
E-criminals are increasingly modelling their activities on mainstream business practices. Business Management looks at the gangs putting the ‘organised’ into organised crime.
Recruiting and building up teams of specialist employees. Outsourcing elements of your operation. Adapting business models according to the nature of the markets you serve. It could describe any number of companies looking to compete in today’s increasingly global economy, but this is no ordinary enterprise – indeed, who would have thought that the concerns of the modern-day crime boss would so accurately mirror those of your average company manager?
According to the latest Symantec Internet Security Threat Report released last month, the business model for e-crime is becoming “increasingly mature” and major criminal gangs are now creating efficient global teams of criminals able to work across a variety of scams and attacks. This new generation of internet criminals is fast becoming “business professionals”, says the report, establishing a mature and consolidated underground network. For instance, when the infamous Russian Business Network – implicated in widespread malicious activity over the past two years – dropped offline in November last year in response to pressure from upstream internet service providers, it re-emerged in China a mere week later. “This rapid relocation indicates quite how prepared attackers are to adapt on the fly,” says the study. “They even have backup servers for when law-enforcement agencies or ISPs threaten to shut down their existing operations.”
Clearly the days of rogue hackers penetrating corporate and government systems for notoriety alone are long gone, and the new threats come with a much more sinister intent. So what has changed to drive this shift in the global crime markets? Many experts believe it is a straightforward case of supply and demand. When asked why he targeted banks, legendary thief Willie Sutton’s answer was simple: “Because that’s where the money is.” Much the same could be said today of the internet. The proliferation of e-commerce makes scamming unsuspecting banks and customers a lucrative proposition, and in response criminal gangs are evolving into adaptable, innovative and hyper-efficient entities in order to maximise the available opportunities. In fact, many of them are now working to strategic business models, along the lines of any orthodox corporate strategy.
“For some time we have seen that e-criminal gangs are becoming more professional and targeted in their activities, but now it appears they are taking a leaf out of legitimate business practices in their efforts to defraud and steal,” says Richard Archdeacon, Senior Director of Symantec Global Services. “We have found that they have not only established and maintained an effective underground economy, but have also managed to build it into one with a mature business model that is capable of dealing with change. Some of these methods would not be out of place in a current MBA textbook teaching the next generation of business leaders – but instead we find some of the most up-to-date business methods being used to great effect within the world of global organised crime.”
Employment of specialists
Almost two-thirds of all the malicious code threats Symantec has ever identified were created during 2007, and the report attributes much of that volume to the consolidation of formerly separate malicious activity into coordinated networks. It is this degree of specialisation that provides the first area of concern. “The specialisation of production of goods and services is an indication of a mature, consolidated economy,” suggests the Symantec report.
Specialised production of goods and services means that individuals will focus on one specific task or job, which is generally done for two reasons: because an economy has evolved enough that individuals can successfully specialise in a specific area; and to take advantage of the economic efficiencies presented when one individual or group performs only one activity.
For instance, a group of specialised programmers can create a larger number of new threats than a single malicious code author, bringing about economies of scale and, therefore, an increased return on investment. Many of these threats can be used for financial gain by performing actions such as stealing confidential information that can be sold online. These proceeds can then be used to pay the programmers to continue creating new threats. The combination of these factors results in a high volume of new malicious code samples that threaten users online. “This is reflective of the increased ‘professionalisation’ of malicious activity, which has created sufficient demand to create a niche of professional malicious code developers,” says Archdeacon.
Another example of this specialisation of goods and services is the apparent rise of certain countries as leading centres of specific malicious activities. For example, the report cites Romania as home to the third most phishing websites globally (accounting for five percent of all phishing websites detected) and the most phishing websites in EMEA, with 46 percent of the region’s total. Although it ranked 35th worldwide and 16th in EMEA for overall malicious activity, it ranked 15th in the world for phishing hosts (the report counts the machines serving phishing sites separately from the phishing websites themselves) and had the 10th highest number of phishing hosts in EMEA. “It would seem that the amount of phishing based in Romania is disproportionately high relative to the overall malicious activity originating there, indicating that phishing is the most common malicious activity originating in Romania and that attackers there may be specialising in that activity,” suggests the report.
Such findings are borne out by numerous reports that indicate that Romania has become a growing source of online fraud. There is a well-established tradition of computer skills in the country dating back to the early 1980s, and these skills, combined with the slow economic growth in Romania since the fall of communism and the ensuing lack of employment opportunities, may have led to an increase in phishing activity.
The outsourcing model
With teams of criminal specialists cropping up around the world, each developing skills suited to their own country, e-criminals are also increasingly outsourcing work to countries where those specialised skills are found. China, for example, accounts for four percent of the worldwide total of phishing websites – part of a trend for attackers to relocate operations to regions in which security practices, legislation and/or infrastructure are not particularly well developed.
“The specialised production of malicious goods and services is often made possible by the development of an outsourcing model of malicious activity,” explains Archdeacon. Outsourcing is the practice of having people or organisations outside the organisation perform certain services, usually done to maximise economic efficiencies or to acquire skills that may not otherwise be available to the organisation.
Automated phishing toolkits are another example of outsourcing. A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing websites that spoof the legitimate websites of different brands, including the images and logos associated with those brands. Phishing toolkits are developed by groups or individuals and are sold in the underground economy. These sophisticated kits are typically difficult to obtain and expensive, and are more likely to be purchased and used by well-organised groups of phishers than by individual opportunists. The three most popular phishing toolkits that Symantec tracked in the second half of 2007 were responsible for 26 percent of all phishing attacks, down from the first half of 2007, when the three most popular toolkits were responsible for 42 percent of all phishing attacks. Furthermore, two of the three most popular toolkits tracked by Symantec in the first half of 2007 were no longer commonly used in the second half of the year. These numbers indicate that the popularity of individual toolkits changes quickly, reflecting the need for phishers to adapt in order to evade anti-phishing filters that learn to recognise a kit’s output. The churn during this reporting period also indicates that the number of toolkits is increasing and that attackers are using a greater variety of them, so that the total volume of attacks is spread over more kits.
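A kit-generated clone of a brand’s login page tends to leave tells that an anti-phishing filter can score: the page names a brand it is not hosted by, it hotlinks the brand’s own logo images, and its password form posts to a collector script elsewhere. The scorer below, added here as an illustration and not taken from the article or from Symantec’s tooling, checks for those three signals in a page body. The brand-domain table and both sample pages are constructed for the example; real filters would use a much larger brand list and further signals.

```python
"""Heuristic phishing-page scorer (added example; not the article's or Symantec's code).

Signals checked, each a common tell of a toolkit-cloned login page:
  1. the <title> names a brand, but the page is served from a host that is
     not one of that brand's own domains;
  2. images are loaded from the impersonated brand's domain (hotlinked assets);
  3. a form containing a password field posts to a host other than the one
     serving the page (the kit's off-site collector script).
BRAND_DOMAINS and the two sample pages are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand table: brand keyword -> domains the brand legitimately serves from.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example", "login.examplebank.example"},
}


class _PageScan(HTMLParser):
    """Collects the title, form actions, password-field presence and image hosts."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.form_actions = []
        self.has_password_field = False
        self.image_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "img":
            host = urlparse(a.get("src") or "").hostname
            if host:
                self.image_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _is_brand_host(host, domains):
    """True if host equals or is a subdomain of one of the brand's domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_page(page_url, html):
    """Return (score, reasons): one point per suspicious signal found in the page."""
    scan = _PageScan()
    scan.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        served_by_brand = _is_brand_host(host, domains)
        if brand in scan.title.lower() and not served_by_brand:
            reasons.append(f"title names {brand} but page served from {host}")
        hotlinked = sorted(h for h in scan.image_hosts if _is_brand_host(h, domains))
        if hotlinked and not served_by_brand:
            reasons.append(f"images hotlinked from {brand} domain(s): {hotlinked}")
    if scan.has_password_field:
        for action in scan.form_actions:
            # A relative action (no hostname) posts back to the serving host.
            action_host = (urlparse(action).hostname or host).lower()
            if action_host != host:
                reasons.append(f"password form posts off-host to {action_host}")
    return len(reasons), reasons


# Constructed samples: a kit-generated clone and the legitimate login page.
PHISH_URL = "http://secure-update.example.net/eb/login.php"
PHISH_HTML = """<html><head><title>ExampleBank Online Banking</title></head>
<body><img src="https://examplebank.example/img/logo.png">
<form action="http://collect.example.org/post.php" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

LEGIT_URL = "https://login.examplebank.example/"
LEGIT_HTML = """<html><head><title>ExampleBank Online Banking</title></head>
<body><img src="/img/logo.png"><form action="/auth" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for url, body in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        score, reasons = score_page(url, body)
        print(f"{url}: score={score}")
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the clone scores three (brand mismatch, hotlinked logo, off-host password form) and the legitimate page scores zero. The same churn the report describes applies here: once a filter keys on a signal, kit authors bundle the logos locally and post forms to a same-host relay, which is why such scores are combined with blocklists and reputation data rather than used alone.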
Try-before-you-buy
Another key trend is the rise of variable pricing offers, such as buy-one-get-one-free and try-before-you-buy deals. Driven by supply and demand, the second half of 2007 witnessed supermarket-style pricing deals and even the giving away of free teaser samples of data, enticing buyers to come back and buy more. In addition, Symantec observed bulk pricing, where criminals were offering 50 credit card numbers for around $40 but 500 credit card numbers for only $200 – roughly 80 cents a card against 40 cents.
Symantec observed that the cost of full identities depended on the location of the identity. As with bank accounts and credit cards, EU identities were advertised at prices 50 percent higher than US identities, indicating that demand for these identities was higher than for those based in the United States. Along with their availability, this may also be due to the flexibility of their use, since EU citizens can travel and conduct business across the region with few or no border checks. This flexibility may be useful to criminals who could use the identities easily across all EU countries.
Pricing on the underground economy also appears to be subject to value-added incentives. For instance, bank account information for accounts that included higher balances (such as business accounts) and EU accounts were advertised for considerably more. Furthermore, in some cases, bank accounts that bundled in personal information – such as names, addresses and dates of birth – were advertised at higher prices than those without this extra information.
Adaptable business models
But perhaps the quality that best reflects the modern criminal organisation’s embrace of strategic business initiatives is the flexibility now inherent in its operations. When a model is no longer effective, any business would look at other ways of sourcing the information it requires – and this is exactly what Symantec has observed in the underground economy. For instance, following several recent high-profile reports of lost credit card data, card issuers are monitoring transactions more diligently, reducing the window of opportunity for criminals to exploit stolen cards. With this in mind, the underground economy has changed its business model and attackers are now seeking different sources of financial information, such as bank account credentials or complete identities.
“A mature, consolidated economy is characterised by the development and implementation of specific business models that are suitable to the prevailing conditions in the economy,” says Archdeacon. “Symantec has observed that organisations and individuals currently operating within the underground economy appear willing and able to change their business models or adopt new ones in response to changes in the threat landscape.”
Of course, we shouldn’t necessarily be surprised that criminal organisations are borrowing our business models as they seek to gain a competitive edge – after all, as entrepreneurs of a different sort, cyber criminals have long had an eye on the opportunities that blending technology with crime can bring. Nevertheless, the growing sophistication of such groups means that combating attacks and guarding against potential threats is only likely to get harder. Increasingly, companies will be competing with multiple criminal ‘competitors’ on the security front just as they compete with their more legitimate business rivals in the boardroom. “The relative maturity and adaptability of the underground e-crime circuit is shocking,” concludes Archdeacon. The e-crime movement is gathering momentum. Businesses everywhere beware.
By the numbers
In the last six months of 2007, Symantec detected 499,811 new malicious code threats, a 136 percent increase over the previous period when 212,101 new threats were detected and a 571 percent increase over the second half of 2006. In total, Symantec detected 711,912 new threats in 2007 compared to 125,243 threats in 2006, an increase of 468 percent. This brings the overall number of malicious code threats identified by Symantec to 1,122,311 as of the end of 2007. This means that almost two-thirds of all malicious code threats currently detected were created during 2007.
(Black) market trends
In the second half of 2007, credit cards were the second most commonly advertised item on underground economy servers, accounting for 13 percent of all advertised goods. This was a decrease from 22 percent in the first six months of 2007. The decrease in credit cards being advertised may be due to several reasons. With several recent high-profile reports of lost credit card data, card issuers may be more diligent in monitoring customers’ card activity and quicker to inform customers of suspicious transactions, reducing the window of opportunity for criminals to exploit stolen cards.
It is also becoming more difficult to cash out credit cards as many wire transfer companies and currency exchange services do not accept them as a form of payment for all countries. Because of this, attackers may be seeking different sources of financial information. Likely as a result, bank account credentials, including account numbers and authentication information, were the most frequently advertised item during this period, making up 22 percent of all goods. This was a slight increase from 21 percent in the first half of 2007.
Rising demand for IT security workers in the Middle East
• 2001: No separate security division existed within most major corporations in the region
• 2002: Basic security engineers first hired, sitting within the IT department, on an average salary of US$1000 p/m
• 2003: IT security departments established as separate entities within the IT department; salary of an IT security manager around US$3000 p/m
• 2004/2005: The IT security department started to stand by itself, no longer reporting to the IT department but to internal audit and the chief financial officer; salary of an IT manager around US$6000 p/m
• 2006: Market demand for security personnel increased dramatically, and because of the shortage of IT security personnel within the country, salaries saw their highest rise; poaching of staff within the country became a major issue. Salary for an IT security manager was approximately US$9000 p/m
• 2007: Because of the high level of poaching of skilled IT staff, companies started to look outside the country for supply, offering packages of over US$11,000 p/m
• 2008: Salaries for some skilled IT security staff expected to reach US$15,000 p/m
Source: Oger Systems