Chasing Online Criminal Ghosts

By Ericka Chickowski  |  Posted 2008-08-22

In today’s technical environment, one of the common threats executives hear about is the organized criminal out to break into corporate systems for profit, not notoriety. Security experts have been sounding warnings over stealthy attacks perpetrated by sneaky crooks for several years now, to the point where some executives might think they’re being scared unnecessarily by overinflated stories.

But these bad guys are not bogeymen. They haven’t been dreamed up by the CSO to scare upper-level executives into fattening the security budget. A whole ecosystem of criminals does exist—most of them silently getting richer off the mistakes of enterprises and their customers. To fight them, we must first understand how they work.

Hierarchy of Online Crime Sophistication

For people who aren’t limited by little things like laws and regulation, the ways of making money online are limited only by criminal creativity. Drawing an analogy to real-world robbers, some run simple smash-and-grabs at the local 7-11, and others orchestrate intricate jewelry heists and steal away into the night.

“There’s definitely a hierarchy in the types of activities that happen in online crime. I would put things like 419 scams [an advance-fee fraud, usually by Nigerian fraudsters] on the lower end of it; they are very easy to mount, and you don’t need much technical sophistication to make the attack work,” says Zulfikar Ramzan, senior principal researcher for Symantec. “But as you get into slightly higher levels, you might get phishing attacks, where [the criminals] have to put up a Web site and do a little bit more work to make money. And then, at an even higher level, you have to do more work on developing malicious software and trying to get those on people's machines to steal their credentials that way. That requires even more technical sophistication.”

Then there are those even farther up the evolutionary crime chain. “Even the highest levels beyond that, you start to get to people who are doing very targeted attacks,” Ramzan says, explaining that they’ll often go after high net-worth individuals, key executives at companies, government officials and the like. This, he explains, is a force to be reckoned with, “They are really being very careful about what they are doing, and they're very slick. They go in there, do their work and get back out. They're very much under the radar.”

*Be sure to take a glance at Baseline's slide show 10 Notorious Cyber Gangs.

The higher up the chain of sophistication, the more a business must worry about the bad guys, because they’re the ones who tend to do the most damage. After all, the smash-and-grab robber usually manages to get his paws on only $50 at a time. The jewelry thief steals millions in one go of it.

In this case, the jewels are data stores. They are lists of personally identifiable information to be used for identity-theft scams; they are login and password combos to perpetrate financial theft; and they’re corporate intellectual property to be sold on the black market. Rest assured: The best crooks have been hard at work figuring out more efficient ways to steal them.

Just as in the everyday criminal world, the cybercriminal population is made up of a network of lone wolves and organized criminals. Some of the solo artists truly are in it for themselves, but many more are contracted specialists or thugs hired out to do dirty work. Often they are the “face” of a much more shadowy organization that’s hired them—the honchos live in obscurity by distributing the workforce, a sort of militaristic “need-to-know” work model that covers the connections.

“Like any other organized crime [group], they have few people at the very top where the money is being funneled up to, and as you go down to the bottom of the hierarchy, there are lots of foot soldiers. They even advertise for particular technical skills,” says Paul Ferguson, advanced threat researcher for TrendMicro. “You've got one guy doing Apache security mods [modifications that are hacks, in this case, of the Apache Web server], and another guy is doing social engineering campaigns, and another guy is writing SMTP mailers [email spam], and another guy is doing money-mule operations and work-at-home schemes.”

A lot of this bottom-level work is done piecemeal, contracted out to various foot soldiers, he says, who often have multiple projects going on at once for several ‘employers.’

“So one of them may be part of one operation and part of [a second] operation and part of another operation all at the same time,” he says. “It’s really confusing that way to identify who's pulling the strings.”

Making things even more complicated for researchers are the solo artists who hide out in the open. These individuals may not necessarily commit crimes, but they’ll enable them by writing malcode and selling it to other criminals. For example, take Mr. Brain, a hacker known for developing phishing kits for criminals who lack the technical skills or the initiative to develop their own theft tools.

“His name is a brand. His kits are of the highest quality,” says Don Jackson, director of threat intelligence at SecureWorks. “Mr. Brain became famous when he introduced a ‘free’ phishing kit. Instead of paying for it, you get a free kit—but what he didn’t tell you is that hidden in the code of the kit, whatever information your victim types into your phishing site, he gets a copy of. So the way you paid for your kit was [that] you got a copy of everything [that] you convinced people to enter into your site.”

Jackson says that even though Mr. Brain is collecting all of this information, researchers have been unable to pinpoint when and where he’s been using it. He walks the streets of Morocco a free man because the government there is not as cooperative as some in cracking down on hackers like him.

Similarly, there’s another hacker in China who runs a studio that takes credit for developing the popular Trojan Grey Pigeon. This nasty bit of code has been used prolifically by bad guys in China and across the globe to steal information and subvert government systems.

“He is very public, he has his own blog up, but he doesn't sell his wares publicly anymore because he has a standard set of clients. His clients are really the ones [who] are doing the damage, but he supplies them [with] the tools,” Jackson says. “His clients are much more shadowy, whereas he is very open. He says, ‘No, these are legitimate tools; nothing I'm doing is illegal.’ But we know that he does not have a full-time job and makes lots of money. Basically we see his fingerprints on these customized backdoor programs that are used in attacks all the time.”

