Cybercrime services

August 29, 2008

An international criminal gang has pulled off one of the most audacious cybercrimes ever, stealing the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds. A previously unknown Indian hacker breached the defenses of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.1

The hacker bypassed the system's security software and placed a Trojan on one of the Best Western machines used for reservations. The next time a member of staff logged in, her username and password were captured and stored. "Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60% of threats out there," explains Jacques Erasmus from Prevx.1 (For more details on this aspect, see our October 2007 article Why the anti-virus industry will need to change.)

The stolen login details were then put up for sale on an underground website operated by a notorious branch of the Russian mafia that specializes in internet crime and offers heavily guarded, untraceable, no-questions-asked hosting for criminal activity. Once the credentials were online, experts estimate that it would take less than an hour to write and run a software bot (a simple computer program) capable of harvesting every record on Best Western's European reservation system.1

The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that requires a modicum of skill. That was true until recently, when several online services emerged that promise to help would-be cyber crooks graduate from common street dealers to distributors overnight.2

Such is the aim of web sites which, for a small fee, will take whatever malware you provide and inject it into a pre-selected number of PCs already compromised and under the thumb of the service owners.2 For $100, you can have your malware loaded onto 1,000 PCs around the globe, or 10 cents per compromised machine. You merely tell the site the URL where your malware is hosted, pay for the service with Webmoney, and sit back and wait for your soon-to-be-infected machines to start sending you their passwords and other sensitive data.2

And the criminals are diversifying into different venues. For online businesses, positively identifying someone by name or physical location is extremely difficult, so many Internet firms seek to verify the identity of customers by requesting scanned copies of their driver's licenses, passports, or utility bills. Online services now exist aimed at creating counterfeit versions of these documents. For roughly $35, you provide the site with the type of document or credential you're seeking and the identifying information you want to appear on it, and the site produces a very authentic-looking digital image that appears to be a scanned copy of said item.3

The biggest factor driving the emergence of this new service economy is the obvious one: an explosion of online banking and shopping, coupled with consumers' increasing willingness to disclose personal information over the internet. For those with the technical skills, opportunities for exploitation are richer than ever before.4

But something else is happening, too. Those gifted hackers are now enabling the far larger market of wannabes whose deficient skills would otherwise shut them out of the cybercriminal enterprise system.4

Perhaps more troubling is that despite the increasingly sophisticated methods cybercriminals use to steal data, those who actually solicit and use the stolen information are relative amateurs with little idea of how to secure their ill-gotten data. Often, stolen data is stored unprotected on servers that anyone with a Web browser can reach. It is not uncommon for data stored on crimeware servers to have no access restrictions at all, allowing search-engine crawlers to index the log files just as they index other public information on the Internet. As a result, passwords, Social Security numbers and other sensitive information end up in public search-engine caches such as Google's.5

By creating services for those people, hackers can generate huge profits without actually committing fraud. Gold prospectors may or may not strike it rich, but folks selling pans and pickaxes make a heck of a living either way. What surprises some experts about this new service economy is just how innovative and vibrant it has become. The hackers code at a PhD level. Their solutions to problems are creative and efficient. They respond to market conditions with agility. Their focus on customer service is intense. If this loose collective of criminal hackers were a company, it would be a celebrated case study of success.4

1. "Revealed: 8 million victims in the world's biggest cyber heist", Sunday Herald, August 26, 2008

2. "Web Fraud 2.0: Distributing Your Malware", The Washington Post, August 22, 2008

3. "Web Fraud 2.0: Digital Forgeries", The Washington Post, August 21, 2008

4. "The Cybercrime Service Economy", Harvard Business Publishing, February 1, 2008

5. "Data thieves get focused (but buyers get sloppy)", Computerworld, June 18, 2008