Organized CybercrimeOrganized Cybercrime
Simple NomadSimple Nomadnnomad omad mmobile obile rresearch esearch ccentreentre
“With just a few keystrokes, cybercriminals around the worldcan disrupt our economy.” - Ralph Basham, Director of theU.S. Secret Service at RSA 2005.
“With just a few keystrokes, pundits can disrupt our freedoms.”- Daaih Liuh, NMRC, 2005
“With just a few keystrokes, I can turn those pundits off and watch porn instead.” – jrandom, NMRC, 2005
OutlineOutline
• The Players• The Weapons• Precision Tactics• Examples
The PlayersThe Players
The PlayersThe Players
• Former Soviet Military• Russian Mafia• Professional Hackers• Spammers• Traditional Mafia• Basic Cybercrime
Organizations
Former Soviet Military
• Military industrial complex in Soviet Russia was even more corrupt than their USA counterparts
• With the collapse of communism, many upper military personnel in Russia had few skills that paid well– Good at money laundering– Good at moving goods across borders– Connections with international crime
Russian Mafia
Sergei Mikhailov, head of the Moscow-based Solntsevskaya Organization, with 5000+ members worldwide. Starting with extortion, counterfeiting, drug trafficking, and blackmail, his own organization eventually graduated to arms dealing, money laundering, and infiltration of government and legitimate business. Mikhailov’s Solntsevskaya Organization owns banks, casinos, car dealerships, and even an airport. Solntsevskaya is believed to be behind many cyber-related online crime ventures.
Russian Mafia
Dolgopruadnanskaya is the second-largest gang operating out of Russia. They are considered ruthless and also are believed to be behind numerous current cybercrime activities, in addition to numerous other standard criminal ventures. They are believed to be behind a rash of bank robberies conducted over the Internet in 2001 against banks using vulnerable Windows NT web servers.
Russian Mafia
• Cybercrime elements are considered “divisions”– The actual hackers themselves are kept compartmentalized
• Due to protection from a corrupt Russian government, most “big cases” do not net the big players, e.g. Operation Firewall
• There are thousands of organized crime gangs operating out of Russia, although most are not involved in cybercrime.
• When new hacking talent is needed, they will force hackers to work for them (or kill them and/or their families)
Professional Hackers
• Paid per the job, usually flat rates• State-side hackers can earn up to $200K a year• The work is usually writing tools for others to
use, developing/finding new exploits, and coding up malware
• Occasionally they will do a black bag job, but these are rare, unless they are simply looking for “loot” on easy targets
Spammers
• They earn millions per year selling their direct mail services
• They are not picky and do not consider the person doing the selling is committing fraud, including the Russia Mafia
• After years of jumping from ISP to ISP, it is much easier to lease “capacity” from hacker botnets or develop their own
• They are the main employer of professional hackers
Traditional Mafia
• They are currently leaving most of the “work” to others
• Online ventures are sticking close to such things as pr0n, online gambling, etc
• They are taking advantage of technology, using computers heavily, and using reliable encryption
Basic Cybercrime Organizations
• Fluid and change members frequently• Will form and disband on a “per project” basis• Rife with amateurs, take a lot of risk considering
the small payoffs• Although the most troublesome, they are
considered the bottom feeders– Think criminal script kiddies– This is usually who the Feds get, not the big guys
The WeaponsThe Weapons
The WeaponsThe Weapons
• Botnets– Average size is 5000 computers, some have been as large as
500,000 computers– New command and control software allows botnet capacity
leasing of subsections of the botnet
• Phishing– You guys *do* know what phishing is, right?
• Targeted Viruses– Used to create quick one-time-use botnets– Also used when specifically targeting a single site or
organization
• The usual Internet attack tools– Metasploit, etc
Precision TacticsPrecision Tactics
Precision Tactics - HotelPrecision Tactics - Hotel
• Hacking the PC in the hotel room– Can do remote– Will check into the same hotel as target if need be– Will resort to wiretaps, closed circuit video cameras, and other
physical penetration attempts• Known times when the target is out of the room are
especially dangerous– Speakers and trainers are especially vulnerable, since they have
to be in their talks, other do not• Law enforcement regularly bugs hotel rooms at security
conferences– Hotels (especially Vegas, Atlantic City) will comply to avoid LE
looking at their computers• Organized crime outfits *do* attend conferences
Precision Tactics – Office
• Posing as regular office personnel• Planting network-based or hardware-based
sniffing devices• Conventional listening devices (bugs) are not
uncommon
Precision Tactics – Infiltration
• Will pose as script kiddies, and “gain skills” fairly quickly, rising in status in various IRC channels
• Will join and form hacking groups• Will direct attacks for the group to perform, usually
directing blame toward the kiddies rather than themselves
• This is not a new technique – it is in use today by some governments, most notably French Intelligence
ExamplesExamples
Examples – Internet Black Market Pricing Guide
• Exploit code for known flaw - $100-$500 if no exploit code exists– Price drops to $0 after exploit code is “public”
• Exploit code for unknown flaw - $1000-$5000– Buyers include iDefense, Russian Mafia, Chinese and French
governments, etc
• List of 5000 IP addresses of computers infected with spyware/trojan for remote control - $150-$500
• List of 1000 working credit card numbers - $500-$5000– Price has increased since Operation Firewall
• Annual salary of a top-end skilled black hat hacker working for spammers - $100K-$200K
Q & AQ & A
FinFin
Images © 2005 NMRC www.nmrc.org