Report: Cybercriminals Take Lessons From Business School

Online bad guys building specialized businesses along with sophisticated marketing and distribution strategies, Cisco study says

5 Min Read

They follow business plans and marketing plans. They can respond quickly to new sales opportunities. They specialize, they share data, and they form partnerships. They compete on an open market, offering performance guarantees, 24-hour customer support, and service level agreements.

Oh, there's one thing that separates these savvy enterprises from others, though " their primary product is cybercrime.

The increasing sophistication of cybercriminals " both at the technical and financial levels " is a key theme of a new midyear security reportpublished today by the research team at Cisco Systems.

The report, which analyzes security trends over the past six months, indicates that cybercrime is becoming an increasingly sophisticated economy that, in many ways, mirrors conventional industries. Rather than trying to do everything themselves, cybercriminals are beginning to specialize in specific attacks or functions " such as botnet operation or spam campaigning " and attempting to differentiate themselves in an increasingly-competitive market with branding, customer support, and service guarantees.

"What's remarkable to us is the growth in sophistication that we've seen developing recently," says Marie Hattar, vice president of network systems and security at Cisco. "All of the practices we learn about in business school " cybercriminals are practicing them now. They're basically ripping off all of the best practices of marketing and business development from legitimate companies and applying them to their own market."

The report notes that cybercriminals are now responding with tremendous speed to exploit "business opportunities," such as public interest in the swine flu virus or the death of Michael Jackson. In each case, spam and malware distribution campaigns appeared within days, even hours, of the events, exploiting users' curiosity to drive traffic, Cisco researchers observe.

More significantly, cybercriminals are finding ways to partner and outsource specific aspects of their campaigns, the researchers state. The recent links between Conficker and Waledac " two separately-developed, botnet-driven exploits " suggest that cybercriminals have found ways to build partnerships that combine to help infections spread more quickly or work more effectively.

"We're seeing more specialized services being offered in the cybercrime marketplaces," says Scott Olechowski, a Cisco security researcher. "You can have a service scan your malware with a variety of different antivirus packages to see whether it will be blocked. You can hire a service to do CAPTCHA breaking, so that you don't have to do it yourself. You can hire out these services and simply Paypal them the money."

Cybercriminals are also developing more sophisticated methods of marketing and distribution, the researchers say. Many attackers are becoming adept at manipulating search engine results so that their malicious sites appear at the top of the results page, Hattar notes. Other cybercriminals are using traditional marketing strategies to sell their wares, offering customer support lines, performance guarantees, and service level agreements via underground forums, marketplaces, and auction sites that let them advertise their capabilities.

"We haven't gone as far as to buy these services and test out their customer service, but my guess is that a lot of these "customer service" offers are 100 percent bogus," Olechowski says. "It's hard to imagine cybercriminals having a 24-hour help line. But they do make the services look a lot more attractive to a potential buyer."

While the increasing sophistication of the cybercrime business might be a surprise, the increasing sophistication of cybercrime technology is not, Cisco researchers say. In just months, Cisco has seen a growing number of attacks that exploit the latest and most popular technologies on the Web, including social networks, Twitter, and SMS, the report notes.

"They're recognizing how people behave," Hattar says. "When I go places these days, I seldom have the time to open up my laptop " a lot of users' communication is done on their PDAs and smart phones. We're seeing a lot of activity in SMS and related technologies, where [cybercriminals] are taking advantage of the way users behave."

At the same time, new wrinkles in attack strategy are spreading faster than ever, Olechowski observes. "We're seeing the criminals go after the other criminals, stealing their code and their methods," he says. "If something works, you can bet it will spread, one way or the other." In some cases, new cybercrime developments are likely aided by criminal syndicates or even foreign governments that may bankroll the R&D, Olechowski observes.

And there are more players in cybercrime than ever, thanks largely to the economic downturn that has cost many IT workers their jobs, Cisco says. The new report includes and interview with a botnet administrator who is struggling to make ends meet by making what he can by building and selling botnet services. And as companies lay off more workers " and bring in contractors, temporary workers, and outsourcing firms " the security problem is likely to get worse, Hattar says.

What can be done to manage the cybercrime problem? Hattar says Cisco is encouraged by President Obama's efforts to put cybersecurity at the top of the federal government's agenda, which may eventually bring more attention " and more money " to the issue. Until then, she says, vendors and enterprises need to find ways to work together more closely.

"What we did with Conficker " forming a working group to research and develop answers for it " is a good example of what we can do," Hattar says. "We have to realize that cybercrime is not a stand-alone business anymore " and if the bad guys are going to work together more, we're going to have to work together more to stop them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights