Pierluigi Paganini April 23, 2012

The article is published on the last edition of PenTest AUDITING & STANDARDS 03 2012. 

Several reports published in the last months demonstrate that Cybercrime has double digit growth, being today among the four biggest crime threat all over the world, within asset theft crimes, frauds and corruption.

The trend is the same all over the word, cybercrime industry has collected a lot of successes during the last five years, we are facing with a sector doesn’t know the word “crisis” , in fact the cybercrime’s financial and geographic growth shows no slowdown despite the global economic difficulty. Cybercrime probably took advantage of the crisis factor, to undermine the business much more profitable. Lack of awareness of the incoming cyber threats, and contraction of investment in prevention and control have played in favor of cybercrime. No company or organization is immune.  Cybercrime growth has been fueled by an evident lack of adequate protection.

According a recent Norton cybercrime report costing fraud victims more than $388 billion worldwide over the past year, consider that up 35% of the global cybercrime bill were U.S. fraud victims, who spent $139 billion on cybercrime last year. An amounts of 141 victims per minute, an alarming statistic even for Norton’s consumer cybercrime expert, Helen Malani.

Online adults who have experienced with cybercrime in their lifetime are globally at 69% that indicate that the new threats are being part of everyone life, a worrying phenomena that daily generates new opportunity for business.

Cybercrime goes unpunished

Another aspect that must be considered when we talk about cybercrime is that usually this type of criminal activities go unpunished, it is highly lucrative and far less risky than any other ordinary crime like old-fashioned bank heist.

To give an idea of the real risk that a cybercrime face with let’s consider a statistics provided by FBI: In 2010, bank robbers pulled off 5,628 heists and ran off with $43 million. The average robbery netted $7,643 and the loot was recovered in 22 percent of cases. Often, the thieves wielded guns, so when caught, they faced long mandatory jail times. The crimes have been aggravated by “ancillary offenses” like injuries, death, and hostage situations. We can consider physical bank robberies very risky for criminals. Analyzing internet crime statistics we find a totally different scenario. According FBI 2011 report, 300,000 people were victim of Internet fraud with a total loss of $1.1 billion. The responsible of these crimes are almost never gets caught.

Cyber space has no boundaries this means the criminal acts could be conducted on foreign countries, each of them with its own law in the matter. This legislative inhomogeneity makes it virtually impossible an unanimous judgment of the criminal events that is then treated differently depending on which country is sentenced. This situation greatly complicates the operations of the crime persecution that often bases its headquarter in those countries where the risks of incurring penalties are minimal. Interesting is to interweave the information regarding the origins of the main frauds with data on related to countries that host crimes and the level of corruption present. Many countries are a real paradise for cybercrime, which thus finds its natural habitat in which to evolve and organize themselves in a dangerous way.

The area East Europe, but also many countries in Asia Pac are the appointed places to house the major criminals organizations that could operate in regions where the action of police is absent due corruption and provides them important connivance. In this scenario the fight against cybercrime is really complex and urgent regulations must be internationally recognized and shared, the fight against cybercrime can be conducted only through mutual cooperation of the states involved.

Which are the main cybercrimes observed last year?

No doubt on the response, computer viruses/malware development, online scams and phishing activities and cyber espionage, very interesting also the schemas used for the distribution and sell of the information illegally acquired and to offer any kind of support to the realization of frauds.  Group of hacker and cyber criminals are arranging creative and efficient services to promote their business, to give an example Trusteer Researchers have discovered a professional calling service that has been designed to offer the extraction of sensitive information needed for bank fraud and identity theft from individuals.

The security company Trusteer has discovered an advertisement for making targeted call calls in different languages to private individuals, banks, shops, post offices and similar organizations. $10 per call, this is the price for the service offered, cybercriminals were offered the possibility of obtaining the missing pieces of information they need to pull off attacks.

Many criminals have refined the techniques for collecting the information necessary to conduct an attack against a specific target. Banks and other Financial Educational Institutions, however, have a high level of security provided for their services making it difficult to carry out fraud. The introductions of authentication mechanisms more or less complex as the one-time-use passwords (OTPS) or sending codes for authentication through mobile devices has actually increased the level of security for each transaction.

To be able to retrieve the information described the criminal service offers an on-demand social engineering to convince customers to provide the information necessary to the success of the offense.

What is surprising is the organizational model of the service, trained staff is able to embody all kinds of professionals such as computer technicians or employees of companies that can supply all kinds of services, all to deceive the victims.

