Attacks/Breaches
12/19/2012
06:51 PM
50%
50%

Cybercrime Inc.: The Business Of The Digital Black Market

Report by security vendor Fortinet examines the structure of the cyber underworld

Money makes the world go 'round -- especially the world of cybercrime, where criminal groups have exploded in both number and sophistication.

In a new report, researchers at Fortinet dig into how cybercrime organizations continue to grow and generate profits. In a world where services from botnet rentals to black hat search engine optimization (SEO) are all for sale, the money criminals stand to make can be significant. For example, for $80, the report notes, a cyber-ring can get 20,000 backlinks for SEO purposes.

Other services, such as CAPTCHA breaking -- at a cost of $1 per 1,000 CAPTCHAs -- and botnet rentals -- at a cost of $40 per 20,000 spam emails -- are available as well.

"I would say that the organizations before used to be a handful in terms of organized cybercrime -- think of the RBN [Russian Business Network]," says Derek Manky, senior threat researcher at Fortinet's FortiGuard Labs. "Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there's more organizations, thanks to crimeware, crime services, existing source code, etc."

Today's cybercriminal enterprise is a complex ecosystem that encompasses executives, recruiters, and foot soldiers responsible for initiating the actual infection.

"The organization’s 'executives' make decisions, oversee operations, and ensure that everything runs smoothly," according to the Fortinet report. "Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry and are not involved with launching attacks."

In order to recruit that infantry, recruiters and affiliate program leads establish Web portals, the report explains, many of which originate in Russia. Some are closed communities that are accessible by invitation only; others, however, are open to the public.

"Oftentimes to protect themselves, open portals include disclaimers on the site that say, 'We do not allow spam or other illicit methods for machine infection,' the report notes. "These are typically in place to put the legal responsibility on the infantry. These portals provide the infantry with all of the necessary information they require to begin an infection campaign. Among other things, these tools include illicit software, support forums, payment rates and tracking and a method in which to receive payments upon completing a certain number of infections."

Fortinet compares the people running the affiliate programs to middle managers who are recruited through "old boy" networks or underground forums.

"To properly arm the infantry, recruiters/affiliates must develop the programs used to infect other systems," the report notes. "These applications include, but are not limited to, fake antivirus software, ransomware, and even botnets."

Crime services such as the ones mentioned above are offered by middlemen at the infantry or syndicate level as a way to make more money, according to the report. And then there are the money mules, who allow the organization to launder its proceeds.

Money mules are often recruited through advertisements and are used to anonymously to move money from one country or bank account to another -- typically using anonymous wire transfer services such as Western Union, Liberty Reserve, U Kash, and WebMoney.

While the report mentions the importance of cracking down on rogue registrars and initiating botnet takedown operations, going after the money is also a great way to hit back on the enforcement side, Manky opines.

"Particularly, the affiliate sponsors -- the ones paying out the money to these PPI/PPP programs -- that is the Achilles heel," he says. "Without that sort of money flow, you take out the infantry [middlemen] who are getting paid via these sponsorship programs. I think it's a good idea, but realistically would require more dedicated resources on the enforcement side -- concentrating mainly on fraud through payment processors, money mules, and affiliate sponsors."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?