Navigating the New Cybercrime Threatscape, Part 2
The motivation for purveyors of malware used to be mostly about spite and the possibility of recognition. Now, it's about money. Botnets, zombie computers, phishing scams, spam, ID theft and corporate network intrusion all come together to form an often lucrative business model for criminally minded hackers.
09/16/09 4:00 AM PT
Part 1 of this series discusses the history of cybercrime.
The current threatscape, as with any landscape, can be viewed as endless vistas of changing complexities and unfathomable permutations of technologies, network topologies, risk scenarios and user requirements. It's the white noise of this dizzying array of technologies -- built upon an operating system monoculture -- which creates a healthy breeding ground for cybercrime.
Essentially, cybercriminals are the ones who define the threatscape and can be thought of as having the ultimate, but illegal, business plan. Currently there are several negative elements that make up today's threatscape and this article focuses on a few key pieces: malware, botnets, phishing and data breaches.
One main component of today's threatscape puzzle is malware. The term "malware" is short for "malicious software," and the last few years have seen a shift in the malware dynamic. The shift is a result of the change in malware authors' motivation. While in the past malware authors have been driven by things like spite and the possibility of fame, in today's climate their motivation is almost always financial.
Today, one of the most popular types of malware is a botnet. A botnet is a network of infected computers (also known as "drones" or "zombies") under the management of a central controller or bot herder through the use of command and control servers.
The goal of a botnet is to use the infected computers for criminal activities such as generating spam or attacking a specific target (company, country, network, etc.). Regardless of the crime committed with the botnet, it can be used by the owner(s) for political purposes, to generate revenue or simply wreak mayhem.
The most noticeable effect of a botnet may be a decrease in computer performance -- although today's malware authors are careful to limit the impact on a host system so that their software can stay "under the radar" and not tip off the user that there may be unwanted software residing in the system. A botnet may be sending thousands of spam emails from an infected computer, and it is difficult for the user to know that volumes of spam email are being sent from their computer. An infected computer can also be used to attack other computers.
For both individual users and companies, there are far more serious risks from botnets than just the potential reduction in computer performance and available network bandwidth. Data that is accessible by an infected computer has the potential to be stolen. If there's bank account information, personal information such as medical history, Social Security numbers, etc., this information can be sent to a third party without the user's knowledge. This type of attack is often used for identity theft, but in a company, the information that can be stolen may pertain to customer lists, confidential employee records or other proprietary information. In a corporate network, a single botnet-infected computer can provide the means to gain control of the entire network.
Many consider botnets the most dangerous species of network-based attack today. This is due to the fact that they involve the use of very large, coordinated groups of hosts for both brute-force and more subtle types of attacks. According to Randy Vaughn, professor at Baylor University, there are as few as six or seven major bot gangs and as few as 1,000 criminals controlling all infected computers. To put this into perspective, let's look at two recent examples: The Nuwar or Storm Worm, which created a botnet that consisted of over 2 million infected bots, and the well known Conficker Worm, which created a botnet estimated to range from 5 million infected PCs to more than 10 million.
While bots are malware that cause the infected system to be part of a botnet, not all malware is designed to turn an infected host into a bot or zombie. Other types of malware include keyloggers, trojans, spyware and adware -- to name but a few.
Another element of the threatscape is phishing. Phishing is a direct marketing scam targeting a recipient's bank account information or other private data, such as account credentials and Social Security numbers, by appearing as a trusted source to the victim. While phishing isn't a new attack vector, according to Gartner, more than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008 -- a 39.8 percent increase over the number of victims a year earlier.
Phishing is just one form of cybercrime made unique in that its vehicle -- spam -- was originally used successfully for business to consumer sales before it was outlawed. It may come as a surprise to some people that cybercrime syndicates are, in many ways, very similar to startup businesses.
The Error Chain
The fourth prominent problem adding to today's threatscape is the breach of data. While most know what a data breach is, many don't realize how frequently they occur. Data breaches can range from the loss of a USB memory device to subverting a large organization's network security and stealing customer information.
Let us take some time to dissect a data breach that occurred in 2008 which involved the exposure/release of 4.2 million records. In the aviation world, when there is an accident it is referred to as a "chain of events" or the "error chain." These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents such as data leakage. Take the case of the Maine-based Hannaford Bros. grocery stores. Let's look at this chain of events. First, the supermarket chain reported to Massachusetts regulators that the scope of the malware infection appeared to be larger than anything that is remotely possible. It was Hannaford's belief that a "trusted" source had physical access to the servers. A source with administrative remote or physical access to one or more servers installed malware onto those servers. The installed malware intercepted customer card data and transmitted that data outside of the network to remote servers.
These are just a few points, but if you add them up, you will see the chain of events that added up to a data breach that revealed up to 4.2 million customer records. Keep in mind that at the time of the breach, Hannaford Brothers was PCI compliant. This reinforces the fact that companies must stay vigilant and look for anomalous behavior as well as correlate disparate pieces of information to draw larger pictures and determine the probability of attacks from various vectors.
According to the Identity Theft Resource Center the number of records involved in data breaches are either under-reported or, in some cases, not reported at all. The top three ways that data breaches occur are weak passwords, unprotected transmission and under-protected internal networks.
As financial gains continue to drive cybercriminals to create even more effective business models, this will, in turn, create a faster-evolving threatscape made up of intertwined cyber gangs that work in a "pay per install" type of environment.
Jeff Debrosse is the North American research director at ESET