The following article has been compiled by Bev Robb. Bev owns Teksquisite, a Southern Oregon IT Consulting business that specializes in Internet security technologies and social media. She is currently consulting with Virtual World Computing (VWC) on their flagship product Cocoon, a Firefox plug-in that protects Internet users from viruses, malware and online tracking. She blogs at the Tekblog and the Cocoon blog and currently administers five Facebook fanpages.
She has also been an Experts-Exchange (EE) Dinosaur (since 2000) and was an active participant for many years in the Windows, malware and security areas at their site. She has been mentioned around EE corporate offices as an "Experts-Exchange Staple." She is CompTIA A+ certified and holds a number of Dell, HP and Samsung certifications. With over 17 years of hardware and software experience, she has been known to troubleshoot and repair Cisco routers, commercial printers, network issues and servers, and once crawled around a cow pasture in Vermont looking to resolve a satellite ticket for a remote business.
The Evolution of Cyber Crime
The Second Annual Cost of Cyber Crime Study from the Ponemon Institute noted that cyber attacks have become common occurrences, that they disrupt business operations and incur significant costs (from loss or theft of information), and that the most costly cyber crimes are those caused by web-based attacks.
"The fact that discernible attacks in this year’s study have increased – coupled with the fact that the time to resolve attacks has also increased – suggests the cyber crime landscape continues to evolve in terms of attack severity and frequency. In other words, results of the present study suggest things might be getting worse." –Ponemon Institute
Last week McAfee released the McAfee Threats Report: Second Quarter 2011 with a staggering 12 million unique malware samples for the first half of 2011 – a 22 percent increase over 2010. Android devices were the most attacked mobile operating system (up a whopping 76 percent from the previous quarter) and stealth malware also increased 38 percent from 2010.
Back in the old days, hackers (MIT/Stanford) hacked to flaunt their knowledge (bragging rights), gain recognition and bolster their egos. Hackers of old were also known for liberating information. They were esteemed for having strong programming skills at a time when almost everything was based on the command line. The majority of viruses created were, for the most part, harmless pranks.
Today, hackers do not have to have any programming knowledge because they have a wide variety of automated hacking tools at their fingertips. Automation has simplified their ability to exploit zero-day vulnerabilities in software and websites before anyone has the opportunity to patch the vulnerability. Tools such as script-kiddy-friendly Havij can automate the process of SQL injection and extract sensitive database information within seconds of using it.
Brian Krebs remarked in a blog post in June at KrebsOnSecurity: “The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter.”
Though there is still demand for actual programmers in the underground economy, the requirement is not to hire a hacker to write entire software packages, only to assist in improving the features and stealth of existing malware.
2011 - The Year of the Data Breach
According to F-Secure, RSA was one of the biggest hacks in history. It only took one RSA employee opening a spoofed email and clicking on the XLS attachment, which carried an embedded Flash object (in the spreadsheet), to drop a backdoor (RAT). This infected the workstation, giving the attacker full remote access to the workstation and to the network drives that the employee had rights to. At the time the employee opened the Excel file, the exploit was a zero-day, so they would not have been able to protect their system anyway. [Source]
RSA, Sony, WordPress, HBGary Federal and Epsilon were a few of the more notable data breaches this year. Money is not always the chief motivation behind an attack; data can be just as valuable.
Social Engineering
With the rise of social media (Facebook and Twitter) as a popular attack vector to distribute malicious links, conduct strategically coordinated phishing campaigns, hijack accounts, and even run botnets, social engineering tactics still have the potential to play a strong role in cybercrime by getting the victim to trust the message.
If the message arrives in an email (as in the RSA case) that looks legitimate and comes from a company that is known (though spoofed) and trusted, there will probably be an employee on the receiving end who will download the infected attachment.
The message can come in many forms: an urgent email from the bank, a Facebook distress message from a vacationing friend needing more money, or a fake smartphone app. The end result always involves the exploitation of trust.
What do the malware and security experts have to say?
