When Cybercriminals Turn Pro

IN ANY OTHER BUSINESS, they’d be model employees. They regularly work 12-hour days, they don’t require health or retirement plans, nor do they grumble about the management. And they work well together to achieve their goals.

Unfortunately, these aren’t your employees; they’re your enemies, who are writing malicious code to exploit holes in your network and then taking advantage of the sensitive data they manage to get their hands on. According to Dave Cole, director, Symantec Security Response, these über-professional bad guys with their eyes on the bottom line have supplanted the “script kiddies” who were simply trying to be annoying and to rack up bragging rights.

Cole and his team wanted to examine the changing nature of hackers and malicious-code writers, and the communities in which they work. As a basis for their research, the Symantec team looked specifically at an increasingly widespread Trojan horse program called Bancos that targets customers of some Latin American banks and tries to steal their account passwords.

The researchers took the Bancos code apart to find out when its various versions had been compiled (compilation is the process by which code written in a programming language is converted into a file that can be executed), and then plotted the compile-time stamps they found by day of the week and time of day.

“We could see that the Bancos Trojan was compiled during the work week,” Cole says. “We saw a definite drop-off on Saturday and Sunday.”

The team also looked at what time of day this work was being done (the compile time/date stamps are recorded in local times). “What we saw is that it picked up around noon and went through until midnight and then started to taper off.”

Based on this analysis, the team felt it unlikely that whoever was working on the code held down a day job. Tuesday was the day when most compilations (almost 140) were done; on Sunday, there were fewer than 60. The team’s report notes an alarming conclusion: “The developer(s) may even have produced this malicious code as their full-time job.”
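The build-time profiling described above can be reproduced with a small script. This is an added example, not Symantec's tooling: it reads the TimeDateStamp from the COFF header of each Windows PE file, discards zeroed or implausible stamps (a common sign of a stripped or forged value), and buckets the rest by weekday and hour. The sample binaries are constructed stubs, not Bancos, and the UTC offset applied is an analyst assumption rather than anything derived from the file.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def compile_timestamp(pe: bytes):
    """COFF TimeDateStamp of a PE image, or None if the bytes are not PE-shaped."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    # "PE\0\0" (4) + Machine (2) + NumberOfSections (2) sit before the 4-byte stamp
    if e_lfanew + 12 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]

def activity_profile(samples, utc_offset_hours=0):
    """Count builds per weekday and per hour of day across a set of PE samples."""
    # The stamp is a 32-bit time_t; whether the toolchain wrote UTC or local time
    # is an analyst assumption, expressed here as utc_offset_hours (0 = take as-is).
    by_day, by_hour = Counter(), Counter()
    tz = timezone(timedelta(hours=utc_offset_hours))
    for pe in samples:
        stamp = compile_timestamp(pe)
        # zeroed or pre-1995 stamps are stripped/forged values: no signal, skip them
        if stamp is None or stamp < 800_000_000:
            continue
        dt = datetime.fromtimestamp(stamp, tz)
        by_day[WEEKDAYS[dt.weekday()]] += 1
        by_hour[dt.hour] += 1
    return by_day, by_hour

def make_pe_stub(stamp: int) -> bytes:
    """Constructed minimal PE-shaped blob carrying only the fields the parser reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, stamp)  # i386, 3 sections

def _utc(*ymdhm) -> int:
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())

# Constructed sample set (not real Bancos binaries): two Tuesday builds, one Wednesday,
# one Sunday, one with a zeroed stamp and one file that is not a PE at all.
SAMPLES = [
    make_pe_stub(_utc(2006, 3, 14, 14, 0)), make_pe_stub(_utc(2006, 3, 14, 23, 30)),
    make_pe_stub(_utc(2006, 3, 15, 12, 5)), make_pe_stub(_utc(2006, 3, 12, 3, 0)),
    make_pe_stub(0), b"not a PE file",
]
```

Over a real corpus, the weekday and hour histograms are what the report reads for work-week and working-hours patterns; on a handful of samples, as here, they prove nothing and only exercise the parsing.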

That is just one of the findings of the Symantec team, which spends much of its time in the dark corners of the Internet, in chat rooms and on message boards where cybercrooks loiter. Through this undercover work, they have come to the conclusion that online fraudsters are increasingly becoming specialists. In a report called Online Fraud Communities and Tools, the team notes that several specialized roles are necessary for a phishing attack to take place: spammers to send emails out; Web designers to make fake pages look legitimate; exploiters who take over systems to be used as the phishing site or to send the spam; cashiers who can take money out of a compromised credit-card or bank account; and droppers, whose job it is to receive fraudulently obtained items at an untraceable drop point.

Larry Johnson, special agent in charge of the Secret Service’s Criminal Investigative Division, said at a recent cybercrime roundtable that this cooperation is common. “What we’ve seen is that hackers are able to take over accounts and then, through some social engineering, they’re also able to contact a financial institution and obtain additional information needed to close out an account.”

There are also “phone services,” says Johnson, “where, if a bad guy wants to take over an account, he’ll have someone else speak in a different language in a different location, and that’s all they do. Their expertise is calling financial institutions for social engineering.”

Cole says that this growing skill level is typical of what would be expected in a “normal” job market. “Each player ups the level of what they can provide,” he says. The result is malware that “is really more sophisticated than some commercial software.”

The evolution from petty prankster to hardcore hacker began back in the days of Y2K, when extortion efforts against e-commerce sites started to happen, says former FBI cybercrime investigator Scott Larson. That was when organized criminals in Eastern Europe realized there was money to be made. “You had two groups: the actual techies, the hackers; and you had combined with them a con man who is the person who would reach out to the e-commerce company and try to work the extortion,” says Larson, who is now managing director at Stroz Friedberg, LLC. That partnership has evolved into the specialized teams seen today.

“Some of these folks aren’t particularly technically sophisticated,” Cole notes, “but they all play a specialized role, and they all get a cut of the overall proceeds.”

Another development is that the use of couriers, or mules, has “gotten a little smarter, a little more effective,” making it tougher for law enforcement to round up a whole gang, notes Larson.

Many of these groups are based outside the United States, which makes the task even harder. A lack of international law enforcement coordination “makes it difficult in some of these countries to get ‘habeas grabus,’ as we like to say, on some of these people,” Larson says.