Culture of Online Criminal 'Cybergangs'

Just as there are individual technical specialists working for cybergangs, there are very often entire gangs who focus on individual niches. Some might deal only in loading child porn onto unsuspecting victims’ computers for extortion; others might hijack Web sites to hold for ransom. Some are into identity theft and credit card schemes; others break into servers to sell information to those perpetrating identity theft. Often such specialties are broken down by geographic location.

For example, the Russian and Ukrainian gangs are especially known for running profitable identity theft rings, credit card schemes and the like. “The most prolific, the most profitable and probably the most dangerous ones are operating out of Russia and the Ukraine,” says Ferguson.

South Americans, on the other hand, have their own fraudulent financial niche. “While Russia is good at financial fraud and credit carding and that type of thing, the South American Trojans are about automated man-in-the-middle, defeating-two-factor-authentication-type attacks,” Jackson says.

Meanwhile, he says, in Turkey, Morocco and the rest of the Middle East, there is a whole other flavor of criminal misdeed brewing. “It’s a culture of Web site break-in and disablement. The [criminals] trade information on what servers are running what software, what versions and what kind of exploits work against those servers,” Jackson says. “They don’t have to exploit them, because they don't want to tip their hands; but they have lists of them and can tell you exactly how to exploit them when you need to break into a server and use it as a command and control for a botnet.”

Asian hackers, meanwhile, seem to have a penchant for developing custom malcode. This is especially true for Chinese hacking groups, which are often shrouded in more mystery due to the infamous “Great Firewall.” “The names change often; they are just more nebulous and they're a little bit harder for us to track,” Jackson says. “We just don't have as much visibility into their network. So anything they do [internally in] China kind of remains a secret, and it’s hard for us to really track development of specific groups.”

In Asia at large, one of the big trends is in the development of gangs that focus primarily on stealing online gaming credentials.

“Especially in parts of Asia game play is huge, and in some games it takes up to 800 hours of skilled play to get to the top levels, and people don't like that. So there are these companies that say, ‘We'll play for you. Pay us hundreds of dollars, and we'll get you to level 20 or whatever it’s going to be,’ ” says Ken Dunham, director of global response for iSIGHT Partners. “So things purchased within a virtual world have a real monetary value to them, and in fact there have been issues with money being laundered through these programs.”

The key trait that all gangs worldwide have in common is that they are generally out for one thing only: to make a buck. “Most of these operations are geared toward profit. The [gangs] don't want to take down the infrastructure by denial-of-service attacking it off the face of the Earth, because if they take down the infrastructure, it makes it a lot harder to reach into somebody's back pocket without [their] knowing [it], to steal their money,” Ferguson says. “So they'd prefer to fly under the radar as best they can to try to go [as] unnoticed as they can and exploit the opportunity presented to them at any given time.”

Sizing Up Online Criminal Organizations

The truly dangerous element to all of these specialized pockets of crime is the fact that many of them cooperate with one another. Some groups are partnering with others, and certain rings have just always been a part of a greater circle of crooks led by a shadowy figure who might be heading organizations that perpetrate more than just cybercrime.

“You have a lot of smaller bit players who are individuals operating on their own, but I think there's very much a one-sided world in cybercrime where there's a very small number of groups who are responsible for a large percentage of the activity,” Ramzan says.

A lot of the individual crooks and the smaller crews try to make it difficult for researchers to identify them by muddying the waters further—after all, they and their employers make their money from being unobtrusive, and they don’t want their revenue streams interrupted by cops and security sleuths. A larger organization will disassociate itself from its foot soldiers if they are caught. So the organizations constantly switch their online handles, change the names of their groups and so on.

“There will be two or three of them, and later on there’ll be another member, and different members will drop out, or they'll change their name entirely, but it will be the same three guys,” Jackson says.

All of these factors contribute to a sometimes maddening puzzle for investigators sifting through server logs, illicit hacker forums, incident reports and anecdotes from colleagues to put the puzzle pieces together and form a picture of the influential groups on the rise—the ones most likely to strike legitimate businesses and consumers again.

Where does the tail of the tiger end and the body begin? Who’s actually pulling the strings? Who’s the mastermind of an operation? These are questions investigators are constantly looking to answer.

“I wish it were easier, that there [were] some identifiable quote unquote gangs, but unfortunately there's not,” Ferguson says. “Several operations are ongoing [and] have global footprints that are all interconnected. More or less, we’re pretty much referring to the same operatives every time, because a lot of the same guys who are behind some of this stuff have their fingers in multiple pots.”

Of course, all hope is not lost. There are ways to track activity, follow patterns and figure out who’s who, says Ramzan.

“You know when you have a serial killer who has tell-tale signs? It is a similar thing with these groups. Sometimes they have similar signatures we [can use to recognize that] they're the ones responsible for an attack,” he says.

Researchers like Ramzan, Ferguson, Dunham and Jackson are not necessarily trying to put identified cybergangs into a scrapbook with mug shots next to them. In a lot of ways they just need a little bit of definition to help them predict the criminals’ next moves so they can protect customers and the public at large.

While it would be nice, the investigators don’t necessarily need to know a gang’s employee roster or how many people work for it. Sometimes they just need to know what skills these gangs possess. From there they can categorize groups and assess their risk levels.

“It is hard to say [which is] the most dangerous hacking group,” Jackson says. “I think when you're talking about threat agents and cybercrime activity, two big factors in determining who's really the biggest threat are how good are they technically, and their institutional knowledge. If they attack U.K. banks, how well do they know how the U.K. banking systems work and how their online banking services are implemented and where their weaknesses are?”