Russian-language cybercrime gangs have recruited up to 1,000 new ‘employees’ over the past three years, although there are only around 20 people who make up the core of the average group, according to Kaspersky Lab.
The security vendor’s chief investigator, Ruslan Stoyanov, used a new report, “Russian financial cybercrime: how it works,” to uncover the cyber-criminals behind global attacks.
He claimed that law enforcers around the world have arrested over 160 Russian-speaking cyber-criminals since 2012 from gangs of all sizes.
In fact, they’ve been responsible for attacks that have harvested over $790 million—most of which ($509m) was stolen from outside the former USSR—although even this figure could be merely the tip of the iceberg.
The Russian-speaking cybercrime underground is flourishing, and motivated primarily by making money, the report claimed. Of the 330+ incidents investigated by Stoyanov and his team, 95% were connected with the theft of money or financial info.
Although the exact number of gangs working across the region is unknown, Kaspersky Lab revealed that they contain around 20 people on average.
It continued:
“We can calculate fairly precisely the number of people who make up the core structure of an active criminal group: the organizers, the money flow managers involved in withdrawing money from compromised accounts and the professional hackers. Across the cyber-criminal underground, there are only around 20 of these core professionals. They are regular visitors of underground forums, and Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information.”
After uncovering five such groups in 2012-13, Kaspersky Lab has been able to understand more about their operation and structure.
Key roles include programmers, web designers, system administrators, testers and cryptors—the latter tasked with ensuring that malware evades detection.
Staff are either paid a fixed wage or employed on a project basis as freelancers, and are recruited on underground and some mainstream job sites.
“By advertising ‘real’ job vacancies, cyber-criminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe,” said Stoyanov.
“The idea of searching for ‘employees’ in these regions is simple—they carry a saving because staff can be paid less than employees based in large cities. Criminals also often give preference to candidates who have not previously been involved in cybercrime activity.”
Groups could be organized in “affiliate” programs, small groups of up to 10 people, and large organizations like Carberp and Carbanak—with the latter type apparently the most “destructive and dangerous.”
Major campaigns are preceded by months of preparation—developing and selecting the malware, building the attack infrastructure and studying the target organization(s).
Unfortunately for consumers and companies around the world, such gangs will continue to flourish in the absence of adequate international cybercrime laws, frameworks for co-operation between law enforcement agencies, and a sufficient number of cyber-trained police.