Proofpoint Report Exposes Details about Cybercrime Division of Labor and Malware Architecture

Hacker tactics are varied, sophisticated, and built for success. This report should be required reading for everyone in the cybersecurity domain.

One of the more vapid cybersecurity cliché statements goes something like this: “hacking is no longer about alienated teenagers spending countless hours in the basement on their PCs. Rather, it is now the domain of organized crime and nation states.” While this is certainly true, it is also blatantly obvious. It is also nothing more than a meaningless platitude with no details about why this is true, how hackers operate differently than teenagers, or what the implications are.

If you want to understand these issues, I strongly suggest that you read a new threat report, Analysis of a Cybercrime Infrastructure, published this week by Proofpoint. The report follows the tactics and techniques used by a Russian organized crime group as it launched an attack on U.S.- and European-based users with the intention of stealing online banking credentials.

Reader warning: this report is a tad on the geeky side using technical terminology like browser plug-ins, droppers, microshells, and static/dynamic injections. Nevertheless, I suggest that readers move beyond these technical points and plow through the report. Eschewing the technical depth, the report can still provide readers with a conceptual feel for the strategies and tactics used by the bad guys.

With this in mind, here are a few of my biggest takeaways from the report:

  1. It takes a village to commit a cybercrime. Like the team of crooks recruited to rob a casino in the movie Ocean’s Eleven, organized crime is all about specialization and division of labor. Everyone knows this, but few people can talk about the actual details of who does what. This report does a great job of exploring these kinds of nuances in the cybercrime market. For example, the Russian hacking group at the center of this report purchased lists of administrator passwords from others in order to compromise sites using the WordPress open source content management system. While this group used its own homegrown Traffic Distribution Service (TDS) to direct victims to exploit servers, the report mentions that other cybercriminals provide SaaS offerings for TDS. Finally, the highlighted Russian hacking group didn’t stop at stealing banking credentials; it also leveraged its network of compromised PCs to develop a cybercrime proxy service that it then leases to other hackers. So hackers are making money coming and going.
  2. Hackers look for the path of least resistance. In order to attain a high rate of success, cybercriminals determine which of several exploits to use based upon a profile of a victim’s PC. In other words, my PC may be compromised through a Java exploit while the person sitting next to me may get pwned using an IE vulnerability. The bad guys aren’t wasting time with one-off attacks, but rather are sizing up each victim, finding their weaknesses, and then storming through one of several open doors.
  3. Attacks are designed to stay one step ahead of the law. It’s common wisdom that hackers test their malware against all the popular AV software to avoid detection. In this case, the Russian hackers went beyond checking the detection rates of the malicious payload by making sure to steer clear of IP addresses and URLs that might pop up on reputation lists. The bad guys also instrumented their code with “lookout” capabilities: when any AV software starts to detect their exploit, the tool notifies the group immediately. So each time Kaspersky, McAfee, Sophos, Symantec, and Trend Micro catch up, the bad guys figure out a way to disappear again.
  4. Ease of use is part of the process. Yes, hackers are highly skilled but they don’t have to be technical savants who can whistle into pay phones at 2600 hertz. The report displays a multitude of administrator screens that would make sense to any reasonably competent system administrator. In some cases, hacking groups also use ease-of-use administration/operations as a way to differentiate their services from the competition. This also helps cybercrime groups delegate tasks to junior administrators and thus free up talented hackers for more high-value projects.

To mix metaphors, the Proofpoint report takes the reader “behind the curtain” to understand “how the sausage is made.” Given this, it is a worthwhile – and frightening – read for all cybersecurity participants. On a final note, the Proofpoint report provides a detailed case study of what we white hats are up against. We need to get our act together and prepare our defenses for Russian professional organized crime syndicates like the one described in this report. Alas, too many organizations still treat the cybersecurity battle as if they were still facing alienated teenagers in basements.
