Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Stolen Data's Black Market

Organized crime is chief buyer for information stolen by hackers and insiders, experts say

Computer crime is changing, experts agree. The Web-wide attack, designed to prove the hacker's proficiency, is out. The targeted attack -- designed to make a buck for the hacker or insider who initiates it -- is in, in, in.

So who's targeting your enterprise? And what's your data worth? Many IT people may be surprised at the answers, experts say.

The "black market" for stolen computer data is growing by leaps and bounds, according to experts who study computer crime and corporate espionage. "Before 1998, about 90 to 95 percent of all intrusions were done by individuals hacking out of curiosity," says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix law firm. "That's entirely flipped now. I'd say 75 to 85 percent of all malicious attacks are coordinated by some organized group, even if it's a very loose organization."

"We're seeing a rapid growth in cooperative attacks, where an insider works in concert with some sort of external source to make a financial gain," says Brian Contos, chief security officer at ArcSight and author of the new book, Enemy at the Water Cooler, which outlines some of the recent trends and exploits in corporate computer crime. "It's not just hackers looking randomly for easy points of entry -- these are attacks on specific companies."

And although big-name companies and financial institutions are the most obvious targets, smaller and lesser-known organizations are on the hit list, too, Contos says. "Almost any company has some sensitive data that's valuable [to criminals]," he says. "A customer list can be used by a competitor or an identity thief. We've seen criminals hack into hospital systems just to get the Social Security numbers of the newborns. There's no one, obvious group of organizations that hackers are targeting."

The types of criminals who attack corporations are similarly diverse, experts say. There are still plenty of independent hackers out on the Web -- just look at the recent Black Hat and Defcon conferences -- who might sell vulnerabilities or stolen data by putting them up for auction.

"You can buy a rootkit for $75 that will give you all of the advice, logos, and templates you need to execute a phishing attack on the customers of a specific bank," observes Michael Rothschild, director of marketing at CounterStorm, which makes tools that help enterprises prevent insider attacks. Worms and viruses invented by independent hackers still make up a huge portion of the damage done to corporations each year, Pierson notes.

But the visibility of these individuals and their exploits sometimes belies the growing, but largely unpublicized threat from organized criminals who buy data from hackers or insiders and sometimes contract with them to collect data from a specific corporation, experts agree.

"There is a growing interest from organizations, like the Russian or Italian mafias, which basically just see stolen data as another revenue stream, like drugs or prostitution," says Pierson. "But when I say 'organized,' I don't just mean those groups. I also mean loose associations of people who may combine their efforts to make money from the data."

Pierson gives the example of stolen customer credit card data, which is sometimes handled by multiple individuals in a joint effort. While credit card information might be collected through the collaboration of phishers and spammers, that data might then be passed to "cashers" who forge credit cards that use the numbers. Then those cards will be passed out to a network of "mules" who use the cards for small purchases -- the kind that might not be immediately detected by the victim -- and thrown away. Then the syndicate of players might sell the account information to another buyer, just as the parts of a stolen car might be resold. The person or group that organizes the syndicate gets a cut from all of the players.

"Often, it takes an organized group to really maximize the financial gain from a [data theft]," Pierson says. A similar sort of "syndicate" might be formed to fence stolen business secrets or customer lists to competitors, or to other nations or terrorist groups, he says.

What do criminals pay for this data? Not nearly as much as you'd think. "You can buy a hacked credit card on the Web for as little as $10," says Rothschild.

Contos relates a case in which an individual used botnets to install adware on user computers for a full year, accounting for more than a million installations. "In all that time, and with all the trouble he caused, he only made about $30,000," he says.

In a recent study of 150 cases of alleged spying on key U.S. data sources, the federal government found that 26 percent of the spies accepted between $10,000 and $100,000 to do their dirty work, Contos says. Eleven percent accepted less than $1,000.

"You'd think it would cost millions to get someone to sell out their country," Contos says. "But that's not necessarily the case."

Pierson says that criminals often keep the price of their exploits low so they can avoid detection and make choices easy for corporations. For example, an extortionist might develop the means to launch a denial-of-service attack against a major search engine but only ask for $50,000 in ransom.

"If you're a site like Amazon or one of the big organizations that might lose $5 million in less than an hour of downtime, it's a pretty easy choice to pay a relatively small ransom like that and avoid all of the negative publicity," he says. Although Pierson's firm has handled many legal cases involving hackers, corporate espionage, and extortion, "we have never had a case that involved more than $200,000 paid to the alleged criminal," he says.

In fact, Pierson says the vast majority of computer crimes committed against corporations never see the light of day. "We estimate that only about 8 percent of the cases ever make it to the point where a company seeks assistance from outside counsel," he says. "And even then, sometimes companies call us, and then decide not to pursue it."

Most of the time, companies prefer to settle their computer crime cases without consulting law enforcement, and sometimes without even consulting their own legal counsel, Pierson says. External hackers may be paid off; insiders may be disciplined or dismissed; and in some cases, the crime is never detected.

Although there are cases in which external hackers break into an enterprise they find attractive, most targeted attacks involve some help from an insider, experts say. In many cases, the insider is an employee who feels slighted by the organization and is receptive to an inquiry from a targeted hacker, or goes out looking for a place to sell the information.

"There have been cases where an employee was coerced or blackmailed into participating, but according to the data I've seen, 69 percent of insiders said they just did it for the money," says Contos. "It's not a very surprising conclusion, but greed is usually the main motivator."

— Tim Wilson, Site Editor, Dark Reading

  • ArcSight Inc.
  • CounterStorm Inc.

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
    Nicole Ferraro, Contributing Writer,  8/3/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-15058
    PUBLISHED: 2020-08-07
    Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
    CVE-2020-15059
    PUBLISHED: 2020-08-07
    Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
    CVE-2020-15060
    PUBLISHED: 2020-08-07
    Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
    CVE-2020-15061
    PUBLISHED: 2020-08-07
    Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
    CVE-2020-15062
    PUBLISHED: 2020-08-07
    DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.