Feeds

FBI and SOCA plot cybercrime smackdown

White hats get proactive on e-crime

Choosing a cloud hosting partner with confidence

RSA Europe 2009 The FBI and the UK’s Serious and Organised Crime Agency have drawn up a program for dismantling and disrupting cybercrime operations. The effort relies on a better understanding of the business models of carders, malware authors and hacker groups which have increasingly come to resemble those of legitimate businesses.

The three prong strategy aims to target botnet and malware creators, so-called bullet-proof hosting providers that offer hosting services to cybercrooks, and digital currency exchanges. Digital currency exchanges such as WebMoney and Liberty Reserve are central to the operation of the black economy, according to Andy Auld, head of intelligence at SOCA’s e-crime department.

During a keynote presentation at the RSA Europe Conference, Auld and FBI special agent Keith Mularski used the Russian Business Network (RBN) cybercrime network as an example of the type of criminal enterprise they were targeting. The now disbanded group used an IP network allocated by RIPE, a European body that allocates IP resources, to host scam sites, malware and child porn.

RIPE actions might lend themselves to interpretation, viewed in the harshest terms, as being complicit with cybercriminals and "involved in money laundering offences".

"We are not interpreting it that way. Instead we are working in partnership to make internet governance a less permissive environment," Auld said.

The RBN – described as a purpose-built criminal ISP – allegedly paid off local police, judges and government officials in St Petersburg.

"This was a well organized organization not a cottage industry,” Auld explained. “RBN was the e-crime component in a wider criminal portfolio.

“There were strong indications RBN had the local police, local judiciary and local government in St Petersburg in its pocket. Our investigation hit significant hurdles.”

Auld said that although western law enforcement efforts were frustrated, the group was put under surveillance for a short time, during which the group travelled around the Russian city in an Armoured Audi A8 that was always escorted by a Range Rover.

As the heat was turned up on RBN, the group applied a disaster recovery plan, activated in November 2008. However, foreknowledge allowed the FBI and SOCA to shut down new systems before RBN was able to complete its migration.

“All we achieved was disruption, not a prosecution,” Auld explained. “We believe RBN is back in business, pursuing a slightly different business model.”

Zombie botnet taxonomy

The well attended presentation also included a comprehensive taxonomy of botnet types. Network of compromised PCs can be used for multiple purposes include proxies that supply anonymity (based on machines infected by malware strains such as Xsox), credential stealing (the notorious banking Trojan ZeuS and Torpig being the chief irritants in this category), web hosting (ASProx), spam distribution (Srizbi, Storm worm) and malware dropping botnets.

Another vital component of the cybercrime economy is carder forums, described by Mularski as e-crime “supermarkets” for exploits, tools and stolen data that have adopted a mafia-style organisational structure. These forums have splintered after law enforcement efforts that led to the demise of forums such as Shadowcrew and Carderplanet in 2004.

New generation forums are split between Russian and English language sites. Each have hierarchical structures with administrators who take a percentage for running escrow services and control membership at the top. Below these bosses are reviewers who handle site management (capos).

Hackers, carders and data thieves occupy the rung below with mainstream members (associates) below them. The quality of stolen credit card data, for example, is reviewed before a vendor is allowed to sell through these forums.

Counteroffensive

SOCA and the FBI intend to infiltrate groups or cultivate inside sources. The law enforcement agencies will also go after the money by targeting electronic exchanges that are used to transfer funds between criminals. Working with internet governance organisations, such as groups that allocate IP addresses to crooks without realising that the address space will be used for cybercrime, also form part of the clampdown.

The two law enforcement agencies also want to encourage the targets of cybercrime to improve their security while going after locations where crackers upload and store stolen data.

“Traditional policing is reactive,” Auld explained. “Cybercrime enforcement, by contrast, has to be pro-active.” ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.