Cyber criminals abandon 'dogs' for new, sophisticated attack methods
As defenses improve, shift is toward more professional tactics
- By William Jackson
- Jan 20, 2011
On the surface, it appears that progress is being made in the struggle for cybersecurity. Several large spammers have been shut down, the number of vulnerabilities reported to the National Vulnerability Database
was down in 2010, and an international investigation broke up an online criminal ring that had stolen millions of dollars.
“It was a watershed year,” said Cisco research fellow Patrick Peterson. “The tide began to turn in 2010.”
Seeds of international cooperation planted as long ago as 2005 are beginning to bear fruit, as are efforts to improve the quality of commercial software development.
But several assessments of the IT security landscape show that criminals are adapting by becoming more professional and more selective.
Why cybersecurity experts can never rest
Old fashioned-tactics can still beat the botnets (sometimes)
“Our risk profile by and large has not changed significantly,” Peterson said. “Criminals are out to make money and they will always exploit new opportunities. This is going to be a never-ending track.”
Cisco System’s annual security report for 2010 tracked some of the changing trends in criminal activity. Social networking scams, which only a year ago appeared to be up-and-coming moneymakers, have been relegated to “dog” status, along with such outmoded tricks as distributed denial-of-service attacks and mass phishing attacks.
The “rising stars” include Web exploits, money laundering through online money transfers and data-stealing Trojans.
The trend toward more professional and selective criminals was reflected in a “deep dive” done by Symantec on malicious Web sites and attack kits in a recent white paper.
“Symantec has detected a significant growth in the development, sale and use of increasingly sophisticated attack kits in the threat landscape in the past few years,” the report says. “Attack kits play a significant role in the continuing evolution of cybercrime into a self-sustaining, profitable and increasingly organized economic model worth millions of dollars.”
Not only are the attacks more sophisticated, but the kits are becoming more user-friendly, said Mark Fossi, the paper’s executive editor. Rudimentary attack kits date back to 1992 and featured DOS command lines. “Now you’re seeing very flashy interfaces, very simplified. They are relatively easy to use,” lowering the bar for entry and providing an almost immediate return on investment.
Notable successes by law enforcement in the past year include the shutdown of SpamIt.com in Russia, which was believed to be responsible for 20 percent of the world’s spam, mostly for low-priced drugs. The alleged operator, Igor Gusev, remains at large.
The shutdown of control servers for the Pushdo or Cutwail botnet effectively shut down a network believed responsible for another 10 percent of the world’s spam, Cisco reported, and disabling the Waledac botnet eliminated another major spammer.
“When it comes to the high-volume spammers, we’ve turned the corner,” Peterson said. “But we would not say we’ve solved the spam problem.”
The ability of spammers to push large volumes of spam virtually risk-free is being squeezed, but their response has been to become more targeted, sending out fewer messages in the hope of attracting less attention but getting a better response.
These attacks are being facilitated by the professional attack kits that use tried-and-true tools for delivering malicious code. A typical attack would use two kits. An exploit kit exploits a vulnerability to compromise a system, and a malware kit delivers the malicious content. The asking price for an effective piece of malware such as the Zeus Trojan, which usually is intended to steal financial data, can be thousands of dollars.
“I don’t know if that’s what they are actually selling for, but it’s an indication of their perceived value,” said Fossi.
It is not just the quality of the malware being offered in attack kits that makes them successful. As they become increasingly commoditized, packaging and presentation become more important. Customer support is the new differentiator, Fossi said.
“We see kits come and go; the ones that stick around are the more polished ones,” he said.
The quality of service being offered varies quite a bit, and in the criminal world as well as the legitimate, the best advice is “buyer beware.”
“We have seen that the underground economy is to an extent self-policing,” Fossi said. “Rippers” and fraudsters are publicly identified and shunned.
Like legendary bank robber Willy Sutton, online criminals are going where the money is.
“It’s an evolution,” Fossi said. “The crime always follows the money. It’s different now than it was before. That is the reality we are in. These guys aren’t going away.”
Success in fighting them does not mean they will disappear, Peterson said.
“It’s quite remarkable what a determined adversary who can make a lot of money is capable of doing,” he said. “One of the signs of success is that you make them change their business model.”