For example, if a fraudster wants to log into an account by using stolen online banking credentials, but is prompted for an OTP because he uses a different IP address than the real account holder, he can give a caller the information needed to impersonate a bank employee.  Armed with things like the victim’s name, account number, birth date and other personal information, the caller can claim that he’s performing system checks and ask the targeted individual to read back the code sent to their phone.

Illegal call services are not new and the number of rogue call centers has increased in recent years and all this services are available during American and European working hours, it might indicate that the groups are operating in these regions,” said Trusteer security researcher Ayelet Heyman.

The cybercrime is also benefiting of the new form of communication like social network platforms to promote its business and improve its products with a stimulating interaction with its clients. Operations are managed as projects and malware designed as products of large companies with a maniacal attention to the quality. Just the life cycle of products is the most amazing aspect, from design phase to the after sales support, each stage is designed in every detail with care and attention.
On more than one occasion we read of malware designed with complex solutions to meet the most demanding requirements of implementing effectiveness and scalability, evidence that there are high skills behind these projects probably coming from legal industry.

Recently has been published the news on the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. Zeus Trojan is an agent able to steal banking information by logging keystrokes and form grabbing, It is spread mainly through phishing and drive-by downloads schemes. Consider that the several Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009 over 1.5 million phishing messages sent on Facebook Were with the purpose of spreading the Zeus’ Trojan.

Interesting is the organization of sales and support channels, in many ways more responsive to those used for legal products. Forums and social networks used to collect information on bugs and request information regarding the commercial development of new features, a shortcut between developers and end users.
No doubt this approach raises a lot of concern because of the unpredictable evolution that the agents may have their own community by supporting open development.
The apparent evolutionary leap made ​​by this type of products and its marketing have been identified different ways of selling their products can be purchased in packages that provide ongoing support and evolutionary maintenance of Trojans to meet changing customer needs.

Always with an eye on the malware distribution model and support services, commonly referred to as “software-as-a-service”, I point out the ZeuS offshoot, Citadel, to true web store advertised on several members-only forums that proposed malicious hackers developments .

Which are the main services offered by the Citadel’s owners? Standing to their declaration they propose a common platform for content sharing based on a social network model.

• A social network for customers, Citadel CRM Store, to allows users to be active player in the in product development .
• Report bugs and other errors in software with a ticketing systems.
• Code Sharing platform. Each client can share its module and software code with other. creating new modules or improvements.
• Promoting of public proposal for software improvements and new features.
• Efficient jabber instant message communication channel.

The model described is essentially a model applicable to all kind of malware from the moment it is divulged its source code. Group of developers can then operate in the autonomous communities that take charge improvement of the product to meet business needs. This is the critical characteristic from malware business opportunity.

For obvious reasons I have mentioned only a couple of operating schemes that show how criminal communities are active and prolific and how effective is their work.

Impact of cybercrime on private industry

Having to use three attributes to describe cybercrime I would use the words intrusive, silent and dangerous. Just the silent mode of this type of crimes is a major problem in combating the threat, in fact, very often the companies realize that they have been victims of frauds or attacks until long after the event occurred. The consequences are disarming and retrieve the situation is sometimes impossible, precisely the time gap between the criminal event and its discovery provides an advantage to those who commit crimes often unbridgeable that makes impossible any action of persecution. But we are assuming that the event is discovered by the victims and this is not always true, many companies are in fact over the years are victims of cybercrime, but they are not aware, a cancer that destroys from within.

According the report “Second Annual Cost of Cyber Crime Study – Benchmark Study of U.S. Companies” published by the Ponemon Institute, a study is based on a representative sample of 50 larger-sized organizations in various industry sectors, despite the high level of awareness of the cyber threat the impact of cybercrime has serious financial consequences for businesses and government institutions. The report shows that the median annualized cost of cybercrime for 50 organizations is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company. The total cost is increased if compared to the first study of the previous year.

The majority cyber attacks generally refer to criminal activity conducted via the Internet that include cyber espionage, confiscating online bank accounts, creating and distributing viruses to infect the victims, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.

The following chart demonstrate that virtually all companies experienced attacks moved using malware, very interesting also the data related to the action made by the insider and the damages caused by social engineering attacks. The conclusion is that industries fall victim to cybercrime, but to different degrees and with different economic impact. Defense, utilities and energy, and financial service companies experience higher costs than organizations in retail, hospitality and consumer products. 

