Attacks/Breaches
12/19/2012
06:51 PM
50%
50%

Cybercrime Inc.: The Business Of The Digital Black Market

Report by security vendor Fortinet examines the structure of the cyber underworld

Money makes the world go 'round -- especially the world of cybercrime, where criminal groups have exploded in both number and sophistication.

In a new report, researchers at Fortinet dig into how cybercrime organizations continue to grow and generate profits. In a world where services from botnet rentals to black hat search engine optimization (SEO) are all for sale, the money criminals stand to make can be significant. For example, for $80, the report notes, a cyber-ring can get 20,000 backlinks for SEO purposes.

Other services, such as CAPTCHA breaking -- at a cost of $1 per 1,000 CAPTCHAs -- and botnet rentals -- at a cost of $40 per 20,000 spam emails -- are available as well.

"I would say that the organizations before used to be a handful in terms of organized cybercrime -- think of the RBN [Russian Business Network]," says Derek Manky, senior threat researcher at Fortinet's FortiGuard Labs. "Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there's more organizations, thanks to crimeware, crime services, existing source code, etc."

Today's cybercriminal enterprise is a complex ecosystem that encompasses executives, recruiters, and foot soldiers responsible for initiating the actual infection.

"The organization’s 'executives' make decisions, oversee operations, and ensure that everything runs smoothly," according to the Fortinet report. "Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry and are not involved with launching attacks."

In order to recruit that infantry, recruiters and affiliate program leads establish Web portals, the report explains, many of which originate in Russia. Some are closed communities that are accessible by invitation only; others, however, are open to the public.

"Oftentimes to protect themselves, open portals include disclaimers on the site that say, 'We do not allow spam or other illicit methods for machine infection,' the report notes. "These are typically in place to put the legal responsibility on the infantry. These portals provide the infantry with all of the necessary information they require to begin an infection campaign. Among other things, these tools include illicit software, support forums, payment rates and tracking and a method in which to receive payments upon completing a certain number of infections."

Fortinet compares the people running the affiliate programs to middle managers who are recruited through "old boy" networks or underground forums.

"To properly arm the infantry, recruiters/affiliates must develop the programs used to infect other systems," the report notes. "These applications include, but are not limited to, fake antivirus software, ransomware, and even botnets."

Crime services such as the ones mentioned above are offered by middlemen at the infantry or syndicate level as a way to make more money, according to the report. And then there are the money mules, who allow the organization to launder its proceeds.

Money mules are often recruited through advertisements and are used to anonymously to move money from one country or bank account to another -- typically using anonymous wire transfer services such as Western Union, Liberty Reserve, U Kash, and WebMoney.

While the report mentions the importance of cracking down on rogue registrars and initiating botnet takedown operations, going after the money is also a great way to hit back on the enforcement side, Manky opines.

"Particularly, the affiliate sponsors -- the ones paying out the money to these PPI/PPP programs -- that is the Achilles heel," he says. "Without that sort of money flow, you take out the infantry [middlemen] who are getting paid via these sponsorship programs. I think it's a good idea, but realistically would require more dedicated resources on the enforcement side -- concentrating mainly on fraud through payment processors, money mules, and affiliate sponsors."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.