Cybercriminals are just businessmen at heart
Fortinet cybercrime report says that organizational structures of such illicit businesses are eerily close to legitimate companies
By Antone Gonsalves
December 24, 2012 — CSO — Cybercrime today is a full-fledged business with executives, middle managers and workers who depend on a variety of service providers to keep the illicit operations humming, a new study shows.
Supporting these criminal enterprises that mirror legitimate commercial enterprises is a shadow underground of chat rooms, Web portals and marketplaces for finding and hiring people and buying or leasing malware, exploit code and botnet-building tools, says the 2013 Cybercrime Report from Fortinet.
Also lending a hand are tech consultants and hosting providers willing to turn a blind eye in return for payment.
The upshot of all these resources for building, deploying and running botnets is that "anyone can make a quick buck without having to be technically adept," the report says.
"This has led to an explosion in monthly malware volumes, which are three times greater than four years ago," it said.
The organizational structures of these illicit businesses are eerily close to those of legitimate companies. Executives make decisions, oversee operations and are generally responsible for keeping everything running smoothly.
"Once they get the operation off the ground, they then move to a business development role and hand off the dirty work to the infantry and are not involved with launching attacks," the report says.
The infantry, made up of common workers, is typically supervised by middle managers recruited through old-boy networks or underground forums. The managers often work with recruiters to hire people to infect machines using a variety of methods, such as email links, poisoned PDFs, compromised Web sites and social-networking links.
To find recruits, ads are placed on Internet job boards, hacking message forums and underground IRC chat rooms. There are also invitation-only, help-wanted portals that typically originate from Russia, Fortinet says. These portals provide everything new recruits need, including malware, URLs for support forums, payment rates and instructions for collecting payment after completing a pre-set number of infections.
The botnets run by the criminal groups perform a number of functions. They are used to download malware and to steal credentials and data from bank accounts and social networking sites. Compromised systems can also be used to proxy malicious traffic, house data, encrypt critical data for ransom and generate revenue through click fraud.
A variety of service providers have sprung up to assist these criminal enterprises. Services include high-performance password cracking at $17 per 300 million attempts, a batch that takes about 20 minutes. These services are often used to crack passwords for online accounts.
Research-and-development organizations also exist for creating custom-ordered code, fake antivirus software, ransomware, deployment systems and exploit code. The technology can be bought, leased or rented.
Hosting providers are key to the success of cybercriminals, who need locations to store exploit code, malware and stolen data. Providers that don't care what is stored on their servers are often found in Russia and China.
Because of fierce competition, mergers and acquisitions are occurring among botnet operators, Fortinet said. The most recent example of a merger was between botnets using the Zeus or SpyEye malware.
With millions of dollars in revenue, criminals need a way to launder money. "Money mules" are used to move cash from one country or bank account to another, using anonymous wire transfer services, such as Western Union, Liberty Reserve, Ukash and WebMoney, Fortinet says. Money is usually transferred in small batches to avoid triggering anti-money-laundering checks.
Like all business owners, cyber-criminals need to keep track of key metrics. In the case of criminal enterprises, that includes the number of infected machines, how many accounts have been cracked and how much money has been taken from the accounts.
To track everything from software development to accounts payable, criminals use commercial business process management software, financial systems, databases and Web portals.
To combat the problem, Fortinet recommends countries and law enforcement go much further than simply taking down large botnets, which has been the focus of recent efforts by tech companies working with the courts.
Fortinet hopes the report demonstrates the need for global cooperation on controlling elements central to illicit operations, such as domain registration. "It (the study) illustrates why regional efforts are likely not sufficient to block a global threat," Patrick Bedwell, vice president of products for Fortinet, said in an email.
While taking down botnets isn't a final solution to cybercrime, such operations are certainly a setback for criminals and hurt their bottom line. For example, Microsoft has been particularly active. In September, the company pulled the plug on the Nitol botnet that had been spreading malware since 2008.
In March, Microsoft won court approval for seizing the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years through bank fraud and identity theft. Other botnets crippled or taken down by Microsoft over the last two years include Waledac, Rustock and Kelihos.