The data provided give a clear situation regarding the impact of the cybercrime on the business of large size companies, however a significant impact is observed on the small business where the companies face the cyber threats with fewer resources and accepting the risks related to exposure. In this market segment cybercrime is very fierce and daily it tries to elude helpless companies that often fail to meet the cyber threat, the related damages are devastating causing in many situations the end of the business. In this sector is desirable for governments to support small businesses in harmony with a cyber strategy defined at the national level. Leave helpless the social fabric made ​​up of small businesses has definitely a direct impact also on the business of large firms.

Is cybercrime only a threat for private?

Believe that cybercrime may be a prerogative alone of the private sphere is deeply wrong. The crime industry has recently been shown to be very attracted to areas such as government and military.

The information objects of interest are extremely different, email addresses, confidential information, intellectual property, secret technologies being tested are a valuable commodity to the sale and retrieving very interesting revenues.

I recently report the presence on underground market of millions of harvested U.S government and U.S military harvested emails addresses that cyber criminals are trying to sell. The criminal business is offering  2.462.935 U.S government email addresses, and another 2.178.000 U.S military email addresses.

The risks are really serious, this information could be used by hostiles government in cyber attacks and cyber espionage activities in the short term.

We are facing with efficient organization that continuously collect info from various sources trying to sell them using several channels like social network, chat rooms, specific web sites and Internet directories. Many organizations have set up growing community where they sold any kind of service, from the malware development to information need to attack a specific target. Cyber criminals have used several cyber options to gather personal data and financial information of representatives of the U.S. military. The scams schemes provide phishing attacks and malware diffusion to steal precious data.  Really interesting another aspect, spammers and virus creators are also launching massive attacks on anti-spam organizations with the intent to thwart their defense and operate unchallenged.

The knowledge of this email addressed could be used in targeted cyber attacks with the purpose to gain access to critical information related to military operation in which the victim is involved.

The line between cybercrime and cyber warfare

The byber espionage is one of the most common forms of cybercrime in this period of great concern to the world of private industry and military, and according Uri Rivner, head of new technologies at RSA, one of the most common and dangerous cybercrime in Asia-Pacific. A growing number of companies around the world are victims of computer attacks with purposes of cyber espionage to steal corporate secrets and intellectual property with the intent to benefit in economic terms. The information acquired may in fact be resold by criminals to competitors companies and governments interested to the strategic know-how. The line between cybercrime and cyber warfare is thin, we have understood that one of the main strategies pursued by governments around the world is to make intelligence operations through technology to gather sensitive information relating to private industry and military sectors that somehow represent the backbone of the nation victims of attacks. The cyber espionage is a terrible cyber threat can have devastating effects on the social fabric of a nation as well as on the actions of every private company, is sneaky and silent, and for this reason, unlike other crimes may be conducted for years without the victim being aware of it with serious consequences, as happened in the case of Nortel company.

Some months ago the Office of the National Counterintelligence Executive has just published a report to Congress that presents a frightening picture of the degree to which other countries use cyber espionage to attempt to gain business and industrial secrets from US companies. The biggest threat in term of cyber espionage against American business are China and Russia engaged in efforts to obtain sensitive business and technology information as well. The report projects that China and Russia will “remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.”

“National boundaries will deter economic espionage less than ever as more business is conducted from wherever workers can access the Internet,” the report states. “The globalization of the supply chain for new—and increasingly interconnected—IT products will offer more opportunities for malicious actors to compromise the integrity and security of
these devices.”

The report classified the Chinese government as a “persistent collector,” the most active one and shows that Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

Uri Rivner is convinced that we are in the age of cyber espionage were criminals stealing trade secrets from other nations and companies for their own benefit. In this area we have a growing demand for information technology which corresponds a technology offer more thrust but often vulnerable to all sorts of cyber attacks, these conditions make the market attractive to criminal organizations that in the absence of effective regulations often see their crimes unpunished.

Ideological  cybercrimes , not only profits and frauds

When we speak about cybercrime we immediately think to profits and frauds, but we must consider that individuals and many organization act with different objectives like promoting an ideology. Groups of computer hackers act driven by economic, political, or religious interests that generally go beyond their nation’s borders, this phenomena is called hacktivism. The social impact of hacktivism is considerable, private institutions, industry, governments and law enforcer are facing with the attacks that are able to interrupt their operations and steal sensible information. The main damages are mainly caused by data breach and related costs.

