When you think of a computer hacker, who comes to mind? It could be this: a teenage boy, sitting in his parents’ basement, turning his attention away from his video game long enough to break into his school’s computer network so he can alter his grades before they’re officially released.
That image might have been accurate a few years ago, but today the game is changing. In the past, hackers and writers of malicious software (aka malware) were seeking attention and notoriety. Creators of viruses and worms were looking for bragging rights. Now they’re after money — and they’re finding it.
The transformation in motivation has changed the types of attacks, and it has also altered the profile of the attackers. Teens seeking notoriety may still be involved, but these days the likelier culprit is a hardened criminal in search of financial gain.The transformation in motivation has changed the types of attacks, and it has also altered the profile of the attackers.Text And that criminal isn’t working alone. Loosely organized groups — which Ken Dunham, director of malicious code at security company IDefense, and other security experts call “Web gangs” — conduct much of the illegal activity online. The structure of Web gangs may be patterned on that of traditional organized crime, in which the members of the group may never come into contact with one another and may never be aware of who they are working for.
Many intelligent, tech-savvy criminals now “work as mercenaries for the highest bidder,” says Tom Kellerman, until recently a specialist in data risk management for the World Bank. He calls organized Web crime “the cocaine of the new millennium,” likening its mystique of lawlessness and easy money to that surrounding drug trafficking in the United States during the 1980s.
And online attacks are certainly on the rise: Investigators uncovered more than 422 new Internet security vulnerabilities during the second quarter of 2005, according to a security report for that time period that the SANS Institute released in July. This figure represents an increase of nearly 20 percent over the corresponding number for the second quarter of 2004.
In its report, SANS asserted that people who don’t address these critical new Internet security vulnerabilities face a heightened threat that remote, unauthorized hackers “will take control of their PCs and use them for identity theft, for industrial espionage, or for distributing spam or pornography.”
Who are today’s cybercriminals?
Just ask Barrett Lyon, founder of Prolexic Technologies, a company dedicated to protecting businesses from distributed denial of service (DDoS) attacks. Last year, Lyon spent several months posing as an online crook to infiltrate a Russian crime syndicate that had used DDoS attacks to bring down several legal online gambling and retail sites after at least some of those sites refused to pay extortion money.
Lyon’s work helped detectives at the UK’s National Hi-Tech Crime Unit secure the July 2004 arrest of Ivan Maksakov — a 21-year-old Russian mechanical engineering student at the time — and several others. According to sources at the U.S. State Department, Maksakov has confessed in full to his role in the scheme and is participating in the investigation.
Lyon says that at least ten other individuals seem to have been involved in Maksakov’s group. “From what I understood, he and a bunch of his friends hung out in chat rooms, and he was being hired to attack companies,” Lyon says.
Barrett Lyon, left, worked undercover with Dayton Turner to expose an international Web gang.Lyon’s undercover work — done with the assistance of Dayton Turner, a Prolexic senior engineer — gives him insight into just who is behind financially motivated attacks. “The guys who used to be after bragging rights are now after money,” he says.
Working together
This scenario is typical, according to many security experts. “Generally, what we’ve seen is a form of compartmentalization, from the top down,” says Shane Coursen, senior technology consultant with Kaspersky Lab, a maker of security software. At the top of the food chain is someone who has the financial means to organize a group, Coursen says. This individual, acting as the criminal kingpin, puts together a plan and then assembles the necessary technologically savvy individuals.
The resulting group or team may not have a centralized organization, says Gary Iwatani, president and COO of Cloudmark, a provider of e-mail security products. “People think of these criminal activities as being carried out by centralized organizations, but really it is much more of a difficult problem to fight because it is decentralized.”
How do these groups work together without central organization? Many members are recruited through acquaintances; others are found online, as Lyon says Maksakov was. Individuals use Web sites, online forums, and IRC channels to advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business.
“The scene is always looking for rooters, scanners, curriers [various hacking specialties], but how does one learn these skills? I’ve not been able to find much information about those topics,” reads a recent post in the Hacking-Security forum on Addict3D.org. Several posters replied, offering suggestions of where to look online to learn such skills; one post pointed out that a simple Internet search would uncover several Web sites that offer tips on how to learn the tricks of the hacking trade.
Once they’ve learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise — whether it be writing exploits, building botnet networks, or designing fake Web sites — says Dimtri Alprovitch, a research engineer with CipherTrust, an e-mail security company.
And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work. “If you’re just getting started, you let people sample your work,” says Jimmy Kuo, a McAfee fellow. “You slowly establish your credibility and your value gets higher.”
The world’s weak spots
While some members of the group are recruited for their technical skills, others are recruited for different roles. One organization that Prolexic’s Lyon came across hired prostitutes to pick up payments from Western Union. “Some of these groups have really sophisticated money laundering techniques,” Lyon says. “They get their money sent in multiple broken Western Union payments, and then hire hookers to go pick it up. They get the money back together again, and then deposit into an account where it can be wired around the world. It bounces around and eventually becomes impossible to trace.”
And the members of a Web gang may be based almost anywhere in the world, though security experts have identified certain areas as hotspots for this type of activity. Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking, says Kellerman, cofounder and chief knowledge officer for Cybrinth, a new cybersecurity consulting company.
Why are certain areas considered hotspots?
“Places where there’s a significant amount of activity usually have a technically advanced population and a large population of computer users. You also have a poor economy, so you have people with the technical skills to do good work, but they can’t find a job that will provide for them, so they may have to resort to doing things that are against the law,” Kaspersky’s Coursen says.
These hotspots (other than the United States and Japan) also tend to be countries where laws and