Attacks/Breaches
7/3/2013
07:08 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

How Cybercriminals Operate

A look at cybercriminal motives, resources, and processes -- and how they may affect enterprise defense

[The following is excerpted from "How Cybercriminals Operate," a new report posted this week on Dark Reading's "a href="http://www.darkreading.com/attacks-breaches">Attacks and Breaches Tech Center.]

Sun Tzu's The Art of War says "know your enemy," yet many businesses are unfamiliar with the cyber enemies that are attacking them every day. Mandiant's APT1 report provides fascinating insight into state-sponsored cyber espionage, but what about the world of the cybercriminal?

Fortinet's 2013 cybercrime report concludes that cybercriminal organizations are pretty much indistinguishable from any well-run, legitimate business operating in a global industry. They are organized, highly motivated, and react quickly to new opportunities and challenges by buying or renting specialist products and services if they don't have the necessary skills in-house.

In this Dark Reading report, we offer a look not at the world of foreign intelligence services or politically and theologically motivated hacktivists, but at the people and organizations that operate in the world of cybercrime. With a better understanding of cybercriminal activity and an appreciation of the threats cybercrime poses, businesses can make their defenses more effective.

The National Intelligence Estimate, the consensus view of the U.S. intelligence community, sees the current level of cyber espionage as a direct threat to the nation's economic interests. Taken with the recent high-profile accusations of state-sponsored cyber attacks against the United States, it's understandable that enterprises and government agencies arefocusing their attention on combating APT-style attacks emanating from other nation-states.

But these attacks are more about disrupting national infrastructures and the wholesale gathering of intelligence and intellectual property than they are about running a profitable but criminal business Criminals are motivated by greed, not ideologies, and the continuous growth of the Internet, e-commerce and data provides unlimited possibilities for making money.

Looking at the economics of cybercrime, it's easy to understand why crime syndicates have expanded their operations into cyberspace. The global nature of the Internet and the lack of effective cross-border and even national legislation make cybercrime relatively risk-free compared with traditional crimes. Trafficking drugs is probably still the most lucrative criminal trade, but the risks of getting caught are quite high. When it comes to cybercrime, on the other hand, the chances of getting caught, of being prosecuted or convicted, or of serving a full sentence are minimal.

For example, the Rustock botnet, thought to be capable of sending 30 billion messages a day from some 1 million infected computers, was taken down in 2011 after concerted efforts by Microsoft, U.S. federal law enforcement agents, FireEye and the University of Washington. The people behind Rustock have never been caught, despite Microsoft's offering a reward of $250,000 for information resulting in conviction.

Many players in the cybercrime economy are from or based in countries where there are weak cyber laws or a low level of enforcement, poor monitoring and even tacit government support for any business bringing in much-needed foreign earnings.

Countries that have a good educational system but offer few job opportunities are also a breeding ground for people susceptible to the lure of easy money.

Banner ads looking to recruit malware engineers give a rate of between $2,000 and $5,000 a month. This is quite alluring when you consider a sampling of national minimum annual wages in 2012: Estonia, $4,923; Brazil, $4,172; Russia, $1,794; and Moldova, $595.

Cybercrime requires no physical contact with victims -- they can be located anywhere in the world. This both reduces the chances of being caught and makes it very difficult for law enforcement to fingerprint a cybercriminal. It also greatly increases the potential number of victims of an attack and the return on investment.

And the ROI is astonishing: One network of hackers from countries including Estonia, Russia and Moldova reportedly defeated the encryption used by an RBS WorldPay computer network. The hackers and their associates withdrew more than $9.4 million from more than 2,100 ATMs across at least 280 cities around the world in less than 12 hours. This type of operation requires an incredible amount of preparation and organization.

To read more about cybercrime operations, motivations, resources, and methods -- and how you can defend against them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3345
Published: 2014-08-28
The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 does not properly check authorization for administrative web pages, which allows remote attackers to modify the product via a crafted URL, aka Bug ID CSCuq31503.

CVE-2014-3347
Published: 2014-08-28
Cisco IOS 15.1(4)M2 on Cisco 1800 ISR devices, when the ISDN Basic Rate Interface is enabled, allows remote attackers to cause a denial of service (device hang) by leveraging knowledge of the ISDN phone number to trigger an interrupt timer collision during entropy collection, leading to an invalid s...

CVE-2014-4199
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, allows local users to write to arbitrary files via a symlink attack on a file in /tmp.

CVE-2014-4200
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, uses 0644 permissions for the vm-support archive, which allows local users to obtain sensitive information by extracting files from this archive.

CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.