Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Report: Cybercriminals Take Lessons From Business School

Online bad guys building specialized businesses along with sophisticated marketing and distribution strategies, Cisco study says

They follow business plans and marketing plans. They can respond quickly to new sales opportunities. They specialize, they share data, and they form partnerships. They compete on an open market, offering performance guarantees, 24-hour customer support, and service level agreements.

Oh, there's one thing that separates these savvy enterprises from others, though " their primary product is cybercrime.

The increasing sophistication of cybercriminals " both at the technical and financial levels " is a key theme of a new midyear security reportpublished today by the research team at Cisco Systems.

The report, which analyzes security trends over the past six months, indicates that cybercrime is becoming an increasingly sophisticated economy that, in many ways, mirrors conventional industries. Rather than trying to do everything themselves, cybercriminals are beginning to specialize in specific attacks or functions " such as botnet operation or spam campaigning " and attempting to differentiate themselves in an increasingly-competitive market with branding, customer support, and service guarantees.

"What's remarkable to us is the growth in sophistication that we've seen developing recently," says Marie Hattar, vice president of network systems and security at Cisco. "All of the practices we learn about in business school " cybercriminals are practicing them now. They're basically ripping off all of the best practices of marketing and business development from legitimate companies and applying them to their own market."

The report notes that cybercriminals are now responding with tremendous speed to exploit "business opportunities," such as public interest in the swine flu virus or the death of Michael Jackson. In each case, spam and malware distribution campaigns appeared within days, even hours, of the events, exploiting users' curiosity to drive traffic, Cisco researchers observe.

More significantly, cybercriminals are finding ways to partner and outsource specific aspects of their campaigns, the researchers state. The recent links between Conficker and Waledac " two separately-developed, botnet-driven exploits " suggest that cybercriminals have found ways to build partnerships that combine to help infections spread more quickly or work more effectively.

"We're seeing more specialized services being offered in the cybercrime marketplaces," says Scott Olechowski, a Cisco security researcher. "You can have a service scan your malware with a variety of different antivirus packages to see whether it will be blocked. You can hire a service to do CAPTCHA breaking, so that you don't have to do it yourself. You can hire out these services and simply Paypal them the money."

Cybercriminals are also developing more sophisticated methods of marketing and distribution, the researchers say. Many attackers are becoming adept at manipulating search engine results so that their malicious sites appear at the top of the results page, Hattar notes. Other cybercriminals are using traditional marketing strategies to sell their wares, offering customer support lines, performance guarantees, and service level agreements via underground forums, marketplaces, and auction sites that let them advertise their capabilities.

"We haven't gone as far as to buy these services and test out their customer service, but my guess is that a lot of these "customer service" offers are 100 percent bogus," Olechowski says. "It's hard to imagine cybercriminals having a 24-hour help line. But they do make the services look a lot more attractive to a potential buyer."

While the increasing sophistication of the cybercrime business might be a surprise, the increasing sophistication of cybercrime technology is not, Cisco researchers say. In just months, Cisco has seen a growing number of attacks that exploit the latest and most popular technologies on the Web, including social networks, Twitter, and SMS, the report notes.

"They're recognizing how people behave," Hattar says. "When I go places these days, I seldom have the time to open up my laptop " a lot of users' communication is done on their PDAs and smart phones. We're seeing a lot of activity in SMS and related technologies, where [cybercriminals] are taking advantage of the way users behave."

At the same time, new wrinkles in attack strategy are spreading faster than ever, Olechowski observes. "We're seeing the criminals go after the other criminals, stealing their code and their methods," he says. "If something works, you can bet it will spread, one way or the other." In some cases, new cybercrime developments are likely aided by criminal syndicates or even foreign governments that may bankroll the R&D, Olechowski observes.

And there are more players in cybercrime than ever, thanks largely to the economic downturn that has cost many IT workers their jobs, Cisco says. The new report includes and interview with a botnet administrator who is struggling to make ends meet by making what he can by building and selling botnet services. And as companies lay off more workers " and bring in contractors, temporary workers, and outsourcing firms " the security problem is likely to get worse, Hattar says.

What can be done to manage the cybercrime problem? Hattar says Cisco is encouraged by President Obama's efforts to put cybersecurity at the top of the federal government's agenda, which may eventually bring more attention " and more money " to the issue. Until then, she says, vendors and enterprises need to find ways to work together more closely.

"What we did with Conficker " forming a working group to research and develop answers for it " is a good example of what we can do," Hattar says. "We have to realize that cybercrime is not a stand-alone business anymore " and if the bad guys are going to work together more, we're going to have to work together more to stop them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-02
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
PUBLISHED: 2020-04-01
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...