Kicking the stool out from under the cybercrime economy

Put simply, cybercrime, especially financial malware, has the potential to be quite the lucrative affair. That's only because the bad guys have the tools to make their work quick and easy, though. Cripple the automated processes presented by certain malware platforms, and suddenly the threats -- and the losses -- aren't quite so serious.

CSO Online had the opportunity to chat with Shape Security's senior threat researcher, Wade Williamson, at this year's Black Hat conference, and he offered a brief background of these types of popular malware platforms before putting the threat landscape into perspective.


Williamson maintains that, despite its perceived "downfall," Zeus is still one of the most popular botnet platforms out there, and that's for a number of reasons. For one, the source code for Zeus previously leaked, allowing people who know how to code to more or less build on top of it for free. Also, it was one of the most common building blocks for many of the high-profile pieces of malware that came after it; it's the very reason that it can be difficult to distinguish between Citadel and Zeus, for example. Ultimately, Zeus served as the "innovative wedge" that can be seen in man-in-the-browser financial malware today.

That said, there's a new up-and-comer in town in the form of Pandemiya.

"If you rewind about six years ago, SpyEye was actively marketing and saying, 'We're better than Zeus,'" says Williamson. "But they eventually merged and then you got iterative changes on top of the Zeus codebase. Pandemiya, on the other hand, is the new entrant and you're starting to see it challenge the monolith [Zeus]."

Be it Pandemiya or Zeus, however, the goals behind them are more or less the same. According to Williamson, there are two major branches to attack strategies now. The first is working on making the botnet harder to take down, which some coders have accomplished by implementing P2P communication between the bots.

"It used to be that C&C servers are the brain behind this big botnet and everyone wants to take that down," says Williamson. "But now botnets are using P2P communication, so there is no central server. They spread over the machines themselves, just like a P2P network, and it becomes hard to root this thing out even if you knew who was behind it."

The other branch has less to do with the older approach of password theft and more about automating the transfer of money, which is where Williamson says the "state of the art" technology is now.

"Pandemiya and Zeus are all ultimately about automation and the man-in-the-browser process," he says.


While it used to be easy for attackers to hit victims with a man-in-the-browser attack and simply wait for a login, banks got wise to the practice and implemented secondary authentication mechanisms; it was no longer enough for attackers to just acquire usernames and passwords. As such, they had to adopt a different approach.

"I'm in this guy's browser, I can just wait until he completes all authentication, and then I'm going to be on the inside," says Williamson. "Eventually, he's going to send money to someone else. If you can automate that transaction, it makes it impossible to discern what's real and what's the bot." 

So how exactly is this done? Because the malware owns the browser, it injects a bit of JavaScript that looks the same as what information coming from a legitimate, uncompromised browser looks like. Breaking that piece of the automation, says Williamson, is the key to mitigating the problem.

"From the bank's perspective, I can't just tell my customer to go away," he says. "Being able to selectively break an automation is the key for disrupting these attacks. It's true of anything that uses automation, like DDoS."

What the good guys can do is effect change at the website level, changing the underlying markup code of the website each time it loads without changing the user interface. This way the website always looks the same to the user and their experience isn't disrupted, but the code supporting it looks different, thus stumping the botnet on the infected machine. After all, automation needs the page to be predictable to automate against it; if it can't figure out how to put in a username and password and hit the submit button, automation doesn't work anymore.

"So now your botnet that knows what to do when it gets to, say, Bank of America, sees this and says, 'This is gobbledygook' and doesn't know what to do," says Williamson.

The economy of cybercrime

Like the malware itself, what the economy of cybercrime comes down to is automation: attackers can make money quickly and easily because with botnets, they don't have to do the heavy lifting. And the bad news for the good guys is that defending networks from such attacks is an arduous process.


"If you can automate one of these attacks, it's the reason 10 guys can make millions a month because scripts are doing work in the background," says Williamson. "And for someone defending networks, every small change from an attacker makes you go back to square one, write a signature for it, etc. Every time a web server burps with a new piece of malware, you have to go reanalyze it."

The trick then is to turn the tables and put all of the hard work on the side of the attacker. By crippling automated processes -- by constantly changing website code, for example -- the attackers are now the ones being forced to constantly do the hard cerebral work as they go back to square one and manually adjust their game plans. Suddenly, cybercriminals are raking in less money over time and their economy begins to crumble.

"If you can force someone to rewind to 10 years ago where they have to do everything themselves, it kicks the stool out from under a lot of attacks," says Williamson. "How do I monetize stolen credit cards? How do I know if they've logged into their bank? If you can't deal with those sites automatically, everything deescalates."

By way of example, Williamson explained that when a target is breached and criminals get their hands on stolen credit cards, their value on the black market jumps substantially -- say, from 20 cents to anywhere from 40 to 80 dollars apiece -- once they have been verified. It's what gives the stolen cards value, so criminals have an automated process to determine whether or not the cards are, in fact, verified.

"So let's say they take a thousand of those cards and go to the Red Cross and make a one dollar donation with each of them," says Williamson. "It's something that people aren't going to notice. They make the donations and say, okay, 900 out of 1,000 of them worked. So when they sell the cards, they say that the cards are from this area in the country and they have a 90% success rate. People pay a really high premium for [a rate that high]."


The key, then, is breaking that verification process, since that's where all the value in the cybercriminal economy gets generated. To do so, defenders need to take advantage of the fact that the entire process is automated; again, without changing the GUI of the site in question, the ID of field names can be changed to a random string, ensuring that each user interaction is unique. This, of course, breaks the automated process when it can't find the fields that it's attempting to fill out.
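The markup-rewriting defence described above (first for the login page, then for the field-ID randomisation that breaks card-testing scripts) can be sketched as a small server-side step. This is an added illustration, not Shape Security's product or any code from the article: it assumes a constructed login form, a hypothetical server secret, and derives a per-load alias for each field name from a nonce carried in a hidden input, so the page renders identically to the user while a script that hard-coded last week's field names no longer finds them.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample form standing in for a bank's login page (not a real site).
LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '<button type="submit">Sign in</button>'
    '</form>'
)

# Hypothetical server-side key; in practice load it from a secrets store.
SERVER_SECRET = b"replace-me-with-a-real-random-key"
CANONICAL_FIELDS = ("username", "password")


def field_alias(nonce, field):
    """Derive an unpredictable per-load name for a canonical field."""
    mac = hmac.new(SERVER_SECRET, f"{nonce}:{field}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]


def render_form(html, nonce=None):
    """Rewrite every name="..." attribute so the markup differs on each load.

    Nothing the user sees changes; only attribute values the browser never
    displays are replaced. The nonce travels back in a hidden field.
    """
    nonce = nonce or secrets.token_hex(8)

    def swap(match):
        return f'name="{field_alias(nonce, match.group(1))}"'

    rewritten = re.sub(r'name="([A-Za-z_]+)"', swap, html)
    hidden = f'<input type="hidden" name="_n" value="{nonce}">'
    return rewritten.replace("</form>", hidden + "</form>"), nonce


def restore_fields(submitted):
    """Map a POST body back to canonical names; None if the aliases don't fit."""
    nonce = submitted.get("_n")
    if not nonce:
        return None
    restored = {}
    for field in CANONICAL_FIELDS:
        alias = field_alias(nonce, field)
        if alias not in submitted:
            return None  # a script replaying stale field names ends up here
        restored[field] = submitted[alias]
    return restored
```

A browser that simply submits the form it was served passes `restore_fields` unchanged; a script using the names it recorded on an earlier visit gets nothing through, which is the "zero for a thousand" outcome Williamson describes.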

"If you think about this in the context of testing credit cards, the script says, 'Put in the number here, address, hit submit, and if I get a good verify back, I know it works,'" says Williamson. "And since nothing was ever submitted, it looks like they went zero for a thousand."

Stories by Grant Hatchimonji