If corporate IT infrastructures are a battlefield, then the cybercriminals are putting up a good fight. Last year saw some nasty breaches.
Among them were Anthem Insurance, which lost nearly 80 million records, and the US Office of Personnel Management, which lost 21 million records after failing to encrypt them.
Cybercriminals are driven by a range of motives, from financial gain to political advantage. Who are they, and how do they operate?
Who are the criminals?
Insider threats are perhaps the most insidious, because they can have privileged access to sensitive information. Verizon’s 2015 Data Breach Investigations Report said that of more than 2,100 confirmed data breaches in 2014, close to one in five were caused by insiders.
The criminal kind of insider threat is typically motivated by a grudge, or personal gain, explained Randy Trzeciak, technical manager at the CERT Insider Threat Centre at Carnegie Mellon University.
“There is a clear financial or personal benefit on the part of the insider. They typically do it over a longer period of time, and the longer they do it, the longer they can benefit from a fraudulent activity,” he said. “Those folks tend to be someone that has access to a key critical data set.” That could be intellectual property, employee or customer data, or simply an application handling a financial business process.
When an insider strikes, they can cause severe embarrassment to a company and put commercial partnerships in danger. US pharmacy chain CVS found this to its cost recently, when an employee stole the personal details that the company was holding on almost 55,000 patients of health insurance firm Molina Healthcare. CVS filled the patients’ prescriptions, and its employee moved the data, including member IDs, names and CVS IDs, to his personal computer.
Insider threats may be dangerous because of their privilege, but at least it is possible to neutralize them when they are found and stop them from striking again. External actors are more difficult because they may be half a world away.
Insiders may be lone wolves, but outsiders these days are generally part of a loosely-coupled supply chain designed to steal, process, sell on and then use criminal data. The skills necessary to accomplish each of these stages are typically so specialized that different people will handle each aspect of the operation, offering their services to each other for a fee.
One example of this specialization is in the malware used to steal data from victims, explained Victor Benjamin, an MIS doctoral student at the University of Arizona.
Benjamin got into security research while at the university after his team ran across Rescator, an infamous online cybercriminal who advertised some malware called BlackPOS in various fora online.
Benjamin was part of a team that formed the Hacker Web project, a data mining program that uses algorithms to analyze what is being said and done on the various underground fora frequented by cybercriminals online. The team runs text and sentiment analysis programs across the sites to gain a better understanding of the supply chain.
“The vast majority of participants in this carding circle aren’t very legitimate or very ingrained in the community,” Benjamin said.
Typically, a handful of operators at the top of the chain will run multiple online sites for the trading of information. Rescator is one such player, owning and operating multiple fora. “The carding community at its core isn’t a significant number of people,” he added. “That has remained constant since we started this investigation.”
What services are available on these sites? Some people will offer malware for sale. Others will offer to get it installed on point of sale terminals, in the case of retail hacks.
“You are seeing specialization in people who are building certain types of tools, but the users of those tools are not as specialized,” explained Ken Deitz, director of intelligence at the Dell SecureWorks corporate security team.
The tools to steal the data are becoming increasingly niche. Some phishing kits may emulate a bank’s web site and try to persuade people to log into it. Other malware may target a particular bank’s back-end financial systems, as did Carbanak, the banking malware used to steal $1bn from various banks.
The malware writers are innovating at breakneck speed. Some are reportedly infecting IP cameras to look at the surrounding environment, in a bid to check whether the computers they’re infecting are in a retail environment, for example.
Those offering the malware are typically not those who write it, said Benjamin. He suggests that the malware writers tend to stay out of the spotlight, avoiding online marketplaces and dealing with a select few. The specialized malware also mutates.
“The malware can transfer from region to region. Russian hackers might make it, but then the Chinese may take it and edit it and call it their own,” he said.
This mutation is clearly visible online. The malware used in the Target hack, which stripped the retailer of millions of credit card numbers, was a variant of BlackPOS known as Trojan.POSRAM, for example.
Buying and selling card details
Then, there are people at the sharper end of the supply chain, who use the tools to steal data. These cybercriminals typically use the tools to harvest credit card data, personal information, and other related services. Some people sell partial credit card information, while others offer “fulls”, referring to the complete personal details, including the customer’s date of birth, and other information that could be used to steal an identity.
