Feeds

FBI and SOCA plot cybercrime smackdown

White hats get proactive on e-crime

Using blade systems to cut costs and sharpen efficiencies

RSA Europe 2009 The FBI and the UK’s Serious and Organised Crime Agency have drawn up a program for dismantling and disrupting cybercrime operations. The effort relies on a better understanding of the business models of carders, malware authors and hacker groups which have increasingly come to resemble those of legitimate businesses.

The three prong strategy aims to target botnet and malware creators, so-called bullet-proof hosting providers that offer hosting services to cybercrooks, and digital currency exchanges. Digital currency exchanges such as WebMoney and Liberty Reserve are central to the operation of the black economy, according to Andy Auld, head of intelligence at SOCA’s e-crime department.

During a keynote presentation at the RSA Europe Conference, Auld and FBI special agent Keith Mularski used the Russian Business Network (RBN) cybercrime network as an example of the type of criminal enterprise they were targeting. The now disbanded group used an IP network allocated by RIPE, a European body that allocates IP resources, to host scam sites, malware and child porn.

RIPE actions might lend themselves to interpretation, viewed in the harshest terms, as being complicit with cybercriminals and "involved in money laundering offences".

"We are not interpreting it that way. Instead we are working in partnership to make internet governance a less permissive environment," Auld said.

The RBN – described as a purpose-built criminal ISP – allegedly paid off local police, judges and government officials in St Petersburg.

"This was a well organized organization not a cottage industry,” Auld explained. “RBN was the e-crime component in a wider criminal portfolio.

“There were strong indications RBN had the local police, local judiciary and local government in St Petersburg in its pocket. Our investigation hit significant hurdles.”

Auld said that although western law enforcement efforts were frustrated, the group was put under surveillance for a short time, during which the group travelled around the Russian city in an Armoured Audi A8 that was always escorted by a Range Rover.

As the heat was turned up on RBN, the group applied a disaster recovery plan, activated in November 2008. However, foreknowledge allowed the FBI and SOCA to shut down new systems before RBN was able to complete its migration.

“All we achieved was disruption, not a prosecution,” Auld explained. “We believe RBN is back in business, pursuing a slightly different business model.”

Zombie botnet taxonomy

The well attended presentation also included a comprehensive taxonomy of botnet types. Network of compromised PCs can be used for multiple purposes include proxies that supply anonymity (based on machines infected by malware strains such as Xsox), credential stealing (the notorious banking Trojan ZeuS and Torpig being the chief irritants in this category), web hosting (ASProx), spam distribution (Srizbi, Storm worm) and malware dropping botnets.

Another vital component of the cybercrime economy is carder forums, described by Mularski as e-crime “supermarkets” for exploits, tools and stolen data that have adopted a mafia-style organisational structure. These forums have splintered after law enforcement efforts that led to the demise of forums such as Shadowcrew and Carderplanet in 2004.

New generation forums are split between Russian and English language sites. Each have hierarchical structures with administrators who take a percentage for running escrow services and control membership at the top. Below these bosses are reviewers who handle site management (capos).

Hackers, carders and data thieves occupy the rung below with mainstream members (associates) below them. The quality of stolen credit card data, for example, is reviewed before a vendor is allowed to sell through these forums.

Counteroffensive

SOCA and the FBI intend to infiltrate groups or cultivate inside sources. The law enforcement agencies will also go after the money by targeting electronic exchanges that are used to transfer funds between criminals. Working with internet governance organisations, such as groups that allocate IP addresses to crooks without realising that the address space will be used for cybercrime, also form part of the clampdown.

The two law enforcement agencies also want to encourage the targets of cybercrime to improve their security while going after locations where crackers upload and store stolen data.

“Traditional policing is reactive,” Auld explained. “Cybercrime enforcement, by contrast, has to be pro-active.” ®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.