Rick Orloff, CSO at endpoint data recovery specialist Code42, looks at the professional nature of online crime in 2016, and what is being done to battle it.
With estimates that hackers who steal just 50 credit card numbers can make up to $1 million, there is little doubt that cybercrime pays. However, the business character of cybercrime goes well beyond its revenues. Over the last five years this underground economy has reshaped itself into a sophisticated enterprise, adopting the same hierarchies, sales models and marketing practices as legal businesses.
A peek behind the scenes of this black market is like holding up a mirror to the practices of legitimate businesses. The core exception is that, free of the regulation and reporting obligations that encumber legal organizations, cyber-criminals can innovate faster. This keeps them a step ahead of our defenses and makes it difficult to catch the perpetrators or collapse the market. It is only by understanding how these criminal enterprises operate that we can hope to challenge them, through a combination of law enforcement, technical defenses, proactive intervention in human behavior, and secure operational business models.
Cybercrime Inc.
The days when the hooded lone hacker posed the greatest threat are long gone. Lone hackers can still do serious damage, but today's cyber-criminals increasingly operate with corporate structures: a C-suite of Armani-clad entrepreneurs leading hierarchies of middle managers, low-level employees and contractors.
In fact, a large organized workforce can be employed to manage the many layers of a cyber-attack, from coding and distributing malware to identifying infection points and managing compromised endpoints or accounts. Further, specialists are brought in to mine the data the attackers acquire and assess how it can be monetized.
An in-depth Google report into the underground economy found that the cybercrime industry boasts a thriving freelance model in which specialists offer 'crime-as-a-service'. Examples include exploit writers who discover vulnerabilities and package them into exploit kits, malware testers who check that new samples evade antivirus products, bot herders who infect computers and lease out the resulting botnets, and tool providers who spread spam and malware. At the bottom of the pile are the money mules who, sometimes unwittingly, move stolen funds into legitimate accounts.
More traditional business roles are also flourishing in this black market. There are specialist recruiters who source the subject matter experts required by cybercrime entrepreneurs. There is also a strong market for content creators who develop spam emails, blogs and phishing sites, ensuring that these look legitimate in any language.
It is also worth noting that, as in any industry, competition is rife and mergers and acquisitions are common. In 2010, it was reported that two competing malware giants, Zeus and SpyEye, had merged. The well-known banking Trojans continued to operate until summer 2015, when a Europol-coordinated operation took down the Ukraine-based syndicate suspected of running them.
Marketing and Sales Channels
Cyber-criminals use the same tools as legitimate businesses when it comes to marketing and selling their wares. According to a RAND report into the cybercrime market, increasingly sophisticated e-commerce storefronts are being launched, supported by email marketing campaigns. These sites are invite-only, however, and communication is kept underground on anonymity networks like Tor and Freenet. The laws of supply and demand also govern the black market, according to further insight from Google.
With an increasing supply of goods for sale, be it credit card numbers, personal health information or employee data, sellers have to stand out. Some offer money-back guarantees that their malware will go undetected for months, or refunds if a stolen credit card is cancelled before it can be used. And while "bad sellers" may be able to hide from law enforcement, they cannot hide from their customers: they are routinely shamed on black market trading forums.
Research and Development
Innovation is at the core of the cybercrime enterprise. Competition and commercial gain drive these organizations to invest in research and development at a number of levels. Firstly, as the number of connected devices, cloud services and social platforms grows, the black market is determined to keep pace, because each of these consumer and business solutions offers new entry points through which cyber-criminals can reach and exploit data.
Beyond finding new access points, these businesses are also constantly developing and testing new scams, from compromising office devices like printers to registering domain names that resemble those of known brands in order to peddle counterfeit goods. Finally, the most sophisticated, headline-grabbing attacks require intense investment in both technical attack vectors and social engineering techniques to succeed.
Financial Trading Systems
Any commerce relies on a currency system. The introduction of virtual currencies like Bitcoin, for all the advances it has brought to fintech, has also made it easier for cyber-criminals to remain hidden from law enforcement, because such currencies make traditional 'follow the money' investigations far more difficult. Before it was shut down by the U.S. authorities in 2013, the Liberty Reserve digital currency service had been used by about one million people worldwide to launder roughly $6 billion over seven years. Digital payment services such as PayPal and Alibaba are also abused by hackers to move funds.
Tackling the Cybercrime Enterprise
Given the sophistication of today’s cybercrime enterprise, there is no simple solution to preventing attacks and protecting businesses and consumers. However, we have seen progress on a number of fronts.
Some businesses have started to take a proactive approach to monitoring black market developments. For example, Twitter has been known to track and disable fake accounts, preventing cyber-criminals from selling them to spammers. Google has taken a more economic approach, working to drive up the price of the zombie accounts used for launching attacks so that they become less attractive to spammers.
Regulators are also taking action with initiatives designed to improve the way businesses store and protect sensitive data, such as Privacy Shield and the EU General Data Protection Regulation, making it more difficult for cyber-criminals to access and exploit digital information.
It is also safe to say that, in the wake of a number of high-profile attacks, the financial and reputational impact of cybercrime is now understood. In fact, our recent Datastrophe study found that over a third of workers believe the company they work for may be at risk of a data breach in the next year.
With security becoming a board-level issue, businesses are starting to invest in multi-layered defenses. With an influx of mobile devices such as smartphones and wearables entering the workplace, businesses can no longer afford to rely on perimeter protection alone. It must be supplemented by an endpoint data solution that protects and backs up data wherever it resides.
The best solutions on the market today can track data movement across devices, so that unusual activity can be detected. The backup and real-time recovery element allows businesses to restore lost data to any point in time and, if required, get a replacement device up and running in a matter of minutes.
Additionally, when it comes to tackling cybercrime, we are held back by the reluctance of businesses to share details of attacks. This is in direct contrast to cybercrime corporations, where 'crime-as-a-service' contractors have a market-wide view of which types of attack are producing results. By encouraging real-time sharing of experiences and intelligence, businesses and governments can work together to stay collectively ahead of the cyber-criminals, which would sharply reduce the effectiveness of organized cyber-attacks.
While it is true that none of the measures we have outlined above will bring down the black market alone, taken together they can help us fight back against sophisticated cybercrime enterprises. It is only by bringing together ‘protect’ and ‘prevent’ measures across policy making, law enforcement and smart technology solutions that we can start to tackle the cybercrime industry.