Organised, sneaky and out to get you. Cybercriminals have never been more dangerous.

Cyber-criminals have had companies and various law enforcement bodies on the run for years. As the law closes in, so the frontline changes, and the target moves. It’s an arms race of colossal proportion. And it’s happening in your back yard.

Speaking at the RSA Security conference in London last year, representatives from the US’ FBI and the UK’s Serious Organised Crime Agency (SOCA) gave enthralled delegates the lowdown on the underground economy, an RSA representative outlined the makeup of a cyber-crime organisation, and Verizon Business’ forensics managing principal Matt van der Wel shattered some cosy illusions.

Wake up!

While the industry has long held that insiders are responsible for most data leaks, according to Van der Wel (quoting Verizon Business’ Data Breach Investigations Report 2009), external sources were responsible for 74 percent of data breach cases last year, while insiders accounted for 20 percent, and 32 percent occurred via partners (i.e. third parties that have access to a company’s systems). The overlap, he says, comes in where multiple parties were involved in a single breach. What’s more worrying is that 90 percent of the breaches investigated were attributed to organised crime activity. And last year’s case load saw some 285 million records stolen, more than the previous four years’ combined total of 230 million.

Black-market tools


Botnets, says Keith Mularski, Supervisory Special Agent at the FBI’s Cyber Initiative & Resource Fusion Unit, are infected computers. “Different botnets do different things for criminal schemes. Proxy botnets like Xsoz and Ligats let criminals engage anonymously. Torpig, ZeuS/ZBot etc. are used to steal information. Web hosting of phishing sites on botnets uses things like fast fluxing, which rotates DNS and where it is hosted. Srizbi, Harvester and Cutwall are used for spam, and Conficker and the like are droppers.”

Bulletproof hosting facilities, he says, are either rogue ISPs or people running space on co-location facilities lending services out to criminals specifically. These are difficult to shut down because the facilities use mirrored web hosting and change IPs every 15 minutes using a botnet.
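The two paragraphs above describe fast flux: the hostname of a phishing site or bulletproof host is rotated across bot IPs every few minutes. The script below is an added illustration, not code from the article or from any of the agencies quoted; it scores hostnames from passive-DNS style observations constructed for this example (the 10.x.x.x and documentation-range addresses are invented, and the 15-minute rotation mirrors the interval mentioned above). The thresholds in is_fast_flux are assumptions chosen to separate the sample data, not published detection rules. The point it makes is the one a defender needs: a short TTL alone is not evidence of flux, since CDNs also use short TTLs, so the score combines IP diversity, network (/24) diversity and TTL.

```python
"""Flag fast-flux-style DNS behaviour from (constructed) resolution observations."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Observation:
    ts: int      # epoch seconds when the lookup happened
    name: str    # hostname that was queried
    ttl: int     # TTL carried on the answer
    ips: tuple   # A records returned in this answer


def _obs(name, ttl, start, step, answers):
    """Build one Observation per answer, spaced `step` seconds apart."""
    return [Observation(start + i * step, name, ttl, tuple(a)) for i, a in enumerate(answers)]


# Constructed sample data, not real resolutions. The first hostname behaves like a
# fluxed phishing host: every 15 minutes (900 s) a different set of bot IPs from
# unrelated /24s is returned. The second behaves like a CDN (short TTL, but only
# two stable IPs in one /24). The third is an ordinary static host.
OBSERVATIONS = (
    _obs("update-secure.example", 120, 0, 900, [
        ("10.11.1.5", "10.22.7.9", "10.33.4.17"),
        ("10.44.2.8", "10.55.9.1", "10.11.1.5"),
        ("10.66.3.3", "10.22.7.9", "10.77.5.6"),
        ("10.88.1.1", "10.44.2.8", "10.99.6.2"),
        ("10.33.4.17", "10.66.3.3", "10.12.8.8"),
        ("10.13.5.5", "10.55.9.1", "10.14.2.2"),
    ])
    + _obs("cdn.example", 60, 0, 60, [("203.0.113.10",), ("203.0.113.11",)] * 3)
    + _obs("www.example", 3600, 0, 3600, [("198.51.100.5",)] * 3)
)


def is_fast_flux(metrics, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed thresholds: many distinct IPs, spread over several /24s, with short TTLs."""
    return (metrics["unique_ips"] >= min_ips
            and metrics["unique_nets"] >= min_nets
            and metrics["avg_ttl"] <= max_ttl)


def summarise(observations):
    """Per-hostname metrics: IP and /24 diversity, mean TTL, and how often the answer set changes."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)

    summary = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.ts)
        ips = {ip for o in obs for ip in o.ips}
        nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
        # flip_rate: fraction of consecutive answers whose IP set differs from the previous one.
        flips = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
        flip_rate = flips / (len(obs) - 1) if len(obs) > 1 else 0.0
        metrics = {
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "avg_ttl": mean(o.ttl for o in obs),
            "flip_rate": flip_rate,
        }
        metrics["flagged"] = is_fast_flux(metrics)
        summary[name] = metrics
    return summary


def flagged_names(observations):
    """Hostnames whose resolution pattern meets the fast-flux heuristic."""
    return sorted(n for n, m in summarise(observations).items() if m["flagged"])


if __name__ == "__main__":
    for name, m in summarise(OBSERVATIONS).items():
        print(f"{name:24} ips={m['unique_ips']:2} nets={m['unique_nets']:2} "
              f"ttl={m['avg_ttl']:5} flip={m['flip_rate']:.2f} flagged={m['flagged']}")
```

Note that cdn.example has a flip rate of 1.0 (round-robin answers alternate) and a 60-second TTL, yet is not flagged because it only ever returns two addresses in one network; that is the false positive a TTL-only or churn-only rule would raise.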

Rogue AV or scareware involves criminals convincing users that their machines are infected with something and getting them to download malware, or useless software, for a fee. The malware can then be used to send the user’s information back to the criminal, and to infect the computer with other viruses.

“There’s a whole economy out there,” says Van der Wel, adding that the market for credit card records has been flooded, resulting in a drop in price from between $10 and $16 per record two years ago to around $0.50 today.

“As supply has increased and prices fallen, criminals have had to overhaul their processes and differentiate their products in order to maintain profitability,” he notes.

How do they do this? By changing their game. The tools of the trade? Botnets, bulletproof ISPs, digital currencies, networks of collaborators, mules, and increasingly sophisticated technology (see boxes).

The basic modus operandi is simple. A harvester uses a combination of the above tools to get, for example, credit card records. He then sells these (via online forums) to fraudsters who will make purchases online and send the goods to mules who send them on to the fraudster. If he has stolen banking records and has access to cash, then money, not goods, is sent to the mule instead.

It takes two

“It takes more than a single fraudster,” says Uri Rivner, head of new technology, identity protection and verification at RSA Security. “There is the harvesting side of operations and the cash-out side.”

On the harvesting side are the techies who manufacture malware and viruses and so on, and the fraudsters who harvest information like credit card records.

But the harvesters won’t be the ones using this information, he says, “because if you’ve stolen credit card information, you aren’t going to go shopping and send the goods to your own home. You need an operation to cash out these credentials.

“Cash,” he states, “is a totally different skill set requirement. It involves managing an operation. You need a network of collaborators. You need mules.”

“Mules,” he says, “are recruited as part of ‘legitimate business activity’. Criminals will send a job ad to a legitimate site, recruiting logistics managers, for example, to work two to three hours a day from home. It looks real. The company site is there. In the case of one operation, Air Parcel Express, we had a look at the back end. Within two months about 1 900 people had replied to the scam. They were told they’d receive PlayStations, etc. from e-commerce sites and all they had to do was call a courier company to come pick up the box.”

They also send money transfers to mules, telling them to take the money minus their commission and wire the rest to a drop. The transfer is done using an international wire agency, which is why these are known as Western Union drops. This process allows criminals to send money out of a country, to the cash-out side of the operation.


“When the mule doesn’t pay?” he says. “Use a stolen credit card to send them a coffin with their name on it, to scare them (flowers included).” The two sides of the operation don’t know each other, he notes. “They use fraud forums and chat rooms to communicate.”

This is a competitive marketplace, he states, with many components in various operations and a variety of service providers. You need to stand out and develop good business relationships. Advertising helps too, as Andy Auld, Head of Intelligence, e-Crime Department, SOCA, points out.

Many criminals advertise their services in forums and chat rooms like the now-defunct CarderPlanet and ShadowCrew. “CarderPlanet established the blueprint for how internet crime is conducted,” says Auld.

“Administrators at the top of the chain control entry to the site and also run an escrow service (buyers deposit funds, which are released when both parties are happy). Beneath them are senior members with moderator status on the forums; beneath them are moderators specifically for discussions; then reviewers (sometimes trusted senior members, other times moderators/admins) who perform quality control on the vendors.

If vendors (the guys who harvest and sell information) want to sell on the forum, they have to submit to peer review first. If they meet the requirement, they get ‘recognised’ status.”

“There are 50 major fraud forums,” says Rivner. “This is where you establish your credibility long-term. There are Russian-speaking fora, English-speaking fora, each with thousands of members.” Access to forums is very strictly by invite only, and credentials must be proven.

Hard cash

Credentials are equally important on the cash side of the business. Says Auld: “They’re all fraudsters so there’s not much trust between buyers and sellers.”

As a result, payment processors like Web Money, Liberty Reserve and Pecunix have sprung up.

“These all offer an anonymous account, instant payments worldwide, are cheaper by and large than conventional systems and payments made through them can’t be revoked,” he says. “The dominant system used is WebMoney, a Russian system, with servers in Moscow, registered in Panama.

The payment processors are reliant on the relaxed approach their host countries have to financial systems and reporting,” he adds.

Criminals also make extensive use of digital currency exchangers – someone franchised to buy and sell currencies at a small fee to themselves, he says. “So a fraudster in the US who wants to trade with a Vietnamese vendor will transfer $500 to the exchanger via Western Union, and notify them of this. They will then deposit the money into the fraudster’s WebMoney account so that the fraudster has the money to arrange the trade, usually via ICQ/Jabber. Once the parties have agreed on price, quality and delivery, the fraudster sends money to the vendor, and the vendor transfers the information in return. The vendor has digital currency though, and needs real currency, so he then goes to the exchanger, transfers digital currency into their account and they send back hard currency.”

Looking ahead

“You need to get into the system between the fraudster and the end-user,” Rivner says. “The key is to have flexible, dynamic threat counter mechanisms, because threat is dynamic. Losses have not increased at the same rate fraud has because financial services are adapting too.

“The new frontier for criminals expanding beyond the financial sector is the enterprise,” he warns. “Look at consumers with infected machines. Most are employees. How many work for financial services, government, the military? So they act as consumers at home, get infected and bring the machine to work. An infected computer is now behind the firewall.

“Thousands of corporate laptops are already infected,” he says, “information now on ZeuS or Sinowal databases (see box) includes VPN credentials, blueprints, financial reports, all sitting in the garbage bin because the syndicates aren’t interested; they want online banking information. They’re getting interested though. And they have realised they’re sitting on a pot of gold in terms of accessing networks through infected machines.”

From a law enforcement perspective, says Keith Mularski, Supervisory Special Agent at the FBI’s Cyber Initiative & Resource Fusion Unit: “The problem is bigger than FBI and the like. We need to leverage industry relationships. The industry has the information. It’s under attack, not the FBI. And we need to work with industry to understand where the criminals are going.”


The Trojan Guide

While the cyber-crime market relies on tools for sale, some trojans cannot be bought. Says Uri Rivner, head of new technology, identity protection and verification at RSA Security: “Sinowal and Silent Banker are two big organised crime organisations (and trojans) you can’t buy a kit for. ZeuS, a master boot record trojan that can’t be removed even with a hard disk wipe, you can buy for $1 000. Some versions are free. You can buy 1 000 infected machines for $23. If you want exclusive access to a machine, you pay $130.

“Limbo used to be very popular but died due to ZeuS. Its code was leaked and fraudsters made it an open source project.

“Sinowal was connected to the Russian Business Network. The trojan infected 300 000 machines between 2006 and 2008, and stole 600 000 credit card credentials. Infection today is ten times higher than last year. We’re seeing it across every trojan and region. Fraudsters follow up on the latest vulnerabilities and automatically exploit new ones,” Rivner says. The Russian Business Network, says Andy Auld, Head of Intelligence, e-Crime Department, SOCA, was an organised crime syndicate with an e-crime component. Based in St Petersburg, it had the judiciary and the police in its pocket.

“One third of all hosting on RBN was pay-per-view child pornography. The remainder was hosting malware systems and botnet command and control. It was an ISP purpose built for and operated by criminals.

“An international effort (including the FBI, SOCA, Dutch and French agencies) shut them down. Our investigations suggest it’s now back in business,” he adds.