I asked three experts to answer some questions…
1) Graham Cluley, Senior Technology Consultant at Sophos and well known in the security industry, shares his thoughts on malware, social engineering and the Internet.
Bev: How much do you think the malware scene has changed over the past decade?
Graham: It's steadily grown more commercial. Money is normally the motive. There is still some hobbyist malware being written, but it's a much smaller proportion than it used to be. But it's not *all* about the money - recently we've seen internet attacks which appear to have been about gaining an economic/commercial or even (dare I say it) potentially military advantage over another. Countries have recognized that they can use the internet to do their spying, as it's easy to deny and probably less dangerous than more traditional methods.
Bev: How much of this change do you attribute to "social engineering" tactics?
Graham: Social engineering is a very important element to many attacks. You can have your computer patched all you want, the user can still undo everything if they make a bad decision. It's frustrating to see that people haven't learnt much from old tricks. The offer of a sexy video still catches many people out for instance.
Bev: What do you think is currently the biggest security threat on the Internet?
Graham: The biggest threat on the internet is careless users. It can be end users making bad decisions like clicking on a link which is obviously suspect, or it can be someone in a web team not coding a website securely enough and leaving a vulnerability in place for a data-stealing hacker to waltz past.
2) Maxim Weinstein, President & Executive Director of StopBadware.org on malware.
Bev: What do you think about the changing landscape of malware today?
Maxim: Malware is constantly changing, due both to necessity (keeping ahead of evolving defenses) and technology (malware is very different today than it was pre-Web, for example). For all that, though, two core elements of malware have remained the same. Except for highly targeted attacks, malware spreads opportunistically, typically using whatever forms of data transfer or communication are most popular. And malware consistently depends on abusing the user's trust.
Several years ago, these would have manifested themselves as a worm spreading from friend to friend by email, or a Trojan disguising itself with a Microsoft Word icon. Today, you see malicious links spread from friend to friend via Facebook, or fake antivirus alerts disguised as Microsoft security warnings. The techniques aren't new, just the particular variations.
3) Andre' DiMino, Security Researcher, Forensic Analyst and Co-Founder & ex-Director of The Shadowserver Foundation.
Bev: What is your primary area of concern for cybercrime in 2012?
Andre': I would say that mobile malware will be an area of concern for 2012. As the mobile and desktop platforms continue to converge in functionality and utility, we will certainly see attacks ramp up on the mobile side. Targeted attacks will continue to evolve and cross over to a wider victim area. I would say that even the info-sec community will recognize that APT isn't just a buzzword, the threat is active and genuine, and in place even as we speak.
Closing Thoughts
With more dependency on mobile devices, the cybercrime landscape is sure to introduce intense competition in the development of smartphone MalApps (malware applications). With more people banking, browsing the Internet, gaming and visiting social networking sites via their smartphones, Windows-based systems may see a major downturn in attacks in 2012.
Thanks to Bev for compiling the insightful article with valuable inputs from Graham, Maxim and Andre'. You may contact Bev on Twitter @teksquisite.
- Kakroo



Quite liked!
Bev, I personally quite liked this article.....there will always be a trade-off between security (fraud) and usability for any organization in today's 'connected' world. With the prominence of mobile devices, security would be 'stretched' to the next level.
I agree with Graham's view that the motive has shifted towards monetary benefits, however with the self-proclaimed vigilante groups like Anon & Lulz, I am unsure how this may impact the future....we for sure need clarity of laws & plug loopholes in existing laws. Users will always be careless (we can't change people) however we should proactively increase the user awareness.
Maxim is quite right, social networking is quite a task. There is surely an increased productivity (personal experience) in case such sites are blocked, however blocking these may increase user dissatisfaction levels...
Andre' has quite clearly said the obvious....mobiles stretch the boundaries of a corporate's network & I believe these need to be given adequate importance before deployment & access on corp. infrastructure....
I believe security is always based on risk posed to an asset.....there will always be a fine line to tread about "how much is usable vs. how much is secure"...