Attacks/Breaches
7/3/2013
07:08 AM
Dark Reading
Dark Reading
Quick Hits
50%
50%

How Cybercriminals Operate

A look at cybercriminal motives, resources, and processes -- and how they may affect enterprise defense

[The following is excerpted from "How Cybercriminals Operate," a new report posted this week on Dark Reading's "a href="http://www.darkreading.com/attacks-breaches">Attacks and Breaches Tech Center.]

Sun Tzu's The Art of War says "know your enemy," yet many businesses are unfamiliar with the cyber enemies that are attacking them every day. Mandiant's APT1 report provides fascinating insight into state-sponsored cyber espionage, but what about the world of the cybercriminal?

Fortinet's 2013 cybercrime report concludes that cybercriminal organizations are pretty much indistinguishable from any well-run, legitimate business operating in a global industry. They are organized, highly motivated, and react quickly to new opportunities and challenges by buying or renting specialist products and services if they don't have the necessary skills in-house.

In this Dark Reading report, we offer a look not at the world of foreign intelligence services or politically and theologically motivated hacktivists, but at the people and organizations that operate in the world of cybercrime. With a better understanding of cybercriminal activity and an appreciation of the threats cybercrime poses, businesses can make their defenses more effective.

The National Intelligence Estimate, the consensus view of the U.S. intelligence community, sees the current level of cyber espionage as a direct threat to the nation's economic interests. Taken with the recent high-profile accusations of state-sponsored cyber attacks against the United States, it's understandable that enterprises and government agencies arefocusing their attention on combating APT-style attacks emanating from other nation-states.

But these attacks are more about disrupting national infrastructures and the wholesale gathering of intelligence and intellectual property than they are about running a profitable but criminal business Criminals are motivated by greed, not ideologies, and the continuous growth of the Internet, e-commerce and data provides unlimited possibilities for making money.

Looking at the economics of cybercrime, it's easy to understand why crime syndicates have expanded their operations into cyberspace. The global nature of the Internet and the lack of effective cross-border and even national legislation make cybercrime relatively risk-free compared with traditional crimes. Trafficking drugs is probably still the most lucrative criminal trade, but the risks of getting caught are quite high. When it comes to cybercrime, on the other hand, the chances of getting caught, of being prosecuted or convicted, or of serving a full sentence are minimal.

For example, the Rustock botnet, thought to be capable of sending 30 billion messages a day from some 1 million infected computers, was taken down in 2011 after concerted efforts by Microsoft, U.S. federal law enforcement agents, FireEye and the University of Washington. The people behind Rustock have never been caught, despite Microsoft's offering a reward of $250,000 for information resulting in conviction.

Many players in the cybercrime economy are from or based in countries where there are weak cyber laws or a low level of enforcement, poor monitoring and even tacit government support for any business bringing in much-needed foreign earnings.

Countries that have a good educational system but offer few job opportunities are also a breeding ground for people susceptible to the lure of easy money.

Banner ads looking to recruit malware engineers give a rate of between $2,000 and $5,000 a month. This is quite alluring when you consider a sampling of national minimum annual wages in 2012: Estonia, $4,923; Brazil, $4,172; Russia, $1,794; and Moldova, $595.

Cybercrime requires no physical contact with victims -- they can be located anywhere in the world. This both reduces the chances of being caught and makes it very difficult for law enforcement to fingerprint a cybercriminal. It also greatly increases the potential number of victims of an attack and the return on investment.

And the ROI is astonishing: One network of hackers from countries including Estonia, Russia and Moldova reportedly defeated the encryption used by an RBS WorldPay computer network. The hackers and their associates withdrew more than $9.4 million from more than 2,100 ATMs across at least 280 cities around the world in less than 12 hours. This type of operation requires an incredible amount of preparation and organization.

To read more about cybercrime operations, motivations, resources, and methods -- and how you can defend against them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.