How cybercrime works and what to do about it
By Chester Wisniewski, Senior Security Advisor at SophosLabs
It’s important to understand the motivation behind the onslaught of malicious code bombarding our firewalls, users and servers. At SophosLabs we see more than 200,000 malicious files every single day. These files aren’t created by governments and spies to spark the next cyber war. Today’s cybercriminals are driven by one thing—money. Working together as a community to gain a better understanding of cybercrime gives us the ammunition we need to build more effective defenses, and to exploit weaknesses in criminal networks.
How cybercrime works
The point of nearly all malware is to make money. Cybercriminals have many methods to monetize their activity. Fortunately, the criminals must take many steps for the entire process to work. Every step along the way is another opportunity for us to break the chain needed for their efforts to be profitable.
The first step for cybercriminals is to find victims. Here are the six primary ways cybercriminals ensnare unwitting victims in their nets and compromise their computers for criminal purposes.
- Spam: The monetization of malware started primarily with email spam. Peddling pills, fake watches and Russian brides is still a profitable practice for many criminals. Although spam volumes have begun to drop, spammers send billions of messages every day hoping that just a small percentage will make it past spam filters and convince a few folks with their guard down to make a purchase. While malware is still sent attached to some messages, it has largely moved to the web.
- Phishing: Attackers use email for more than just spam promoting products and services. Email is the preferred method to deliver phishing attacks. These can vary from emails pretending to be from your bank or email service providers in order to steal your account details, to targeted attacks attempting to gain access to your company’s internal services.
- Social media: Many spammers have migrated from email spam to social media spam. Users are more likely to click links in commercially motivated spam if it appears to come from a friend or colleague on services like Facebook and Twitter. Breaking news and popular features on these networks can lead curious victims to click on unsafe links.
- Blackhat SEO: Scammers continue their cat and mouse game with Google and Bing to manipulate search engine results, which we call Blackhat SEO or SEO poisoning. This leads to “poisoned” search results about many popular topics, including front page results leading to exploits, malware and phishing sites. For more information on SEO poisoning, read our technical paper from SophosLabs.
- Drive-by downloads: The largest number of victims is delivered into the hands of these thieves simply by visiting websites containing exploits known as drive-by downloads. SophosLabs sees 30,000 new URLs every day that expose innocent surfers to a variety of code attempting to exploit vulnerabilities in their operating systems, browsers, plugins and applications.
- Malware: Worms, viruses and other malware files still serve their masters well. While they are less common today than they were 10 years ago, opportunistic crooks still exploit malware to infect exposed systems and recruit people’s computing devices for their own purposes.
Money behind the malware
After a criminal hooks a victim or takes over a victim’s computer, there are many ways to make money. Here are eight schemes that cybercriminals use to make money off their victims.
The most basic way to make money from any sort of malware, spam or website compromise is to sell a product. Criminals simply set up a store and use infected websites and spam to deliver promotions and advertisements to drive traffic to a virtual storefront. Many of these operations are not just false-front businesses. They ship sham products pretending to be Viagra, Rolex watches, Gucci handbags and various pirated software packages.
Stealing login details
The purpose of phishing spam messages is to convince you they come from someone you know or trust. Criminals use social engineering techniques borrowed from real brands to collect usernames and passwords associated with high-value websites like PayPal, banks, Facebook, Twitter, Yahoo and web-based email services.
It’s easy for criminals to imitate these companies as everything online is digital. They simply steal real communications from the victim companies and redirect the links to bogus webpages. As a percentage, phishing emails are an increasing threat taking advantage of a user’s lack of awareness of hacking attacks and data breaches.
After compromising a user’s computer the criminals can download malware that manipulates Internet traffic. They divert the victim’s clicks to advertisements located on the criminals’ webpages. The criminals make money from ad networks by generating traffic to their customers’ ads.
Fake security software
Often referred to as fake antivirus, these programs are designed to behave in the exact opposite way of traditional malware: noisy, annoying and flashy. Fake antivirus works by convincing the user they are at risk of infection after visiting a compromised webpage that secretly installs the fake antivirus on their computer.
The criminals typically charge around US$100 for the fake antivirus software to “clean up” the infected computer. But the fake antivirus doesn’t clean up threats—it is a threat. And the criminals can make even more money off the victim by offering extended support and multi-year offers. Fake security suites target Windows, Mac and even Android users.
Cybercriminals can use ransomware to encrypt your documents, boot sector or other important component of your PC and hold it hostage until you pay a ransom. The ransomware often uses modern cryptographic algorithms, and only the criminals possess the keys to unlock your files. If you want your stuff back, you have to pay up.
