Where the malicious hacker community was once dominated by glory-seekers craving the notoriety associated with bringing a big Web site to its knees, the community is quickly evolving into a slick network of organized groups intent on exploiting the Internet’s weaknesses for ongoing financial gain.
“The hacker-cracker community has been criminalized and very much focused on making money — and there is a lot of money to be made in a lot of different ways,” says IDC security analyst Chris Christiansen. Information, he points out, is the new currency because it can be traded throughout the world.
“There are sites where you can buy zero-day exploits for targeted attacks, and there are sites where you can rent botnets. This is a business, in terms of products and services, in terms of support and in terms of how it’s organized.”
Further highlighting the similarities between this modern organized style of online pilfering and legitimate businesses is the degree of interaction between many of the grifting groups, adds Christiansen.
“People work in a loose association of partnerships that, by the way, is surprisingly well-maintained and fairly disciplined. It doesn’t operate in isolation the way many people think,” says the Framingham, Mass.-based industry observer. “They communicate with each other, they feed each other information, they trade information and they pay one another in a variety of forms.”
According to Fiaaz Walji, Canadian country manager for security software vendor Websense Inc., many of these organized units are drawing their computing prowess from young minds looking for quick and handsome paycheques.
“FBI reports (indicate) that organized crime will now go and recruit students,” Walji says. “If you think of economies that are faltering, be it Russia or whatever, when these super-smart guys are approached with an offer for financial gain, it’s hard for them to resist. Organized crime might outsource it to four or five hackers or they bring them into their own organization.”
Where the glory-seeking hacker is typically looking to get noticed through his actions, this modern breed of cybercriminal is instead looking for complete anonymity.
“You don’t want to bring down a target, or (have anyone) know about it,” points out Christiansen. “If you do this really carefully, you would want [victim organizations] to be largely unaffected by the attack. The idea is, if you’re stealing information, wouldn’t it be nice to steal that for months, years, possibly even decades?”
Christiansen adds that part of the attraction for these groups is the ease with which their nefarious goals can be realized. “It’s relatively low-risk and it’s easy.”
It’s low-risk in part because there are so few ways for authorities to combat it. Says Walji: “The Internet is very conducive to their type of crime because there are no borders. Laws are very vague in that if you originate in one country, exploit someone in another country and then sell the data to someone in a third country, what jurisdiction does that fall under?”
Other characteristics of the organized cybercrime community are their willingness to plant inside agents within the walls of target organizations, and a competitive streak that pits hacker versus hacker.
“In some cases, the criminals are actually fixing the security on [hacked] systems to prevent other criminals from penetrating those accounts,” says Christiansen.
One main thrust of Websense’s ThreatSeeker offering, which aims to help customers prevent organized cybercrime attacks, is looking for patterns in the statistics that the product collects.
“We scan about 100 million sites each day and we receive close to 700,000 piece of spam each day,” says Stephan Chenette, senior security researcher at the firm’s security lab in San Diego. Originating IP addresses are examined and a “reputation” for a particular site or e-mail sender is established and utilized.
The best recommendation Christiansen can make to enterprises looking to defend themselves from an organized attack is to think like the criminals. “The first thing to do is to get your group of IT people together and play criminal. You want to do a process of discovery. Look around and see where your databases are, see if they are properly secured and whether inappropriate people have access to it.”
Dan Hubbard, Websense’s vice-president of security research, adds that simply knowing where your sensitive data is, and regulating its movement, can go a long way to keeping it out of the wrong hands. “Is the data sitting on a sales guy’s laptop or the CFO’s desktop? Are people sending it out over their Gmail account, or sharing it with people they shouldn’t?”
Future developments in the organized cybercrime space identified by Hubbard include attacks against Web 2.0-oriented content and those that target not the client or server but network elements in between, a concept he refers to as “man in the middle” attacks.