ‘handle’ by night.

Early virus writers were technically proficient, and wrote their code for kicks, rather than cash. In today’s commercially motivated underground economy, however, things are far more fragmented. The technical experts need other players to help them monetize their work.

“Things have moved to a service model concept”, explains Lee Graves, threat communications specialist at anti-malware firm eSoft. “Instead of doing everything themselves, they’ll contact someone else to help them. They will pay a percentage of whatever they make in correlation with that.”

"Illicit code, credit card numbers, and banking details have taken the place of moonshine"

These specialists include everyone from spam specialists who understand how to get email onto unwitting recipients’ computers, search engine optimization gurus who can craft text designed to appear at the top of search results pages, and network hackers who specialize in poisoning websites, to brokers who can harvest and sell sensitive credentials such as credit card numbers or banking passwords. Cybercrooks even use designated online hosting services, known as ‘bullet proof’ hosting firms, which will happily host everything from botnet command-and-control servers through to child pornography sites, while refusing takedown requests from authorities outside their borders.

Crime, at Your Service

In this way, the cybercrime underground has adopted the same capitalist characteristics as the legitimate one. Karl Marx probably wasn’t thinking about phishing scams when he wrote his theory of alienation, but it certainly applies.

Typically, these services are paid for via ‘virtual currency’. Don Jackson, director of threat intelligence at managed security company SecureWorks, cites Webmoney, ePassport, and eGold as examples. Someone wanting bulletproof hosting services, or a range of credit card numbers to produce cloned cards, would exchange credits with their service provider this way.

"Eastern Europe is where the best hackers are, even though there is more infrastructure in the US"
Catalin Cosoi, BitDefender

This modular economy is mirrored in code, says Catalin Cosoi, senior anti-spam and anti-phishing researcher at BitDefender. Over the past few years he has seen a marked change in malware architecture, as it, too, becomes more modular.

This modularization of code is closely linked to the services economy. Additional, separately charged modules designed to be plugged into crimeware toolkits can be sold for thousands of extra dollars. The licensing operations for the software have become so sophisticated that some products even ship with license keys designed to prevent unauthorized copying. Modules for crimeware kits have included Windows 7 compatibility modules, form grabbers designed for the Firefox browser, instant messaging notification from compromised PCs to crimeware users, and even VNC modules that let criminals take full control of a victim’s machine.

A Criminal Medusa

Apart from making cybercrime operations and code more efficient, this trend toward compartmentalization in the underground economy also has another benefit for online crooks: it makes them harder to track. Compartmentalized operations are a classic means of counter-intelligence. Terrorist groups use this all the time, restricting communications between individuals or small cells as much as possible, so that minimal information is exchanged on a need-to-know basis. In that way, if one cell is compromised, the health of the entire, loosely coupled organization is preserved.

Jackson sees such techniques emerging in the more organized cybercrime groups, which are generally well-funded and highly professional.

“They have an organizational structure and a chain of command. And there’s a longevity structure, in that if the head gets cut off, the chain of command can heal itself”, he says.

Much attention is paid to the masterminds of these operations, many of whom seem to reside in Eastern Europe and Russia. It is certainly true that many of the brains behind modern malware come from Eastern Europe, says Cosoi. “Eastern Europe is where the best hackers are, even though there is more infrastructure in the US. Much of that is probably due to the strong mathematical background there”, he explains.

Newbies: A Feast for Crooks

That said, however, anyone with an internet connection and a deficit of scruples can attempt to set themselves up as a cybercriminal, thanks to the shadow services economy that has developed. Those who write exploits have packaged them into toolkits that can be used by relative novices. “You don’t have to be an expert – you just have to buy a crimeware kit”, says eSoft’s Graves. “That’s the big shift from five years ago.”

These would-be criminals work their way into the underground hacking scene using two main avenues: covert IRC channels, or underground hacking websites. “These give you access to the invitation-only tiers”, Graves says. Newbies gaining access to these communities are able to buy the tools and services necessary to carry out their crimes.

