Attacks/Breaches
12/19/2012
06:51 PM
50%
50%

Cybercrime Inc.: The Business Of The Digital Black Market

Report by security vendor Fortinet examines the structure of the cyber underworld

Money makes the world go 'round -- especially the world of cybercrime, where criminal groups have exploded in both number and sophistication.

In a new report, researchers at Fortinet dig into how cybercrime organizations continue to grow and generate profits. In a world where services from botnet rentals to black hat search engine optimization (SEO) are all for sale, the money criminals stand to make can be significant. For example, for $80, the report notes, a cyber-ring can get 20,000 backlinks for SEO purposes.

Other services, such as CAPTCHA breaking -- at a cost of $1 per 1,000 CAPTCHAs -- and botnet rentals -- at a cost of $40 per 20,000 spam emails -- are available as well.

"I would say that the organizations before used to be a handful in terms of organized cybercrime -- think of the RBN [Russian Business Network]," says Derek Manky, senior threat researcher at Fortinet's FortiGuard Labs. "Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there's more organizations, thanks to crimeware, crime services, existing source code, etc."

Today's cybercriminal enterprise is a complex ecosystem that encompasses executives, recruiters, and foot soldiers responsible for initiating the actual infection.

"The organization’s 'executives' make decisions, oversee operations, and ensure that everything runs smoothly," according to the Fortinet report. "Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry and are not involved with launching attacks."

In order to recruit that infantry, recruiters and affiliate program leads establish Web portals, the report explains, many of which originate in Russia. Some are closed communities that are accessible by invitation only; others, however, are open to the public.

"Oftentimes to protect themselves, open portals include disclaimers on the site that say, 'We do not allow spam or other illicit methods for machine infection,' the report notes. "These are typically in place to put the legal responsibility on the infantry. These portals provide the infantry with all of the necessary information they require to begin an infection campaign. Among other things, these tools include illicit software, support forums, payment rates and tracking and a method in which to receive payments upon completing a certain number of infections."

Fortinet compares the people running the affiliate programs to middle managers who are recruited through "old boy" networks or underground forums.

"To properly arm the infantry, recruiters/affiliates must develop the programs used to infect other systems," the report notes. "These applications include, but are not limited to, fake antivirus software, ransomware, and even botnets."

Crime services such as the ones mentioned above are offered by middlemen at the infantry or syndicate level as a way to make more money, according to the report. And then there are the money mules, who allow the organization to launder its proceeds.

Money mules are often recruited through advertisements and are used to anonymously to move money from one country or bank account to another -- typically using anonymous wire transfer services such as Western Union, Liberty Reserve, U Kash, and WebMoney.

While the report mentions the importance of cracking down on rogue registrars and initiating botnet takedown operations, going after the money is also a great way to hit back on the enforcement side, Manky opines.

"Particularly, the affiliate sponsors -- the ones paying out the money to these PPI/PPP programs -- that is the Achilles heel," he says. "Without that sort of money flow, you take out the infantry [middlemen] who are getting paid via these sponsorship programs. I think it's a good idea, but realistically would require more dedicated resources on the enforcement side -- concentrating mainly on fraud through payment processors, money mules, and affiliate sponsors."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.