Cybercriminals are just businessmen at heart

Cybercrime today is a full-fledged business with executives, middle managers and workers who depend on a variety of service providers to keep the illicit operations humming, a new study shows.

Supporting these criminal enterprises that mirror legitimate commercial enterprises is a shadow underground of chat rooms, Web portals and marketplaces for finding and hiring people and buying or leasing malware, exploit code and botnet-building tools, says the 2013 Cybercrime Report from Fortinet.

Also ready to lend a hand are tech consultants and hosting providers ready to turn a blind eye in return for payment.

The upshot of all these resources for building, deploying and running botnets is that "anyone can make a quick buck without having to be technically adept," the report says.

"This has led to an explosion in monthly malware volumes, which are three times greater than four years ago," it said.

The organizational structures of these illicit businesses are eerily close to those of legitimate companies. Executives make decisions, oversee operations and are generally responsible for keeping everything running smoothly.

"Once they get the operation off the ground, they then move to a business development role and hand off the dirty work to the infantry and are not involved with launching attacks," the report says.

[See also: Cybercrime 'much bigger than al Qaeda']

The infantry, comprised of common workers, is typically under the supervision of middle managers recruited through old-boy networks or underground forums. The managers often work with recruiters to hire people to infect machines using a variety of methods, such as email links, poisoned PDFs, compromised Web sites and social-networking links.

To find recruits, ads are placed on Internet job boards, hacking message forums and underground IRC chat rooms. There are also invitation-only, help-wanted portals that typically originate from Russia, Fortinet says. These portals provide all the tools new recruits need, including malware, URLs to support forums, payment rates and instructions on how to receive payment after completing a pre-set number of infections.

The botnets run by the criminal groups perform a number of functions. They are used to download malware and to steal credentials and data from bank accounts and social networking sites. Compromised systems can also be used to proxy malicious traffic, house data, encrypt critical data for ransom and generate revenue through click fraud.

A variety of service providers have sprung up to assist these criminal enterprises. Services include high-performance password cracking that charges $17 per 300 million attempts, which take about 20 minutes. These services are often used to crack passwords for online services.

Research-and-development organizations also exist for creating custom-ordered code, fake antivirus software, ransomware, deployment systems and exploit code. The technology can be bought, leased or rented.

Hosting providers are key to the success of cybercriminals, who need locations to store exploit code, malware and stolen data. Typical providers that don't care what's stored on their servers are often found in Russia and China.

Because of fierce competition, mergers and acquisitions are occurring among botnet operators, Fortinet said. The most recent example of a merger was between botnets using the Zeus or SpyEye malware.

With millions of dollars in revenue, criminals need a way to launder money. "Money mules" are used to move cash from one country or bank account to another, using anonymous wire transfer services, such as Western Union, Liberty Reserve, Ukash and WebMoney, Fortinet says. Small batches of money are usually transferred to avoid triggering anti-money-laundering laws.

Like all business owners, cyber-criminals need to keep track of key metrics. In the case of criminal enterprises, that includes the number of infected machines, how many accounts have been cracked and how much money has been taken from the accounts.

To track everything from software development to accounts payable, criminals use commercial business process management software, financial systems, databases and Web portals.

To combat the problem, Fortinet recommends countries and law enforcement go much further than simply taking down large botnets, which has been the focus of recent efforts by tech companies working with the courts.

Fortinet hopes the report demonstrates the need for global cooperation on controlling central elements of illicit operations, such as domain registration. "It (the study) illustrates why regional efforts are likely not sufficient to block a global threat," Patrick Bedwell, vice president of products for Fortinet, said in an email.

While taking down botnets isn't a final solution to cybercrime, such operations are certainly a setback for criminals and hurt their bottom line. Microsoft, for example, has been particularly active. In September, the company pulled the plug on the Nitol botnet, which had been spreading malware since 2008.

In March, Microsoft won court approval for seizing the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years through bank fraud and identity theft. Other botnets crippled or taken down by Microsoft over the last two years include Waledac, Rustock and Kelihos.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Stories by Antone Gonsalves