"One thing we've seen is financially based cybercrime is recession-proof," says Darren Mott, supervisory special agent for the FBI's Cyber Division. "With [this] changing economy, the only thing that changes is the way they go about obtaining their information."
Organized cybercrime has already begun capitalizing on the global financial crisis, cybercrime experts say, with targeted phishing attacks on customers whose banks have folded, and attacks that scam consumers who may be shopping less online, but are now spending more time at home. With fewer business and consumer targets available, the bad guys are redirecting their efforts to adapt to the market. For example, credit cards are out; debit cards are in.
"The crisis is good for cybercrime because people become more desperate for 'good deals.' It is bad for cybercrime in that they will continue operations much like they do now, but have to move around more often," says security expert Gadi Evron.
And they are already on the move: A wave of targeted phishing attacks on doomed banks and brokerages has been spotted by The Shadowserver Foundation during the past few weeks. "They were crafted a little better, mentioning the affected banks," as well as some that posed as the Better Business Bureau, says Andre' DiMino, co-founder and director of Shadowserver. "They are almost preying on how people are trying to be more savvy in what they buy and what they are doing as they are more careful in where they spend."
One attack used Citigroup's attempted takeover of Wachovia as a premise for stealing Wachovia customers' credentials. (Wells Fargo eventually outbid Citigroup for Wachovia.) "There's been a surge in phishing, telling customers that due to the new takeover, they need new credentials," says Ori Eisen, founder and chief innovation officer for 41st Parameter. If the victim hands over his old credentials to "set" his new ones, it's game over for his bank account information.
Socially engineered attacks are typically a lucrative ploy by seasoned attackers. The FBI is seeing more spear phishing aimed at businesses that were hit hard by the economic downturn. "There has been an increase in attacks on specific individuals, such as CEOs and CFOs, because a lot of businesses are going under...that gives them more directed targets," the FBI's Mott says. The attackers lure them with promises of financial assistance, for instance, and some messages even pose as subpoenas from the Justice Department. One attack via e-mail urged bidders who had lost out on a government contract to resubmit their bids and, thus, spill sensitive contact and other information.
Bad guys continue to go after "hot items," such as online banking credentials and online shopping accounts, security experts say. "People are tending to be more focused on their finances and the economic situation than they are in securing their networks" and systems, Shadowserver's DiMino says. "They are logging into their banking and brokerage accounts more frequently, and malware [planted on their systems] will wake up when" they visit these sites, he says.
In the past two months, researchers at Finjan have found three times the number of servers with stolen data. "Before that, we'd see five or six servers in a single month, or one every week or so. Now we're seeing four or five servers a week," says Yuval Ben-Itzhak, CTO of Finjan. "Increased phishing attacks might be the reason, and a combination of both corporate and consumer [victims]."
Other researchers have cited a direct correlation between the stock market's nosedive and an increase in cybercrime activity. (See related story, Security Weathering Economic Storm.) Ryan Sherstobitoff, chief corporate evangelist for PandaLabs, says he and his team first noticed a jump in overall malware on Sept. 16 when stocks started to dip significantly. Panda discovered a 5 to 30 percent increase in malware that day related to the recent wave of rogue antivirus adware attacks. "If the stock market is crashing, there's not a lot of confidence," Sherstobitoff says. And phony antivirus popups warning that your system-may-be-infected-so-you'd-better-run-this-scan preyed on fears, he says.
Meanwhile, law enforcement and cybercrime experts say more malicious Web sites posing as economic or financial advisory services will start to emerge in this jittery financial climate. "'Have you been victimized by your bank's closing? Check us out,'" is the type of lure the bad guys may use with these sites, DiMino says.
That means a reverse in the trend from the past few months of cybercriminals' silently infecting legitimate sites. "Expect to see malicious sites crop up that are geared to information-stealing, malware-dropping, pharming, and phishing rather than compromising legitimate sites," he says.
And just as street crime increases in times of financial stress, more novice attackers and script kiddies are likely to perform an online version of shoplifting and bank robbery. "You're going to see more quick-hit script kiddies, like street crime," DiMino says.
It's simple enough for these amateur hackers to get into the business -- there's plenty of off-the-shelf software that automates phishing. All it takes is a Web server. "We know [when] it's an amateur because they are leaving their servers completely open and unprotected," Yuval Ben-Itzhak says.
The insider threat, too, will likely intensify as layoffs spread in the corporate world. "You're going to see insider attacks and less direct hacks," Shadowserver's DiMino says. "There will be more of an attempt to infiltrate from inside, with botnets and SQL injection."
With potentially fewer overall enterprise targets, cybercrime organizations could end up fighting over turf. "In general, cybercrime is nothing more than a new form of organized crime," the FBI's Mott says. "You may see more online cybercrime 'violence.' DDoS attacks may go up."
Still, the bottom line is that the crisis hasn't hurt the cybercriminal's bottom line. Nor has it slowed any activity in the bustling online black market, at least thus far. "Right now, there's no observable effect. We still see the same trading activity on IRC channels," says Guillaume Lovet, senior manager for Fortinet's Threat Response Team.