The tactics of hacktivism include blocking access to websites, defacing of web sites, identity theft, virtual sit-ins, and website hijacking. The debate on the phenomena is open, many professional in fact believe cyber attacks represent a justifiable form of protest meanwhile we are facing with crime that cause serious leaks.  Cyber activists use hacking techniques to perform their operations involving critical masses made of ordinary people. The type attacks more diffused is without doubts the Distributed Denial of Service (DDoS) attack, which attempt to make a site or service unavailable to its users due an enormous quantity of request sent in a short period. Hactivists are demonstrating increasing skills in their attacks and we expect increasing in number of their operations with possible extensive damage.

In the future we will be confronted with new cyber threats such as malware developed cyber espionage and information for collection building. Extremely dangerous is the phenomenon of infiltration of the groups of hacktivist due critical mass involved in their operations. A few days ago was released a version of a fake operative system announced as a product by Anonymous.

Within hours, tens of thousands of users had downloaded the release ignoring the dangers and the possibility that the OS was infected. Events like this are very dangerous considering the rapid spread of malicious agents produced by the criminals.

New Technologies new opportunities for cyber crime, the mobile scenario

No doubt the last two years witnessed the true revolution in information technology world is the development and deployment of mobile systems. Unfortunately the development of the sector is not paid to the implementation of appropriate security mechanisms to protect these systems, but more importantly is the lack of awareness by users of the necessity of having to defend a system so valuable.

Why we believe the mobile systems are so precious? They are somehow an extension of our person, follow us everywhere, track our position, they know our contacts (email, phone numbers), manage our appointments, and when we surf on the web through these devices indirectly we provide them information on our customs and traditions. It isn’t difficult to predict a rosy future for the proliferation of malware in the mobile sector, but what are the main motivations behind the development of malware, especially in the scenario we are examining?

Cyber ​​criminals are aware of the importance of information gained from our mobile and therefore are showing an high interest in the field, we have observed an exponential growth of malware designed to attack mobile systems and steal sensitive information, useful for the accomplishments of frauds, very impressed the banking sector.

Among the risk factors that most concern there is also the growing use of jailbreak procedures for the activation/introduction of features not available in the version distributed officially. These systems replace the original operating system intercepting all calls to the underlying hardware, a special path for those who wish to install spyware, rootkits or other malware. These procedure open the way to new potential cyber threats, the user is convinced to have a system with higher performance while actually has an operating environment which ignores everything. Often these procedures allow download from parallel app store for applications where there is no certification. A child’s play to spread in this way applications that can steal all sorts of information to the user.

Which are the methods used by cybercrimes to monetize the malware usage?

Several methods are known to the monetization with malware development, here you are a list of the principals:

• Mobile pickpocketing (SMS/call fraud), or the ability to charge a phone bill via SMS billing and phone calls. Malware uses these mechanisms to steal directly from user accounts. A Fomous malware of this type has been GGTracker. It has been estimated that these malware have stolen around one million dollars from users in 2011. Similar agent, RuFraud, has been observed in Asia and Europe causes premium SMS charges for folks, downloading helpers for popular games and utilities, or wallpaper from Market.
• Botnets Creation. Many past instances of malware like DroidDream have integrated thousands of mobile devices into extensive botnet, exactly in the same way that happen for common Desktop devices.
• Vulnerabilities exploit. The opportunity to exploit vulnerabilities of the OS to perform unauthorized operations, for example steal you bank account credentials. The problems is accentuated for all those devices that have been modified with jailbreaks. At that point user have no control on its software distribution contrary to what might believe.

Conclusions

The results proposed in this article show a growth difficult to stop, a relentless progression that requires us to implement, in both Government and private sectors, a series of measures to contain the threat. Cybercrimes evolving with the technology progress and new criminal techniques are discovered every day to perform frauds.  To fight the cybercrime phenomena it absolutely necessary:

• from a legal point of view a global agreement and a strong cooperation to address these type of crimes ensuring to law enforce all over the world. Same penalties and effort in the fight against cybercrime must be shared and globally approved.

• from e technological point of view we must ensure awareness on cyber threats ad group of expert from private and government sectors must collaborate in the definition of an efficient strategy in the fight against cybercrimes.

First step is to become aware of the threat and risks … second step, action!

Pierluigi Paganini