Traditionally ransomware was almost exclusively Russian, but recently we’ve seen these gangs targeting North America, Europe and Australia. A new variation plaguing Internet users in 2012 is a fake law enforcement warning suggesting your federal police authority has detected child pornography on your computer. The warning tells the victim their computer has been locked and they must pay a $100 fine to unlock it.
Social media spam
Delivering email messages to our inbox is harder than ever. Spam filters block more than 99% of it before it can see the light of day. And users can spot the fake names on spam that gets through. Social media sites like Facebook and Twitter have been an attractive place for spammers to move.
The criminals can purchase access to stolen user credentials or convince users to spread fraud for them. They benefit from your social capital—the more friends and followers you have, the more people can be spammed by the criminal using your account. Users are far more likely to click a message about winning a free iPad or losing 30 pounds on a miracle weight-loss plan if it comes from someone they know and trust.
A highly specialized industry has popped up around capturing authentication information to access online financial institutions. While it started as simple key-logging software designed to capture your username and password, it has led to an advanced game of cat and mouse between criminals and banks.
Modern banking Trojans are available for devices running BlackBerry, Windows, Android and more. These Trojans can capture SMS messages and record videos of your screen while you log in, uploading YouTube-like videos for the criminals to see. One gang busted by the FBI in 2010 attempted to steal nearly $220 million from victims.
Premium-rate SMS fraud
Rather than ask you for your credit card or attempt to withdraw money directly from your bank account, many social media spammers and mobile phone malware authors use SMS services. When you answer a survey on Facebook asking for your mobile phone number to notify you if you are a contest winner, fraudsters are signing you up for a premium-rate SMS service. Pirated apps for your Android may come with a little something extra, a program that will start sending SMS messages to premium rate numbers at your expense.
The cybercriminal network
With so many steps to take for criminal money-making schemes to work, the perpetrators need to specialize in their jobs. The criminals need to have skill, expertise and knowledge to continually evade our defenses and avoid apprehension by law enforcement. In this section, we explain the various roles cybercriminals fill to create a successful crime network.
Exploit writers are hackers who specialize in discovering vulnerabilities in software and creating exploit packs—a collection of vulnerabilities packaged together. The exploit writers then sell the exploit pack to less technical criminals, who use it on websites and in email attachments to embed malware on unpatched computers.
The quality of language used in many spam emails, lures and social engineering attacks has improved dramatically in recent years. It seems that the gangs behind these attacks are investing in professional translation services to improve the number of victims they can trick into falling for their scams.
The job of a bot herder is to infect all of the zombie computers that are used for creating a botnet, which the criminals use for spamming, DDoS attacks, proxying and other cloud computing needs of the criminal underground. Bot herders segregate and sell or lease computers based on geography and type of bot needed by the purchaser.
Money mules and mule managers
Financial criminals need people on the street to walk into banks and transfer funds or deposit checks. Mule managers specialize in recruiting people who are down on their luck, or willing to look the other way when asked to help commit financial fraud. Many mules are tricked into helping by work-at-home scams and other guises intended to fool them into assisting.
Partnyo’rka loosely translates to “partner network” in English. Partnyo’rkas are affiliate marketing schemes set up to encourage low-level criminals to spread the word about Canadian pharmacy offers, fake luxury goods and other spammed out goods or services. The Partnyo’rka operators pay commissions to their minions for each sale. Partnyo’rka owners promote their schemes with spam in emails, forums, chats, blog comments and social media, as well as website poisoning and Blackhat SEO.
While there isn’t anything technically criminal about writing software, there is a group of people who only write tools to aid in spreading spam and malware. For anywhere from $20 to many thousands of dollars cybercriminals can purchase exploits, toolkits, CAPTCHA solvers and a host of other tools designed to spam every online service you can imagine.
As CEO of Microsoft Steve Ballmer once said, “developers, developers, developers” are at the heart of what makes the whole cybercrime operation go. It would appear that most malware developers don’t distribute their wares directly, but sell their services to the operators of organized cybercrime operations.
How we can win
As long there is money to be made criminals will continue to take advantage of opportunities to pick our pockets. While the battle with cybercriminals can seem daunting, it’s a fight we can win. Although our adversaries have plenty of incentive to infect users, their schemes require a series of steps to be successful. We only need to break one link in their chain to stop them dead in their tracks. Simply deploying patches more quickly, eliminating unnecessary applications, and running as a non-privileged user will thwart more than 90% of these attacks.
Many attacks succeed when users let their guard down. Increasing employee awareness of the threat and providing examples can help keep your users from opening malicious attachments or clicking on links out of curiosity. Users need to understand that, while security tools enhance the security of the network, the user is the most important defense for protecting sensitive company information.
We must recognize our weak points and work together as a community to share the knowledge we need to defend ourselves. Reducing the threat surface by having fewer apps, educating your users, and restricting administrative rights can make the job so difficult for the scammers that they will look elsewhere for their victims.