The cybercriminal underground: Commercial sophistication

When tracking a banking phish operation recently, Nick Newman, computer crimes specialist for the National White Collar Crime Center (NW3C), felt a sense of irony about the commercial path the phish had taken.

There was the bot-run email campaign to initially distribute the phish, the realistic login and personal information template screens (complete with the bank's real warning that it would never ask for personal information), and an email “drop” account to which the personal data was sent and retrieved.

All of these processes are individual parts of a malware commercialization process that, experts say, is more adept and agile than anything the good guys have.

“Crimeware networks have better business models than many corporate entities,” says David O'Berry, security chair for the Multi-State Information Sharing and Analysis Center (ISAC), and director of information technology systems and services at The South Carolina Probation, Parole and Pardon Services. “The malware infrastructure is churning so fast that our entire research and development community can't keep up. They're at least 18 months behind the criminals' commercialization cycles.”

While there are many purposes for malware, the bulk of commercialization – spamware, malicious installers, trojans and bots – centers around stealing credit and financial account information, according to a 12-month survey released in November by Symantec. Goods and services for financial and credit account theft came to about $7 billion, according to the report, with 69,130 distinct active advertisers posting an observed 44.3 million ads for goods and services.

Seeking out markets
“Historically, people would build these botnets, set them up and spam, but they'd be limited,” says Patrick Peterson, Cisco Fellow and chief security researcher at IronPort/Cisco. “The spambot guys settled this business problem by going to the illegal pharmacies and saying, ‘Hey, give us a real product to sell and we'll take care of the supply chain, customer support and even the charge-back problems.'”

One of the cases Peterson refers to is GlavMed. Calling itself a distributor, it is associated with Spamit.com and advertises itself to the criminal underground, which in turn advertises to attract knock-off pharmaceutical clients. For those clients, it handles all the malware and infrastructure, the financials, charge-backs, failovers and the percentage-split payouts.

“We estimate that deployment of pharmaceutical malware is bringing in $200 million to $300 million a year in revenues,” says Peterson. “We've counted at least 13 businesses like GlavMed in Russia, all competing for botnets offering higher delivery rates, better terms and quicker payoff.”

This creates more demand for bots, feeding what he and others describe as a sophisticated, ruthlessly capitalistic form of commercialization that is rolling over legitimate organizations' attempts to protect their brands, networks and customers from increasingly sophisticated crimeware.

Take the layers of specialization involved in phishing attacks that started being reported in December, says Amit Klein, CTO of Trusteer. First, a crawler tests for and attacks a vulnerability discovered on a legitimate site. Next, a customized JavaScript waits for a visitor to browse the site – only this time it is looking specifically for users who have other browser sessions open to their online financial accounts. Then there is the drop site, which is usually hosted at a “bulletproof” or untouchable ISP.

Monetizing the credentials represents a whole other layer of the commercialization cycle. Monetization includes the buying, selling or renting of botnets, the buying and selling of stolen credentials, and laundering money out of the stolen accounts – all of which can be handled as a service, or owned by an individual operator on a layer-by-layer basis.

“Malware goods and services can also be leased, rented or sold by the piece, by the infected computer or any way the customer would like to slice and dice,” Klein continues. “It's an amazingly well-developed market.”

Laundering money off the stolen goods is often the sorriest stage of the commercialization process. In many cases, this part of the distribution line for stolen cards and identification information lands back on the lowest end-user, says Ed Lowery, assistant special agent in charge (SAC) for the U.S. Secret Service Criminal Investigative Division.

What Lowery is referring to are money mules, package forwarders and others who fall victim to another wave of spam and web-based campaigns to lure desperate job seekers. Package forwarders are lured into accepting and forwarding packages acquired through stolen accounts. And money mules are commissioned to accept funds from stolen accounts, deposit them in their accounts and transfer them to the criminals' accounts.

Because of jurisdictional and other priorities with physical crimes, law enforcement efforts at shutting down relays and communication lines between developers, buyers and sellers have been difficult to carry out and have had little impact on the wave of crimeware, says NW3C's Newman.

“While a significant amount of spam originates from the United States, most is originating in developing nations. Eastern Europe is a swamp for internet crime, and countries there are very unlikely to extradite,” Newman says.

Internet backbones can aid law enforcement by tracking down and closing accounts for known spammers and crimeware-spreading hosting clients when they're discovered, he continues. For example, when the McColo hosting service was taken down on November 11, 2008, so many spambots went offline that spam volumes plunged 75 percent immediately afterward, according to Sophos' 2009 security report.

“Unfortunately, the break in spam didn't last too long. About six weeks later, it simply transferred botnets to different host providers and was up and running again,” says Sean Dougherty, head architect of SpamTitan, which has a number of backbone clients. “Even when we flag criminal relays for sending spam, it's tough to get them turned off because they chop and change all the time.”

There's no simple answer to how organizations can protect their brands, their employees and their customers against increasingly complex, commercialized cybercrime wares. Diligence in website security, log file monitoring, spam filtering, brand monitoring, user and customer education, endpoint security and network monitoring are some of the security steps recommended by experts.
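The injected-JavaScript layer described by Klein above depends on a script the legitimate site never served, and the "website security" and "log file monitoring" steps recommended here include catching exactly that change. The following is an added illustration (not code from the article or from any vendor quoted in it): it compares the scripts in a page as currently served against a known-good baseline copy, flagging external scripts that load from hosts outside an allowlist and inline scripts whose body is not in the baseline. The baseline page, the "infected" page, the allowlist and the hostnames in them are all constructed for this example.

```python
"""Flag script tags that appear in a served page but not in its known-good
baseline. Added example; the pages and allowlist below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src="...">
        self.inline = []         # sha256 of each inline script body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())


def collect_scripts(html):
    """Return (set of external src values, set of inline script hashes)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return set(p.external), set(p.inline)


def find_injected_scripts(html, baseline_html, allowed_hosts):
    """Return (kind, detail) findings for scripts in `html` that load from a
    host outside `allowed_hosts` or that are absent from the baseline page.
    A relative src (no host) is same-origin and is judged only against the
    baseline."""
    ext, inl = collect_scripts(html)
    base_ext, base_inl = collect_scripts(baseline_html)
    findings = []
    for src in sorted(ext):
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(("external-unknown-host", src))
        elif src not in base_ext:
            findings.append(("external-new", src))
    for digest in sorted(inl - base_inl):
        findings.append(("inline-new", digest))
    return findings


# Constructed sample data: a known-good page and a copy with two extra scripts.
ALLOWED_HOSTS = {"cdn.example-bank.test"}          # hypothetical CDN host

BASELINE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-bank.test/lib.js"></script>
<script>window.cfg = {env: "prod"};</script>
</head><body><p>Welcome</p></body></html>"""

INFECTED = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-bank.test/lib.js"></script>
<script>window.cfg = {env: "prod"};</script>
<script src="//stats-update.invalid/s.js"></script>
<script>/* constructed: inline script not present in the baseline */ var t = 1;</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(INFECTED, BASELINE, ALLOWED_HOSTS):
        print(kind, detail)
```

Run against the constructed pages, the check reports the protocol-relative script from the unknown host and the new inline script, and reports nothing for the baseline compared with itself. In practice the baseline would be captured from a trusted deployment artifact rather than from the live site, since a page fetched after compromise would simply bake the injected script into the baseline.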

“Malware is proliferating so fast and sending out so much white noise, I don't know how we're going to catch up,” adds O'Berry. “It will be interesting to see if we can turn the tables in the future.”


Sidebar: How it's done: Criminal commercial cycle

The following outlines the full commercialization cycle of malicious code. Each step in the cycle is sold chop-shop style, as partial or complete services, including the accounting and sharing of profit.

1. Production of new malicious code.
2. Copying/customization for vertical, geographic and use-specific purposes.
3. Marketing on IRC, bulletin boards, promoting deep discounts.
4. Distribution over email spam campaigns and infected websites.
5. Managing of remote-controlled computer resources, including collection of stolen information at drop sites and anonymous email addresses.
6. Sorting of information and putting it to use.
7. Laundering of money from stolen accounts through “salami slicing” small amounts off tens of thousands of accounts, and launching new email and web campaigns to recruit “mules” for package forwarding and money transfers.
8. Accounting and percentage split.