A popular product on cybercrime forums is a “dump” – a file containing a stolen credit card’s information, in a format that could be loaded directly into a magstripe writer to create a fake card. This kind of file could fetch around twenty bucks online, but could net the buyer hundreds in profit.
The smart criminals use the files to create counterfeit cards, and then sell the cards to others, who would turn their profit by using them to withdraw money from the machines.
Success in the carding community lies further up the supply chain. People who trade carding information on underground sites are the most protected, because they need never to meet their customers or put themselves in a physical position to be arrested. They can also trade in volume. The dumb newbies are the ones who cash out at the machines, putting themselves at risk.
The retail sector in the US has been hit hard at both ends by cybercriminals targeting credit cards. At one end, they have their customers’ data stolen by sophisticated attackers. At the other, they suffer from fraudulent transactions, where those at the sharp end buy expensive items using counterfeit cards produced with that stolen data.
The bottom feeders and victims of the carding world
The people at the sharp end can often come from poorer socio-economic groups, explained John Clark, vice president at the Coalition of Law Enforcement and Retail.
“We're starting to see human trafficking victims in the mix too,” he said.
These people will often be forced into the crimes by their handlers.
“Sex traffic victims say ‘they're holding onto my identity’,” Clark explains, describing some of the things that victims tell him when they’re caught making fraudulent transactions. “Or there will be an individual in the country illegally and this is their job.”
Credit card data isn’t the only information or service traded on underground cybercrime web sites.
“There are also people who provide drop-off locations,” explained Benjamin.
With chip and PIN technology now protecting many credit card users in Europe, online fraud using stolen data is becoming more common, because it still allows stolen card information to be used. Those using defrauded credit cards to buy goods online need somewhere safe to have them delivered that won’t give them up if the fraud is detected and the site raided by the police.
Enter the dark web
Cybercriminals typically get together on online criminal marketplaces to trade information and services, but these have changed over the years. In the mid-2000s, Internet relay chat (IRC) and some public web sites were common ways to trade information.
One common destination back then was ShadowCrew, a site operated by hacker Albert Gonzalez, who went on to manage one of the most notorious credit card theft rings in history, stealing more than 100 million credit card records from more than 250 companies. Gonzalez was collared by the Secret Service while carding and became an informant for the cops while running ShadowCrew. After they nabbed his friends, they shut the site down.
These days, things have moved from public sites to private ones, operated on the dark web. “The wide availability of these technologies, whether it’s Tor, or I2P, which some say is taking over some Tor, or Freenet, all of these things fall under the term privacy networks these days,” said Jonathan Lampe, product manager at the Infosec Institute.
Tor enables people to create anonymous services (the equivalent of a web site) that serve data anonymously and are accessible anonymously by others, using a network of relays and layered encryption: each relay peels off one layer, so no single relay sees both the sender’s and the receiver’s identities.
One factor that helped this shift was the rise of anonymous digital currencies. These had previously been centralized operations, like Liberty Reserve, “minting” online currencies that cybercriminals could use to pay each other and then exchange for real dollars. Being operated by a single entity, such sites are relatively easy to shut down (Liberty Reserve was shuttered in May 2013, and co-founder Arthur Budovsky pleaded guilty to money laundering charges in January).
Bitcoin has changed all of that, with a decentralized and quasi-anonymous model that makes it suitable for nefarious purposes. “There was a general acceptance in the community that this was a really cool digital technology, but then there was an amazing spike in its value,” said Lampe. “That solidified that one and only currency as one that people use for exchange.”
Dark web sites that use Bitcoin and other digital currencies as their trading mechanism pop up and disappear relatively quickly, for two reasons. Firstly, law enforcement manages to shut them down with surprising frequency, typically using “light leakage” to find clues about the perpetrators. FBI researchers caught Ross Ulbricht, the operator of the Silk Road drug peddling web site, in part by piecing together his other activities online.
In some instances, law enforcement officials have managed to find users of criminal services operating on the Tor network by controlling the Tor site and installing code that then infected the users’ machines with malware that revealed their true Internet address. That was how the FBI nabbed users of child porn sites hosted by “bulletproof” Irish hosting company Freedom Hosting in 2012.
The battle between law enforcement and security practitioners on one side and cybercriminals on the other will only continue to escalate, with criminals using every technology at their disposal. One thing is clear about the cybercriminal underworld: it’s loosely coupled and dynamic. A high degree of specialization leads to a constant cycle of reinvention and innovation. Be prepared for a perpetual war. ®