Cyberattacks for sale

Fraudsters are buying and selling online attacks to access financial information in a growing black market

anti-fraud command center 370 (photo credit: Courtesy)
You switch on your computer, as normal, but instead of the familiar welcome screen, desktop icons, file folders and web browser, a warning flashes before your eyes. It is from the National Fraud Intelligence Bureau, which says it has discovered child pornography, zoophilia and other illegal materials on your hard drive, and has locked you out of your computer until you pay a fine through the provided link. Unsure why this horrible mistake has occurred, you panic. You don’t know what to do. Your computer has essential files you need for work, not to mention your music, your photos, your memories. So you pay the “fine” and the screen goes away.
You have been hacked. But by whom? The world of online fraudsters has grown at alarming rates, according to RSA, an online security company whose Anti-Fraud Command Center is based in Herzliya Pituah. While cyber warfare attacks like Stuxnet and Flame (which targeted Iran’s nuclear program) fill the headlines, a digital criminal underground remains largely hidden. Not only are there more “bad guys” out there trying to defraud you, steal your financial information, or get into your financial institution, but they are doing so with new levels of sophistication. A digital black marketplace in which hackers buy and sell different kinds of malware designed to infect computers, spy on their users and, ultimately, access their cash involves huge sums of money each year.
“In regular markets, you have vendors yelling ‘Watermelons! Watermelons!’ Here they are selling scripts,” says Idan Aharoni, RSA’s head of cyber intelligence.
Creating a sophisticated cyberattack is no easy task; a phishing scheme could involve, for example, writing the malware program, creating an official-looking email, obtaining huge numbers of addresses to spam, building a hidden server and crafting a strategy on what to do with the stolen data. Like in the real economy, online fraudsters have begun to specialize, each learning, crafting and selling their particular wares in the underground online marketplace.
But how much impact does this have on real people, on real businesses or the real economy? “Right now there simply are no reliable figures about the true impact of cybercrime out there; they are all guesstimates at best,” says John Lyons, chief executive of the International Cyber Security Protection Alliance. “What we do know is that cybercrime is getting more industrialized, more professional, and that it’s growing.”
To paraphrase Stalin, when one person is hacked it is a tragedy, when a million are, it’s a statistic.
Interpol estimates that in 2007 and 2008 the cost of cybercrime worldwide was about $8 billion, while corporate cyber espionage stole up to $1 trillion worth of intellectual property. The 2012 edition of the Norton Cybercrime Report calculated the direct costs of global consumer cybercrime at $110b. The indirect costs they calculated for the previous year (including lost time and effort) added up to $274 billion.
Neil Robinson, a research leader at RAND Europe, notes that the disparity in estimates comes from the fact that there is little agreement on how to define and measure what constitutes cybercrime. Financial institutions prefer to mask losses, while companies selling security have an incentive to inflate figures, to highlight both the magnitude of the danger and the effectiveness of their services. A flat-screen television hanging in the entrance to RSA’s Herzliya Pituah office displays a fast-rising clock of losses prevented since January 2012, which in late January this year had reached $3.37b.
RSA’S OFFICE building feels like a futuristic luxury prison. Automated glass gates block access to the spare, button-free elevators, which are pre-programmed to reach certain floors using security keys and a number pad outside their doors. Even the coffee machine is hi-tech, automatically grinding and delivering espresso to waiting employees at the push of a button.
“Ever since ‘the breach’ we’ve hardened the infrastructure,” says Daniel Cohen, the head of Business Development and Knowledge Delivery for RSA’s managed threat services group. In 2011, a sophisticated phishing attack using a ‘Poison Ivy Trojan’ bug hit the company, making off with sensitive passwords and information.
“It’s not a good thing when a security company gets breached,” he remarks.
The facility houses RSA’s Anti-Fraud Command Center, which processes and takes down phishing attacks 24/7 for some of the world’s biggest banks, financial institutions and corporations. The division features original Israeli technology, pioneered by a company called Cyota, of which new MK and head of Bayit Yehudi Naftali Bennett was founder and chief executive, and which RSA acquired before it was snapped up by Fortune 500 giant EMC.
Cyota found a way of automating its security services for anti-fraud, anti-phishing, anti-Trojan and other types of inter-connected tools, says Orna Berry, corporate vice president and general manager for the Israel Center of Excellence, which oversees RSA here.
“Israel is the base for this type of technology, and the services that automate them,” she says. Companies can take advantage of the security without having to install, manage and update software on their own systems, making it much easier for them, and much cheaper for RSA. “From Cyota, the automated concept has been scaled up 20-fold in terms of sales, but only 4-fold in terms of people.”
Down the hall from the anti-phishing war room, a devoted group of digital do-gooders descend into the depths of the fraudster underworld, monitoring the marketplace of hawking hackers.
“Zeus,” malware that can record your computer’s every move down to your mouse clicks and keyboard strokes, commanded $3,000 in 2007. Today, it is so readily available that the going rate has plummeted to $15. For $700, a hacker can buy access to a network of already-infected computers. Financial spies easily trade data storage space, virtual networks to execute their attacks, installation programs to run their malicious software and control infected machines, and for an extra $100, workarounds for Google’s “ultra-secure” Chrome browser.
“That’s how easy it is to become a Trojan operator,” says Cohen.
The fraudsters have their own code of honor to help them stay clear of law-enforcement agents, creating special invitation-only forums where they can buy and sell lists of stolen credit card numbers, which include precise details about their owners to help hackers mask suspicious online purchases.
IF THE existence of secret criminal backrooms off in the computing cloud weren’t unsettling enough, a new trend is letting fraudsters penetrate people’s wallets right through their pockets.
Since the introduction of the iPhone in 2007, smartphones (cellular phones utilizing mobile operating systems) have exploded (717 million smartphones shipped last year alone), creating a huge market opportunity for mobile malware. Not only do people access e-mail and the Web from their phones, they download billions of applications, or “apps,” from online stores, including banking and other financial software. Android-based phones represent about 70% of the smartphone market, and last year alone they uncovered 25,000 samples of malware.
Of those, about half are “premium service abusers,” which make quick phone calls or send text messages to premium pay services that extract cash right through phone bills. About a fifth of the malicious software installs advertising on the phone, while another fifth steals data. The remainder download additional software, give hackers access to control the device remotely and spy on the users.
To keep criminals out of their data, RSA recommends using two-step authentication processes for accessing e-mail and other accounts. Google, for example, will send you a text message with a code each time you try to log in, meaning anyone without access to your phone can’t access your e-mail. But more than individuals, it is businesses that must worry about safeguarding the financial information they collect from customers.
Though phishing and Trojan attackers don’t typically target “mom and pop” shops specifically (one might say they have bigger “phish” to fry), they would not reject any that got caught in their nets.
“Get protection on day zero,” RSA’s Aharoni urges. “The day you have information that someone would find interesting is the day you need protection.”
It is preferable, he says, to get an RSA notification that there are hackers at your gates than to discover they’ve already made off with the goods before disappearing into the binary matrix.