Chasing Online Criminal Ghosts
By Ericka Chickowski | Posted 2008-08-22
For those online criminals who are not limited by the law, regulation and security technology, the ways of making money with online scams, identity theft, and hacking are limited only by criminal creativity. There is a thriving underworld of online criminals who are having a major impact on the lives of the innocent and those trying to protect themselves in the age of security.
Just as in the everyday criminal world, the cybercriminal population is made up of a network of lone wolves and organized criminals. Some of the solo artists truly are in it for themselves, but many more are contracted specialists or thugs hired out to do dirty work. Often they are the “face” of a much more shadowy organization that’s hired them—the honchos live in obscurity by distributing the workforce, a sort of militaristic “need-to-know” work model that covers the connections.
“Like any other organized crime [group], they have few people at the very top where the money is being funneled up to, and as you go down to the bottom of the hierarchy, there are lots of foot soldiers. They even advertise for particular technical skills,” says Paul Ferguson, advanced threat researcher for Trend Micro. “You've got one guy doing Apache security mods [modifications that are hacks, in this case, of the Apache Web server], and another guy is doing social engineering campaigns, and another guy is writing SMTP mailers [email spam], and another guy is doing money-mule operations and work-at-home schemes.”
A lot of this bottom-level work is done piecemeal, contracted out to various foot soldiers, he says, who often have multiple projects going on at once for several ‘employers.’
“So one of them may be part of one operation and part of [a second] operation and part of another operation all at the same time,” he says. “It’s really confusing that way to identify who's pulling the strings.”
Making things even more complicated for researchers are the solo artists who hide out in the open. These individuals may not necessarily commit crimes, but they’ll enable them by writing malcode and selling it to other criminals. For example, take Mr. Brain, a hacker known for developing phishing kits for criminals who lack the technical skills or the initiative to develop their own theft tools.
“His name is a brand. His kits are of the highest quality,” says Don Jackson, director of threat intelligence at SecureWorks. “Mr. Brain became famous when he introduced a ‘free’ phishing kit. Instead of paying for it, you get a free kit—but what he didn’t tell you is that hidden in the code of the kit, whatever information your victim types into your phishing site, he gets a copy of. So the way you paid for your kit was [that] you got a copy of everything [that] you convinced people to enter into your site.”
Jackson says that even though Mr. Brain is collecting all of this information, researchers have been unable to pinpoint when and where he’s been using it. He walks the streets of Morocco a free man because the government there is not as cooperative as some in cracking down on hackers like him.
Similarly, there’s another hacker in China who runs a studio that takes credit for developing the popular Trojan Grey Pigeon. This nasty bit of code has been used prolifically by bad guys in China and across the globe to steal information and subvert government systems.
“He is very public, he has his own blog up, but he doesn't sell his wares publicly anymore because he has a standard set of clients. His clients are really the ones [who] are doing the damage, but he supplies them [with] the tools,” Jackson says. “His clients are much more shadowy, whereas he is very open. He says, ‘No, these are legitimate tools; nothing I'm doing is illegal.’ But we know that he does not have a full-time job and makes lots of money. Basically we see his fingerprints on these customized backdoor programs that are used in attacks all the time.”