Once the domain of uber savvy hackers and forward-thinking mafioso,
today’s online crime requires little more than a cursory knowledge of
programming and a downloadable tool kit to get started.
Progressive criminals saw the evolution of technology as a means for
upgrading their own malicious activities. Hackers, crackers, phishers,
pharmers and social engineers used their knowledge stores to one-up the
average individual in a vicious game of ‘you are you but I also can be
you’.
Identity theft was buoyed by the black market’s supply and demand. Yet
even criminal consumers are a fickle lot, and what was valuable last year
is not so lucrative by this year’s standards. According to Bindview’s
RAZOR research team — a group of people focused on incorporating the
latest up-to-date changes in the threat, vulnerability, and regulatory
landscape into Bindview’s products — credit card numbers were worth
approximately $25 each wholesale and $100 each retail in 2002. Fast
forward to 2005 and they’ve dropped to $1 to $5 wholesale and $10 to $25
retail.
Yet ‘products’ such as email addresses weren’t on the map in 2002 but are
currently worth $.01 to $.05 each. A well-programmed bot could find many
hundreds of valid emails a day, turning a tidy profit for black
marketeers.
Criminals themselves saw a shift in who is doing the digital break-ins. A
few years ago, hackers generally were techie types with too much time on
their hands who wanted to make a name for themselves in the hacker
underground. Now, they’re often hackers for hire, making a buck by
stealing corporate information or working hand-in-hand with spammers. And
the kids aren’t missing out on the ‘fun’ either, using plug-and-play
theft kits to make their work easier.
”The ease with which data can be stolen depends on the tools being used
and the thief’s level of sophistication in traversing through the
network,” says Jim Hurley, senior director of RAZOR Research, for
Houston, Texas-based Bindview. ”Creating a breach ranges in difficulty
from being intimately familiar with the innards of OS design,
construction and network protocols to having absolutely no knowledge —
because you don’t need it with the vast availability of pre-built tools.
Sniffers, keyloggers, rootkits, loaders, Trojans and virus kits are but a
few of the many offerings on thousands of accessible sites.”
In the recent past, online theft and criminal activity poured forth from
highly advanced or severely disadvantaged nations. But today’s online
crime is far from being country specific. If you know how to compile a
program, you can make changes to the source code of an application and
make it do something else.
Just as online auctions launched a flurry of overnight entrepreneurs, so
has the prevalence of online crime kits. You don’t need a long list of
contacts to get started on the dark side. Once a would-be criminal has
found themselves some interesting information, it’s not that hard to find
a buyer using Web sites, bulletin boards, IM, email, cell phones and of
course, the very lucrative Web auction ring.
Make no mistake, though the hierarchy has shifted from organized crime
families, it is very much alive in the form of organized Web auction
rings — well-oiled machines that include many layers of people
performing very specific roles and functions. From the top down they
include the inner ring, evaluators, inspectors, enforcers/contacts,
trusted fences and the buyer and seller.
Web auction rings, otherwise known as Web Mobs, have proved to be a very
nasty problem for Federal investigators due to their cross-country
logistics. Once sufficient evidence has been gathered to crack an auction
ring, authorities must work within international boundaries, time zones
and with foreign legal statutes.
”What’s not well known is they’re not in the business of stealing things
and theyre not hackers,” says Hurley. ”It’s best to think of them as a
fence between the buyer and the seller. They’re not technologists and
they don’t care to be, they just want to make sure that their activities
are not traceable and these are the organizations that are operating
around the world.”
So what’s for sale in this more accessible market? Falsified deeds, birth
and death records, letters of credit, health insurance cards, source
code, diplomas and even people are available for the right price. The
anonymity and relative ease of criminal activity is gaining in
attractiveness to the barely skilled programmers looking to cash in.
The modus operandi of today’s cyber criminal includes commonly known
tricks of the trade, starting with the path of least resistance, i.e.,
social engineering. According to Hurley, criminals go after their victims
using a predictable set of steps: reconnaissance, target, evaluate the
environment, install new service or backdoor, cover your tracks, hit pay
dirt and run or decide to hang around to exploit and reuse the target,
keep ownership of the device, or not, and then move on to the next
victim.
With so much information so relatively easy to get to, it’s a feast of
sorts for the would-be Web Mobber. Using established channels spanning
international date lines, and employing thousands of zombie machines,
it’s more difficult than ever to locate these extensive criminal networks
but easier than expected to join one.
Protection
So what can be done to protect our organizations from this type of
infiltration?
”There’s what I’ll call best practices and then there’s reality,” says
Hurley. ”Based on our research over the past two to three years, there
are significant differences in performance results that companies are
experiencing with their security programs. There are some common things
that are done very well among the best-class enterprises suffering the
least amount of breaches and damages. But even having said that, there’s
probably no way to defeat a serious security threat today and it wouldn’t
matter what the tool is. The only way to do that would be to unplug the
computers.”
According to Hurley, the firms that have a good chance of avoiding
victimization are the ones with a very active risk management program in
place. ”An executive team devoted to solving security issues, where the
IT security function isn’t buried in a hole somewhere in IT but rather
implemented as a risk management function, cross-company and
cross-functional.”
Although the U.S. government has been working in concert with
international authorities to painstakingly dismember online Web Mobs, our
indictments are but a grain of sand in the vast amount of criminal
collectives forming and disbanding in a constant game of hide and seek.
Individually, the indictments are a win, but with the ease and prevalence
of online hacking tools and the lucrative nature of buying and selling
through organized Web Mobs, many more will don the black hats as they
continue to cross-over.
The reality of it is that weve only just scratched the surface.