Cybercrime, Cosa Nostra-Style

Finjan report paints insider picture of today's cybercrime organization

A new report sheds some light on the structure and inner workings of today’s cybercrime organization based on online communication with resellers of stolen data.

The Finjan "Q2 Web Trends Security Report" says cybercrime is no longer the domain of just loosely affiliated hackers trading stolen booty online. Instead, hierarchical cybercrime organizations operate in a manner akin to traditional organized crime, from the Godfather mob boss all the way down to the foot soldiers.

Yuval Ben-Itzhak, CTO at Finjan, says the Mafia is an apt analogy for how organized cybercrime operates. The main finding from Finjan’s investigation of the underground economy is that it is becoming very organized and stratified, with the big boss several layers removed from the actual hack and the sale of stolen data.

Finjan researchers posed as potential buyers of stolen data and communicated directly with several resellers via ICQ Messenger sessions. “That really helped us to confirm and create this report... It shows how well they are organized,” Ben-Itzhak says.

Ben-Itzhak says the resellers said they didn’t know exactly how the data was stolen, but that they were willing to put the Finjan researchers in touch with their “boss,” who had information on how the data was collected. The researchers weren’t able to pinpoint the geographic location of the resellers. “We don’t know where they are from... We could tell their English was broken, but we don’t know where they are," he says.

Finjan concluded that the boss of a cybercrime organization acts as the entrepreneur (and keeps his hands clean). Next in line is the underboss, who manages the operation, provides the Trojans for attacks, and oversees the command and control of Trojan attacks.

Then come the campaign managers, who use their own “affiliation networks” to attack systems and steal data, which is then sold by the resellers, according to Finjan. The bad guys get rewarded for their business successes: The campaign manager, for instance, gets paid a commission for the number of users he successfully infects.

Cybercrime expert Guillaume Lovet, senior manager for the threat response team at EMEA Fortinet Technologies, says that, although the report does an important job of raising awareness on cybercrime, it really doesn't break any new ground on the underground economy, and that other researchers have previously made similar contact with the bad guys.

Lovet took issue with the Mafia analogy used by Finjan, noting that command-and-control doesn’t manage infections as the Finjan report said -- it controls botnets. "The C&C does not manage and control infection campaigns. It controls resulting botnets -- it's a different thing,” Lovet says. “And yes, botnets have a central command... just like a legitimate business. Or the Navy."

Among other findings in the Finjan report: cybercrime organizations launch “campaigns,” independent attacks, each with its own group of attackers, that often target particular types of Websites.

If you'd like to contact Dark Reading's editors directly, send us a message.
