Cybercrime, Cosa Nostra-Style

Finjan report paints insider picture of today's cybercrime organization

A new report sheds some light on the structure and inner workings of today’s cybercrime organization based on online communication with resellers of stolen data.

The Finjan "Q2 Web Trends Security Report" says cybercrime is no longer the domain of just loosely affiliated hackers trading stolen booty online. Instead, hierarchical cybercrime organizations operate in a manner akin to traditional organized crime, from the Godfather mob boss all the way down to the foot soldiers.

Yuval Ben-Itzhak, CTO at Finjan, says the Mafia is an apt analogy for how organized cybercrime operates. The main finding from Finjan’s investigation of the underground economy is that it is becoming highly organized and stratified, with the big boss several layers removed from the actual hack and the sale of the stolen data.

Finjan researchers posed as potential buyers of stolen data and communicated directly with several resellers via ICQ Messenger sessions. “That really helped us to confirm and create this report... It shows how well they are organized,” Ben-Itzhak says.

Ben-Itzhak says the resellers said they didn’t know exactly how the data was stolen, but that they were willing to put the Finjan researchers in touch with their “boss,” who had information on how the data was collected. The researchers weren’t able to pinpoint the geographic location of the resellers. “We don’t know where they are from... We could tell their English was broken, but we don’t know where they are,” he says.

Finjan concluded that the boss of a cybercrime organization acts as the entrepreneur (and keeps his hands clean). Next in line is the underboss, who manages the operation, provides the Trojans for attacks, and oversees the command and control of Trojan attacks.

Then come the campaign managers, who use their own “affiliation networks” to attack systems and steal data, which is then sold by the resellers, according to Finjan. The bad guys get rewarded for their business successes: The campaign manager, for instance, gets paid a commission for the number of users he successfully infects.

Cybercrime expert Guillaume Lovet, senior manager for the threat response team at EMEA Fortinet Technologies, says that, although the report does an important job of raising awareness on cybercrime, it really doesn't break any new ground on the underground economy, and that other researchers have previously made similar contact with the bad guys.

Lovet took issue with the Mafia analogy used by Finjan, noting that command-and-control doesn’t manage infections as the Finjan report said -- it controls botnets. “The C&C does not manage and control infection campaigns. It controls resulting botnets -- it's a different thing,” Lovet says. “And yes, botnets have a central command... just like a legitimate business. Or the Navy.”

Among the report's other findings: cybercrime organizations launch “campaigns,” independent attacks, each run by its own group of attackers and often aimed at a particular type of Website.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
