Original URL: http://www.theregister.co.uk/2010/07/01/cybercrime_gang_profile/

Online crims not just 'speccy geeks', researchers warn

They're normal and they're after your mother's maiden name

By John Leyden

Posted in Security, 1st July 2010 15:08 GMT

Misconceptions about the nature of cybercrime are affecting the fight against online economic skulduggery.

Widespread beliefs that e-crooks are likely to be either "geeks with glasses" or digital pranksters are well wide of the mark, according to researchers from Trend Micro, which reckons the majority of cybercrooks would be indistinguishable from the man in the street.

Cybergangs are located around the world. Russia, the Ukraine and China are well known havens for hackers, helped by the difficulty of getting foreign complaints against economic crime to local law enforcement taken seriously. Other countries including Turkey, Brazil and Estonia also commonly crop up as the home of hackers in cybercrime investigations.

Different gangs have differing skill sets. The most technically adept specialise in writing customisable cybercrime toolkits (such as the Zeus Trojan). Others broker the sale of malware or stolen personal information, while other groups specialise in spam distribution or the administration of networks of compromised systems (botnets).

What all the groups have in common is sophisticated business models, often featuring affiliates and ideas about bonuses and incentives stolen from the mainstream world of software development and applied to cybercrime. For example, many gangs outsource aspects of cybercrime to more specialised groups.

The result is groups specialising in coding working with others whose skills lie in finding vulnerabilities. Meanwhile, other gangs manage botnets or mine personal data, while others get their hands dirty in actually carrying out identity theft or financial fraud. The average team size typically ranges from one to five people, according to Trend.

Malware and social engineering tricks are used to harvest a variety of accounts, which are traded through underground markets. Average prices range from $4 for an eBay account to 50 debit cards for $170. Twitter, iTunes, eBay, email, Skype and gambling accounts have also become commodities in black market sales forums.

"Most people are simply unaware that their identities have real financial value; individually, details are sold incredibly cheaply, but the whole economy has a huge turnover," explained Rik Ferguson, a senior security advisor at Trend Micro.

"Identity theft has consequences far beyond the here and now. It can affect your financial record for life."

Enterprises as well as consumers are at risk of ID theft, especially in the case of compromised banking accounts, where corporate customers are not entitled to the guarantees against bearing the cost of financial crime that are commonly offered to consumers.

Programming groups sell their malware for anywhere between $500 and $10,000, with the highest prices charged for customised versions of the Zeus banking Trojan. Trend Micro researchers cite underground sources in speculating that ZeuS programmers earn more than $800,000 per year.

The potential earnings of botnet herders may be even higher than this, depending on how successful they are at maintaining a network of infected proxies and selling their services to unscrupulous third parties. Some gangs have even begun using Twitter, Facebook and YouTube accounts to promote their services and malware kits.

Researchers at security firms have to turn detective in order to piece together a picture of who cybergangs are and how they operate. Researchers working on the bigger picture try to make sense of the complex business relationships behind attacks to better protect their customers by detecting whole malware families (kits/packs) rather than individual malicious files.

Threats commonly operate on several different layers. For example, a spam email may link to a malicious website that exploits a vulnerability to drop a Trojan on a compromised PC. This compromised machine awaits instruction from botnet herders who may have only a tenuous, indirect relationship with the original malware coders.

Since cybercrime is global, the only effective way to tackle it is to enforce collaboration across law enforcement agencies in different countries and continents, Trend argues. However, international co-operation is frustrated by the fact that many police forces often intervene only when there is enough evidence to suggest that a single entity located within their jurisdiction is behind the criminal activity.

David Sancho, a security researcher at TrendLabs who compiled the report, warns that a growing number of individuals attracted by the prospect of making a quick buck with minimum effort or risk are getting lured into cybercrime.

"There are a few well-financed outfits with big operations that cover everything from phishing to fake antivirus deployment to mass-mailing marketing front-ends and botnet operations back-ends," Sancho told El Reg, adding there are probably no more than two dozen such operations worldwide.

"Then there's a set of people who jump on the malware bandwagon and create their own botnets with underground tools, phishing kits or whatnot. We calculate these to be a few hundred. The entry level [cost] is so low though that this number is growing." ®