The underground network of hackers and cyber profiteers is under more pressure from law enforcement, reports Deb Radcliff.
The hacker creed used to be: “do no harm.” If hackers did commit crimes, they were minor – trespassing, ‘borrowing’ air and processing time, cheating at contests, maybe leaving a calling card to prove their prowess. Now, the criminal element has moved in to commit all manner of online crime, where the name of the game is harming individuals and organizations.
Some, which we'll call hacks, are selling easy-to-use, push-button tools and services to infect computers, run botnets, phishing sites, spam relays and identity theft rings to commit crimes against website operators and end-users. For a few hundred to a few thousand bucks, they'll kluge together their wares to customer specifications. Then there are the criminals you don't hear much about – the elite “crackers” creating zero-days and keeping them secret so they can attack the most data-rich targets for as long as possible.
“Intruders are coming into organizations where financial data is processed so they can steal massive amounts of data,” says Ed Lowery, assistant special agent in charge (SAC) for the U.S. Secret Service Criminal Investigative Division. “In the TJMaxx case, it started with war driving [searching for Wi-Fi networks by a person in a moving vehicle, using a laptop or PDA] and exploiting the wireless network. Parts of that attack were extremely technical. The criminals were particularly good at covering their tracks.”
During its three-year investigation into the TJMaxx hack, the Secret Service was able to identify who did the hacking, counterfeiting, distribution and sale of the card data – crimes for which the suspected kingpin faces a possible life sentence. The ring included 11 individuals – each with different specialties – from around the world. These folks also are charged with similar hacks against BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Forever21, DSW and Buster's Burgers. Entering first through wireless networks, the attackers proceeded to the payment processing centers, set up sniffers and sent the data out over encrypted channels.
With criminals going after end-users, web servers and the crown jewels at the core, organizations need to set their policies to protect their endpoints, networks and databases from intruders, says Chris Wysopal, CTO of Veracode. He comes from an ethical hacking background: in the 1990s he was known by the hacker handle ‘Weld Pond’ and was an esteemed member of the Boston-based L0pht hacking group.
The hacks
While serious criminal attacks on organizations' internal crown jewels are a concern, the biggest risk is the proliferation of less-talented hacks operating against end-users, customers and legitimate websites, says Yuval Ben-Itzhak, CTO of Finjan.
“Crimeware toolkits include everything you need – a trojan horse, a reporting system, a database, a technique to compromise the website,” he says. “Without any knowledge of security, trojans start reporting back in the first day. Amateurs don't realize they need to protect this stream, so we see a lot of unencrypted traffic going directly back to the criminal host.”
Jose Nazario, security researcher at Arbor Networks, actually gets into these unencrypted channels and engages botnet herders and other malware operators to determine their level of sophistication.
“When we get into these channels, the better of the herders say ‘No lurkers,’ and kick us off right away,” Nazario says. “The bad ones, once they think we're not a threat, will actually ask us for help.”
In one case, Nazario pointed out to a botware manager that the manager was paying $2,000 a month to a developer who was giving him two-year-old exploit code. The botware manager said he didn't care: he was making plenty of money off the old exploits, so why spend the $40,000 or so it'd take to purchase a zero-day?
“That's the whole ecosystem of this underground – it's full of folks who barely scrape by in terms of work and investment – but they're going for the greatest reward,” Nazario says. “They have various ways of justifying their crimes while adhering to a pecking order.”
For example, another hack told him that installing porn dialers on victims' machines wasn't illegal in his country, and defended his actions saying that what he was doing was better than credit card theft or DDoS [distributed denial of service] attacks, which he considered truly evil.
Such fractionalization results in specialization of tools and services, says Josh Corman, principal security strategist at IBM. For example, someone wants a DDoS tool, so he goes to an Eastern European group called Black Energy. Want banking trojans? Go to a group in Brazil that designs code to intercept bank transactions on compromised clients. For botnets, call the Dutch, who keep getting arrested for their botnets.
“We estimate that there are between 2,000 and 3,000 crime forums specializing in different types of fraud, merchandise, tools and services that the fraudster community needs to do its business,” says Marc Gaffan, director of identity and access assurance for RSA. “They represent a value chain of very precise expertise.”
As such, crime rings are fluid and harder to track, because alliances are formed to exploit the strengths of the others, then abandoned for something else that meets the criminal's goals, says Lowery.
Further online fraud against individuals is then perpetrated to launder the stolen information into money. Two such scams are spamming and posting job offers to recipients who will accept and forward packages, and getting people to cash and forward money from fake cashier's checks and money orders.
Cracking the enterprise
It goes without saying that organizations also need to protect their websites, particularly with website infection rates hitting 16,000 a day as of July, according to Sophos. Many of these infections are being placed on web pages in the form of iFrames, and in ads being served up at legitimate engines like Google. But websites are also being infected through an old attack, SQL injection, which takes advantage of errors in the web application's code.
Crackers are also the ones discovering and holding onto their own zero-days for use against lucrative data targets, including corporate and government espionage. Zero-days can fetch a high price in the tens of thousands of dollars, and once they're released, they are copied and replicated by other malware sellers, says Finjan's Ben-Itzhak.
The TJMaxx case drives that point home: multiple retailers, falling under PCI DSS compliance rules, were still royally breached. From wireless input points to the web server and database – all layers are going to need to be protected and monitored in today's hostile climate.
These rules don't just apply to financial information and intellectual property. Ben-Itzhak says his company is finding a lot more health-related data in botnet traffic these days. With stolen health cards, criminals buy prescription drugs and sell them on the black market, he says, as an example of how health care data gets monetized. He attributes this shift to the economics of supply and demand.
“Last year, a single stolen credit or debit card with a balance and other data was worth about $100. Now it's worth $10 or less,” he says. “Criminals are looking at different types of data for which they can charge a premium price.”
In addition to security and education for organizations and end-users, Lowery hopes that enforcement and stiff convictions against perpetrators will act as a deterrent to would-be hacks and crackers.
“After the TJMaxx indictment, hopefully the criminals won't be as confident as before,” says Lowery. “We have proven we can put a face to the hack, and all those along the criminal chain. And we can reach out internationally to touch the criminals, thanks to our relationships with international law enforcement agencies.”
[sidebar]
INTERNET FRAUD: Endpoints vulnerable
Internet fraud made up 64 percent of 555,472 fraud complaints reported to the FTC last year, with 49 percent of victims initially contacted via email. The success of email spam shows that endpoints are clearly vulnerable and users need more education and protection, says Yuval Ben-Itzhak, CTO, Finjan.
Education is particularly critical, he adds, when you consider what users might be clicking in those emails that could slip into the protected network.
“You'll need a technology that doesn't just rely on signatures and URL blacklists to protect your endpoints. You need something that can inspect the website in real-time before loading the page,” Ben-Itzhak advises.
Photo: A peaceful demonstration is held in London in support of British computer hacker Gary McKinnon. McKinnon is due to be extradited to the U.S., where he faces up to 80 years in jail for hacking military and NASA computers. Photo by Cate Gillon/Getty Images