Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:40 AM
Connect Directly

Cybercrime, Cosa Nostra-Style

Finjan report paints insider picture of today's cybercrime organization

A new report sheds some light on the structure and inner workings of today’s cybercrime organization based on online communication with resellers of stolen data.

The Finjan "Q2 Web Trends Security Report" says cybercrime is no longer the domain of just loosely affiliated hackers trading stolen booty online. Instead, hierarchical cybercrime organizations operate in a manner akin to traditional organized crime, from the Godfather mob boss all the way down to the foot soldiers.

Yuval Ben-Itzhak, CTO at Finjan, says the Mafia is an apt analogy for how organized cybercrime operates. The main findings from Finjan’s investigation of the underground economy is that it’s becoming very organized and stratified, with the big boss several layers away from the actual hack and sale of stolen data.

Finjan researchers posed as potential buyers of stolen data and communicated directly with several resellers via ICQ Messenger sessions. “That really helped us to confirm and create this report... It shows how well they are organized,” Ben-Itzhak says.

Ben-Itzhak says the resellers said they didn’t know exactly how the data was stolen, but that they were willing to put the Finjan researchers in touch with their “boss,” who had information on how the data was collected. The researchers weren’t able to pinpoint the geographic location of the resellers. “We don’t know where they are from... We could tell their English was broken, but we don’t know where they are," he says.

Finjan concluded that the boss of a cybercrime organization acts as the entrepreneur (and keeps his hands clean). Next in line is the underboss, who manages the operation, provides the Trojans for attacks, and oversees the command and control of Trojan attacks.

Then come the campaign managers, who use their own “affiliation networks” to attack systems and steal data, which is then sold by the resellers, according to Finjan. The bad guys get rewarded for their business successes: The campaign manager, for instance, gets paid a commission for the number of users he successfully infects.

Cybercrime expert Guillaume Lovet, senior manager for the threat response team at EMEA Fortinet Technologies, says that, although the report does an important job of raising awareness on cybercrime, it really doesn't break any new ground on the underground economy, and that other researchers have previously made similar contact with the bad guys.

Lovet took issue with the Mafia analogy used by Finjan, noting that command-and-control doesn’t manage infections as the Finjan report said -- it controls botnets. "The C&C does not manage and control infection campaigns. It controls resulting botnets -- it's a different thing,” Lovet says. “And yes, botnets have a central command... just like a legitimate business. Or the Navy."

Among other findings in the Finjan report: cybercrime organizations launch “campaigns,” independent attacks each with their own groups of attackers, often targeting certain types of Websites, for instance.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Finjan Software Inc.
  • Fortinet Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Tor Weaponized to Steal Bitcoin
    Dark Reading Staff 10/18/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    State of SMB Insecurity by the Numbers
    Ericka Chickowski, Contributing Writer,  10/17/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-23
    Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
    PUBLISHED: 2019-10-23
    XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
    PUBLISHED: 2019-10-23
    XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response cap...
    PUBLISHED: 2019-10-23
    An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring.
    PUBLISHED: 2019-10-23
    An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.