"There’s a longevity structure, in that if the head gets cut off, the chain of command can heal itself"
Don Jackson, SecureWorks

For various reasons, many newcomers fail in their attempts to become cybercriminals. Many underestimate the money that they need to get started. After all, as in any services economy, those providing the necessary tools and facilities must be paid.

The new would-be criminals can also be ripped off just as badly as the people they hope to exploit. For example, in the past, phishing kits have been designed to secretly relay the credit card credentials that they gather for clients back to the kit’s author. Similarly, the cheaper bullet proof hosting services might happily decide to ditch a client for any number of reasons, and those customers will have little recourse to law enforcement.

Reputation is Everything

“Money buys loyalty”, says Jackson. But the other currency in the criminal underground is reputation. Criminals work their way up in the underworld by honing and demonstrating their skills. Being able to procure lists of legitimate credit card numbers or banking details, for example, or publishing working exploit code for a new vulnerability, will increase a criminal’s kudos among their peers, to the point where they may be able to form or join a crew of cybercriminals, each with their own skill to offer.

Social capital plays a large part in the transactions between these quasi-anonymous parties. “Handle and crew names are important”, says Jackson, who adds that the social dynamic in such crews can be complex and volatile, especially if someone wants to fill a niche in a crew’s skill set that has already been filled. “They may become competitive in their own ecosystem.”

This was the case with SpyEye, a banking trojan that competes with the Zeus botnet.

“There’s a guy called ReboDemon, who knows how to write malware. He’s pretty capable”, says Jackson, who explains that ReboDemon wanted to customize the Zeus code to make his own derivative kits, but was refused by the Zeus author, who wouldn’t bless him as a reseller. “So instead, he branched out and formed his own crew, where he sold SpyEye. Then, it becomes a marketing battle as much as a technical one.”

In that particular case, the rivalry extended into the technical realm, as later versions of SpyEye were programmed to neutralize Zeus, creating the same kind of botnet turf war that the security community saw with the Bagle and Netsky worms.

A Dark Hierarchy

This carefully orchestrated, reputation-based criminal underground has become stratified, with a high level of well-funded organized activity at the top, says Kevin Hogan, senior director, Symantec Security Response. This top tier of cybercriminals is highly skilled, and will write sophisticated exploits designed to take advantage of zero-day vulnerabilities in code.

The middle tier is populated by ‘script kiddies’, running crimeware tools such as Zeus and Neosploit, and targeting limited numbers of people. These exploits are often used once by individuals lacking expertise, and then abandoned.

“The third layer consists of stuff that’s borderline criminal”, says Hogan. This is where misleading applications such as fake anti-virus programs thrive. “Fake anti-virus tools are driven by affiliate programs. You have a vendor that signs up someone and they get installs, and they get paid.”

Often, the shady, semi-legal third tier can be combined with the first. Criminals can reap the relatively easy, immediate financial gain from gullible ‘customers’ driven by fear to buy fake AV programs, but those applications can drop malware on machines that will then harvest more valuable sensitive credentials in the medium-term.

Where the Virtual and the Physical Meet

Are there any links between these various tiers of cybercrime player and the ‘bricks-and-mortar’ world of organized criminals who profit from drugs, prostitution and racketeering? The real links happen at the very back end, says SecureWorks’ Jackson, because the physical and the digital crime may draw funding from the same people.

“A lot of the infrastructure is paid for up front. They seek out investors and borrow the money. The cyberoperations are separate, and there won’t be a lateral link with physical crime, but the investors at the top of the chain may be a link.”

As with all organized criminal activity, then, the hacking underground is hierarchical. Those at the top of the chain distance themselves from those at the bottom through intermediaries, anonymity, and geographical separation. A money mule relaying stolen cash from an account via Western Union to a city in Eastern Europe will be the first to be apprehended by law enforcement. The real brains of the cybercrime operation are buried far up the chain, where they are difficult to apprehend and charge.

For this elite tier of the hacking underground, a fate like Al Capone’s is unlikely. He was eventually sent to Alcatraz on tax fraud charges. But in a virtual world without financial borders, such considerations are moot.
