Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Report: Cybercriminals Take Lessons From Business School

Online bad guys building specialized businesses along with sophisticated marketing and distribution strategies, Cisco study says

They follow business plans and marketing plans. They can respond quickly to new sales opportunities. They specialize, they share data, and they form partnerships. They compete on an open market, offering performance guarantees, 24-hour customer support, and service level agreements.

Oh, there's one thing that separates these savvy enterprises from others, though " their primary product is cybercrime.

The increasing sophistication of cybercriminals " both at the technical and financial levels " is a key theme of a new midyear security reportpublished today by the research team at Cisco Systems.

The report, which analyzes security trends over the past six months, indicates that cybercrime is becoming an increasingly sophisticated economy that, in many ways, mirrors conventional industries. Rather than trying to do everything themselves, cybercriminals are beginning to specialize in specific attacks or functions " such as botnet operation or spam campaigning " and attempting to differentiate themselves in an increasingly-competitive market with branding, customer support, and service guarantees.

"What's remarkable to us is the growth in sophistication that we've seen developing recently," says Marie Hattar, vice president of network systems and security at Cisco. "All of the practices we learn about in business school " cybercriminals are practicing them now. They're basically ripping off all of the best practices of marketing and business development from legitimate companies and applying them to their own market."

The report notes that cybercriminals are now responding with tremendous speed to exploit "business opportunities," such as public interest in the swine flu virus or the death of Michael Jackson. In each case, spam and malware distribution campaigns appeared within days, even hours, of the events, exploiting users' curiosity to drive traffic, Cisco researchers observe.

More significantly, cybercriminals are finding ways to partner and outsource specific aspects of their campaigns, the researchers state. The recent links between Conficker and Waledac " two separately-developed, botnet-driven exploits " suggest that cybercriminals have found ways to build partnerships that combine to help infections spread more quickly or work more effectively.

"We're seeing more specialized services being offered in the cybercrime marketplaces," says Scott Olechowski, a Cisco security researcher. "You can have a service scan your malware with a variety of different antivirus packages to see whether it will be blocked. You can hire a service to do CAPTCHA breaking, so that you don't have to do it yourself. You can hire out these services and simply Paypal them the money."

Cybercriminals are also developing more sophisticated methods of marketing and distribution, the researchers say. Many attackers are becoming adept at manipulating search engine results so that their malicious sites appear at the top of the results page, Hattar notes. Other cybercriminals are using traditional marketing strategies to sell their wares, offering customer support lines, performance guarantees, and service level agreements via underground forums, marketplaces, and auction sites that let them advertise their capabilities.

"We haven't gone as far as to buy these services and test out their customer service, but my guess is that a lot of these "customer service" offers are 100 percent bogus," Olechowski says. "It's hard to imagine cybercriminals having a 24-hour help line. But they do make the services look a lot more attractive to a potential buyer."

While the increasing sophistication of the cybercrime business might be a surprise, the increasing sophistication of cybercrime technology is not, Cisco researchers say. In just months, Cisco has seen a growing number of attacks that exploit the latest and most popular technologies on the Web, including social networks, Twitter, and SMS, the report notes.

"They're recognizing how people behave," Hattar says. "When I go places these days, I seldom have the time to open up my laptop " a lot of users' communication is done on their PDAs and smart phones. We're seeing a lot of activity in SMS and related technologies, where [cybercriminals] are taking advantage of the way users behave."

At the same time, new wrinkles in attack strategy are spreading faster than ever, Olechowski observes. "We're seeing the criminals go after the other criminals, stealing their code and their methods," he says. "If something works, you can bet it will spread, one way or the other." In some cases, new cybercrime developments are likely aided by criminal syndicates or even foreign governments that may bankroll the R&D, Olechowski observes.

And there are more players in cybercrime than ever, thanks largely to the economic downturn that has cost many IT workers their jobs, Cisco says. The new report includes and interview with a botnet administrator who is struggling to make ends meet by making what he can by building and selling botnet services. And as companies lay off more workers " and bring in contractors, temporary workers, and outsourcing firms " the security problem is likely to get worse, Hattar says.

What can be done to manage the cybercrime problem? Hattar says Cisco is encouraged by President Obama's efforts to put cybersecurity at the top of the federal government's agenda, which may eventually bring more attention " and more money " to the issue. Until then, she says, vendors and enterprises need to find ways to work together more closely.

"What we did with Conficker " forming a working group to research and develop answers for it " is a good example of what we can do," Hattar says. "We have to realize that cybercrime is not a stand-alone business anymore " and if the bad guys are going to work together more, we're going to have to work together more to stop them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9431
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
CVE-2020-9432
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9433
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9434
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-6383
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.