Busting up cybergangs

If cyber is the modern-day Wild West, then black hat hackers are the new outlaws, finding solace in the safe havens of Russia and other countries that don't have extradition treaties with the U.S.

And while some robbers may have traded in their weapons for exploit kits and given up bank robbery for ransomware attacks, the long arm of the law is still using traditional tactics for busting up these cyber gangs, while collaborating with the private sector to implement modern methods to take down criminal enterprises.

With the globalization of the internet and eCommerce over the last twenty plus years, traditional financial crimes have evolved from static physical breaches to dynamic network data breaches, Trend Micro Chief Cybersecurity Officer Ed Cabrera told SC Media.

Cabrera, who served 20 years in the United States Secret Service, with a stint as its CISO, and racked up experience leading information security, cyber investigative, and protective programs in support of the Secret Service's integrated missions before moving to the private sector, says local skimming operations that physically compromise credit card and financial accounts have been overtaken and outdone by international cybercrimes, where attacks on endpoints, networks and cloud infrastructure are carried out remotely to compromise critical data for resale in the Russian underground or, more lucratively, to be encrypted and held for ransom.

The political climate of the mid-1990s helped foster these activities: the fall of the Soviet Union, paired with a growing globalized economy, gave many unemployed former Soviet IT professionals the opportunity to use their skills to create a robust criminal underground, Cabrera said. In addition, Russia provided one of the two necessary keys for cybercriminals to thrive, a physical safe haven, meaning a country with no extradition treaty with the U.S. The second key to a cybercriminal's success is a virtual safe haven: the use of “nics” (nicknames) or handles within these criminal forums, establishing personas based on their criminal activity.

“Russian cybercriminals began their criminal eCommerce marketplace around the growing demand for stolen credit card information,” Cabrera said. “Carding forums and other illicit forums became the go-to places where these cybercriminals could communicate and collaborate, but more importantly monetize their activities.”

Eventually the threat actors moved beyond data breaches and into cyberespionage, which turned into the battle between federal law enforcement and the Russian underground that we know today.

Despite the international and technical nature of these crimes, taking down the cybercriminals and the organizations responsible for these kinds of attacks isn't much different from taking down organized crime in the physical world.

Cabrera described Russia's cybercriminal underground as by far the most mature of all Deep Web undergrounds, having a true reputation economy not unlike what we see on the surface web.

“For these cyber criminals to succeed they need ‘cyber-cred' instead of ‘street-cred',” he said. “This affords them the ability to build trust and move up in these forums and gain access to others, in effect to make more money.”

Networks begin to form similar to the one in Ocean's 11, with each member of the group having a criminal specialty, Cabrera said, and while the forums may have a hierarchy of admins, many of the cybergangs operate on a lateral level, so you can't just cut off the head.

In order to break up these groups, law enforcement needs to act like a cybercriminal, sometimes assuming the identities of already established cybercriminals in order to gain information. As with physical crime, you need a level of penetration into the criminal organization in order to get a foothold in it.

“Just as in traditional organized crime investigations, confidential informants and undercover agents have to gain the trust of the group by committing, or rather looking as though they are committing, criminal activity,” Cabrera said.

One of the biggest challenges is gaining the trust of these individuals, which Cabrera called the connective tissue of the criminal underground. Unlike in other organized criminal groups, trust is not based on fear, intimidation and violence, but is instead gained through reputation and enforced with the FOMO principle, fear of missing out.

Another challenge law enforcement faces when busting up cybergangs is properly identifying the individuals involved. To do this, officials launch online undercover operations that eventually turn into physical undercover operations to identify and arrest the target.

Cabrera said success in these cases is based on building comprehensive target profiles built over many cases and many years. These profiles are then developed through long-term undercover and surveillance operations and enhanced by international law enforcement and security industry partners. Undercover agents then use this information to target and infiltrate key groups.

Many federal investigations end in indictments, but because of international law it becomes a waiting game for the target to travel outside the country if foreign governments aren't willing to work with U.S. law enforcement.

Officials will sometimes use sealed indictments, waiting for the person to travel to a country where extradition is possible before making a move. Often this happens when cybercrooks go on vacation to a country that does have an extradition agreement with the U.S., Cabrera said.

As a result of these targeted takedowns, law enforcement officials end up bringing down not just a few individuals but their entire networks, since a few key threat actors are often behind major criminal enterprises, which collapse once those actors are taken out of the equation. An example of this would be the disappearance of the Angler Exploit Kit and the Lurk banking trojan after the takedown of a Russian cybergang.

And while taking down a cybergang doesn't always stop the use of its services, strategic public-private partnerships between security companies and law enforcement help cripple their activities.

As a result, cybercriminals are often forced to scale down and maintain a lower profile, as with the Neutrino kit, which has scaled back and gone private, catering only to a small clientele.

“In order to make money as a cybercriminal you have to scale,” New York University Assistant Professor Damon McCoy told SC Media. McCoy has studied spamming campaigns and other cybercriminal operations and worked in collaboration with law enforcement agencies to fight cybercrime.

For spamming campaigns, McCoy follows the money trail, collecting technical and financial data to identify key groups and to map the banking infrastructure that criminal organizations are using. He then uses this information to look for patterns that cluster people together.

“If you can cluster things properly, you can forge out the infrastructure they are using,” McCoy said.

McCoy said that there aren't many banks that deal with these cybercriminals, and they are often foreign entities. These findings are then relayed to various law enforcement agencies, which take the necessary action to put pressure on the banks to stop dealing with the cybercriminals.

McCoy said law enforcement will also approach Visa and MasterCard to apply pressure on the banks, for example by increasing fines for payments stemming from cybercrime, among other methods.

“Sometimes it doesn't lead to an arrest but it does force them to drastically change their business model,” McCoy said.