7/3/2013
07:08 AM
Dark Reading
Quick Hits

How Cybercriminals Operate

A look at cybercriminal motives, resources, and processes -- and how they may affect enterprise defense

[The following is excerpted from "How Cybercriminals Operate," a new report posted this week on Dark Reading's Attacks and Breaches Tech Center (http://www.darkreading.com/attacks-breaches).]

Sun Tzu's The Art of War says "know your enemy," yet many businesses are unfamiliar with the cyber enemies that are attacking them every day. Mandiant's APT1 report provides fascinating insight into state-sponsored cyber espionage, but what about the world of the cybercriminal?

Fortinet's 2013 cybercrime report concludes that cybercriminal organizations are pretty much indistinguishable from any well-run, legitimate business operating in a global industry. They are organized, highly motivated, and react quickly to new opportunities and challenges by buying or renting specialist products and services if they don't have the necessary skills in-house.

In this Dark Reading report, we offer a look not at the world of foreign intelligence services or politically and theologically motivated hacktivists, but at the people and organizations that operate in the world of cybercrime. With a better understanding of cybercriminal activity and an appreciation of the threats cybercrime poses, businesses can make their defenses more effective.

The National Intelligence Estimate, the consensus view of the U.S. intelligence community, sees the current level of cyber espionage as a direct threat to the nation's economic interests. Taken with the recent high-profile accusations of state-sponsored cyber attacks against the United States, it's understandable that enterprises and government agencies are focusing their attention on combating APT-style attacks emanating from other nation-states.

But these attacks are more about disrupting national infrastructures and the wholesale gathering of intelligence and intellectual property than they are about running a profitable but criminal business. Criminals are motivated by greed, not ideologies, and the continuous growth of the Internet, e-commerce and data provides unlimited possibilities for making money.

Looking at the economics of cybercrime, it's easy to understand why crime syndicates have expanded their operations into cyberspace. The global nature of the Internet and the lack of effective cross-border and even national legislation make cybercrime relatively risk-free compared with traditional crimes. Trafficking drugs is probably still the most lucrative criminal trade, but the risks of getting caught are quite high. When it comes to cybercrime, on the other hand, the chances of getting caught, of being prosecuted or convicted, or of serving a full sentence are minimal.

For example, the Rustock botnet, thought to be capable of sending 30 billion messages a day from some 1 million infected computers, was taken down in 2011 after concerted efforts by Microsoft, U.S. federal law enforcement agents, FireEye and the University of Washington. The people behind Rustock have never been caught, despite Microsoft's offering a reward of $250,000 for information resulting in conviction.

Many players in the cybercrime economy are from or based in countries where there are weak cyber laws or a low level of enforcement, poor monitoring and even tacit government support for any business bringing in much-needed foreign earnings.

Countries that have a good educational system but offer few job opportunities are also a breeding ground for people susceptible to the lure of easy money.

Banner ads looking to recruit malware engineers give a rate of between $2,000 and $5,000 a month. This is quite alluring when you consider a sampling of national minimum annual wages in 2012: Estonia, $4,923; Brazil, $4,172; Russia, $1,794; and Moldova, $595.

Cybercrime requires no physical contact with victims -- they can be located anywhere in the world. This both reduces the chances of being caught and makes it very difficult for law enforcement to fingerprint a cybercriminal. It also greatly increases the potential number of victims of an attack and the return on investment.

And the ROI is astonishing: One network of hackers from countries including Estonia, Russia and Moldova reportedly defeated the encryption used by an RBS WorldPay computer network. The hackers and their associates withdrew more than $9.4 million from more than 2,100 ATMs across at least 280 cities around the world in less than 12 hours. This type of operation requires an incredible amount of preparation and organization.

To read more about cybercrime operations, motivations, resources, and methods -- and how you can defend against them -- download the free report.
