Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:23 PM
Connect Directly

Economic Crisis May Be Boon For Cybercriminals, Experts Say

How the global financial crisis is affecting organized cybercrime

One industry sector is actually happy about the current state of the global economy: cybercriminals.

"One thing we've seen is financially based cybercrime is recession-proof," says Darren Mott, supervisory special agent for the FBI's Cyber Division. "With [this] changing economy, the only thing that changes is the way they go about obtaining their information."

Organized cybercrime has already begun capitalizing on the global financial crisis, cybercrime experts say, with targeted phishing attacks on customers whose banks have folded, and attacks that scam consumers who may be shopping less online, but are now spending more time at home. With fewer business and consumer targets available, the bad guys are redirecting their efforts to adapt to the market. For example, credit cards are out; debit cards are in.

"The crisis is good for cybercrime because people become more desperate for 'good deals.' It is bad for cybercrime in that they will continue operations much like they do now, but have to move around more often," says security expert Gadi Evron.

And they are already on the move: A wave of targeted phishing attacks on doomed banks and brokerages has been spotted by The Shadowserver Foundation during the past few weeks. "They were crafted a little better, mentioning the affected banks," as well as some that posed as the Better Business Bureau, says Andre' DiMino, co-founder and director of Shadowserver. "They are almost preying on how people are trying to be more savvy in what they buy and what they are doing as they are more careful in where they spend."

One attack used Citigroup's attempted takeover of Wachovia as a premise for stealing Wachovia customers' credentials. (Wells Fargo eventually outbid Citigroup for Wachovia). "There's been a surge in phishing, telling customers that due to the new takeover, they need new credentials," says Ori Eisen, founder and chief innovation officer for 41st Parameter. If the victim hands over his old credentials to "set" his new ones, it's game over for his bank account information.

Socially engineered attacks are typically a lucrative ploy by seasoned attackers. The FBI is seeing more spear phishing aimed at businesses that were hit hard by the economic downturn. "There has been an increase in attacks on specific individuals, such as CEOs and CFOs, because a lot of businesses are going under...that gives them more directed targets," the FBI's Mott says. The attackers lure them with promises of financial assistance, for instance, and some even pretend to be subpoenas from the Justice Department. One attack via e-mail urged bidders who had lost out on a government contract to resubmit their bids and, thus, spill sensitive contact and other information.

Bad guys continue to go after "hot items," such as online banking credentials and online shopping accounts, security experts say. "People are tending to be more focused on their finances and the economic situation than they are in securing their networks" and systems, Shadowserver's DiMino says. "They are logging into their banking and brokerage accounts more frequently, and malware [planted on their systems] will wake up when" they visit these sites, he says.

In the past two months, researchers at Finjan have found three times the number of servers with stolen data. "Before that, we'd see five or six servers in a single month, or one every week or so. Now we're seeing four or five servers a week," says Yuval Ben-Itzhak, CTO of Finjan. "Increased phishing attacks might be the reason, and a combination of both corporate and consumer [victims]."

Other researchers have cited a direct correlation between the stock market's nosedive and an increase in cybercrime activity. (See related story, Security Weathering Economic Storm.) Ryan Sherstobitoff, chief corporate evangelist for PandaLabs says he and his team first noticed a jump in overall malware on Sept. 16 when stocks started to dip significantly. Panda discovered a 5 to 30 percent increase in malware that day related to the recent wave of rogue antivirus adware attacks. "If the stock market is crashing, there's not a lot of confidence," Sherstobitoff says. And phony antivirus popups warning that your system-may-be-infected-so-you'd-better-run-this-scan preyed on fears, he says.

Meanwhile, law enforcement and cybercrime experts say more malicious Web sites posing as economic or financial advisory services will start to emerge in this jittery financial climate. "'Have you been victimized by your bank's closing? Check us out,'" is the type of lure the bad guys may use with these sites, DiMino says.

That means a reverse in the trend from the past few months of cybercriminals' silently infecting legitimate sites. "Expect to see malicious sites crop up that are geared to information-stealing, malware-dropping, pharming, and phishing rather than compromising legitimate site," he says.

And just as street crime increases in times of financial stress, more novice attackers and script kiddies are likely to perform an online version of shoplifting and bank robbery. "You're going to see more quick-hit script kiddies, like street crime," DiMino says.

It's simple enough for these amateur hackers to get into the business -- there's plenty of off-the-shelf software that automates phishing. All it takes is a Web server. "We know [when] it's an amateur because they are leaving their servers completely open and unprotected," Yuval Ben-Itzhak says.

The insider threat, too, will likely also intensify as layoffs spread in the corporate world. "You're going to see insider attacks and less direct hacks," Shadowserver's DiMino says. "There will be more of an attempt to infiltrate from inside, with botnets and SQL injection."

With potentially fewer overall enterprise targets, cybercrime organizations could end up fighting over turf. "In general, cybercrime is nothing more than a new form of organized crime," the FBI's Mott says. "You may see more online cybercrime 'violence.' DDoS attacks may go up."

Still, the bottom line is that the crisis hasn't hurt the cybercriminal's bottom line. Nor has it slowed any activity in the bustling online black market, at least thus far. "Right now, there's no observable effect. We still see the same trading activity on IRC channels," says Guillaume Lovet, senior manager for Fortinet's Threat Response Team.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...