Criminal organizations are using sophisticated online marketplaces to distribute the work of theft to those who have the skills, according to Symantec’s latest Internet Security Threat Report, covering 2008.
Once key information, such as a social security number, credit card number or bank account has been stolen, a criminal can sell the data in the underground economy, which the report describes as “various forums, such as websites and Internet Relay Chat (IRC) channels, which allow criminals to buy, sell, and trade illicit goods and services.”
“Our team built the first system to mine data from the underground economy,” Zulfikar Ramzan, technical director at Symantec, told InternetNews.com. “Underground servers are essentially IRC chat rooms for illegal transactions but, ironically, anyone can log on.”
The Web 2.0 underground allows criminals to specialize, Ramzan said. “Individuals can go in with one skill set and rely on others to provide the rest of the skills to complete the cyber crime.”
“Say I’m really good at setting up a Web site to get credit card or bank information, but I don’t know how to cash that out,” he said. “Others may specialize in cashing out. They know how to make transactions that will be approved. Many banks now have very good fraud detection.”
Where the money is
All those efforts are concentrated on lifting large amounts of cash. The report found that an astonishing 76 percent of all phishing exploits targeted financial brands. That’s because thieves want credit card numbers and billing credentials, and spoofing financial sector brands allows them to ask for sensitive data.
Ramzan said that phishers may see an industry weakness they can exploit. “During the past year, the financial firms dominated the news. This created a sense of mayhem and confusion for customers. There was a perfect opportunity to trip up a victim with cleverly timed misinformation. If a customer reads in the news that their bank is involved in a merger and then gets an e-mail asking for information, they’re more likely to be fooled.”
Not surprisingly, there are consequences, Symantec said. The report found that the financial industry was responsible for 29 percent of all identities exposed in 2008, a sharp increase from 2007, when it was at fault for only 10 percent.
The report even lists the prices of items for sale in the underground market. However, actual prices vary widely depending on several circumstances including, ironically, the level of trust between criminals.
Other factors affecting price may include the volume of the item traded (discounts for bulk deals) and the financial institution’s security.
“Some banks are easier to cash out than others,” Ramzan said.
Credit card information accounted for 32 percent of products by volume of sales, followed by bank account credentials, accounting for 19 percent.
Combined, they represented just over half the market (51 percent).
Credit cards could sell for between six cents and thirty dollars each and bank account credentials could sell for between $10 and $1,000.
Ramzan added that some transactions in the marketplace are barter transactions, and that those are difficult to track. “Prices are easy to mine,” he said, “but when criminals talk terms, it’s difficult to find out what kind of deal was negotiated.”
The tool makers
Threats are increasing. Symantec reported that it detected 1,656,227 malicious code threats in 2008, equal to 60 percent of all threats detected since the report began in 2002. Ramzan said that the numbers in 2008 are not strictly comparable to those from 2002 because criminals now have tools to automate the modification of malicious code. “They can create a hundred variants automatically,” he said. “They’re part of the same family, but they’re not one instance and not one hundred.”
The report attributed the increase in part to a better-functioning underground market, with vendors competing to provide such products as customized malicious code and phishing kits.
Although some criminals work alone or in small groups, the report identified one large cyber crime organization: the Russian Business Network (RBN), which Ramzan said started out as hosts for online criminals.
“Traditionally, their business was renting out hosting space for people carrying out cyber crime operations,” he said. “They were the landlord to the underworld. Recently, we suspect that they have crossed the line and begun participating by building attack tool kits and selling them and even by carrying out criminal operations.”
“They’ve done a bit of everything,” Ramzan added.
Another such group, Ramzan said, is the Rock Phish group, which is responsible for a significant share of all phishing attacks.
The enterprise threat
While individual users have cause to fear that their credit card or bank account is at risk because that information is so popular in the criminal underground, enterprise users should fear items that appear in the marketplace only occasionally, Ramzan said. “We occasionally see one-offs that don’t make it to the report.”
In its 2007 mid-year report (available here in PDF format), for example, the company conducted a study that concluded that “between January 1 and June 30, 2007, four percent of malicious activity detected by Symantec originated from the IP address space of Fortune 100 companies.”
Symantec has not since repeated the study, although Ramzan said the evidence indicates that criminals occasionally rent time on a stolen machine that others can use to launch attacks.
Despite such findings, he said he worries that security awareness is actually decreasing — because criminals are better at hiding what they do.
“The profit-driven attacker wants to get onto your system without being noticed and stay for the longest time,” he said. “Attacks are more silent, so awareness has gone down. People’s level of awareness must be increased.”