Cybercrime, Cosa Nostra-Style

Finjan report paints insider picture of today's cybercrime organization

A new report sheds some light on the structure and inner workings of today’s cybercrime organization based on online communication with resellers of stolen data.

The Finjan "Q2 Web Trends Security Report" says cybercrime is no longer the domain of just loosely affiliated hackers trading stolen booty online. Instead, hierarchical cybercrime organizations operate in a manner akin to traditional organized crime, from the Godfather mob boss all the way down to the foot soldiers.

Yuval Ben-Itzhak, CTO at Finjan, says the Mafia is an apt analogy for how organized cybercrime operates. The main finding from Finjan’s investigation of the underground economy is that it is becoming highly organized and stratified, with the big boss several layers removed from the actual hack and the sale of stolen data.

Finjan researchers posed as potential buyers of stolen data and communicated directly with several resellers via ICQ Messenger sessions. “That really helped us to confirm and create this report... It shows how well they are organized,” Ben-Itzhak says.

Ben-Itzhak says the resellers said they didn’t know exactly how the data was stolen, but that they were willing to put the Finjan researchers in touch with their “boss,” who had information on how the data was collected. The researchers weren’t able to pinpoint the geographic location of the resellers. “We don’t know where they are from... We could tell their English was broken, but we don’t know where they are,” he says.

Finjan concluded that the boss of a cybercrime organization acts as the entrepreneur (and keeps his hands clean). Next in line is the underboss, who manages the operation, provides the Trojans for attacks, and oversees the command and control of Trojan attacks.

Then come the campaign managers, who use their own “affiliation networks” to attack systems and steal data, which is then sold by the resellers, according to Finjan. The bad guys get rewarded for their business successes: The campaign manager, for instance, gets paid a commission for the number of users he successfully infects.

Cybercrime expert Guillaume Lovet, senior manager for the threat response team at Fortinet Technologies EMEA, says that, although the report does an important job of raising awareness of cybercrime, it doesn't break any new ground on the underground economy, and that other researchers have previously made similar contact with the bad guys.

Lovet took issue with the Mafia analogy used by Finjan, noting that command-and-control doesn’t manage infections as the Finjan report said -- it controls botnets. "The C&C does not manage and control infection campaigns. It controls resulting botnets -- it's a different thing,” Lovet says. “And yes, botnets have a central command... just like a legitimate business. Or the Navy."

Among the other findings in the Finjan report: cybercrime organizations launch “campaigns,” independent attacks, each run by its own group of attackers and often aimed at a particular type of Website.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...