The Cybercrime Business—Cybercrime Entrepreneurs
By Ali Dehghantanha, Ph.D., CISM, CISSP, GCFA, GREM, GXPN
The Nexus | 10 April 2017
It is not a new story, but data breaches continue to increase despite all of the investments in cyber security. The following are just a few of the significant data breaches over the past decade:
- In 2009, the biggest credit card scam in history resulted in the compromise of 130 million credit card account details.[1]
- The now-famous Sony PlayStation Network (PSN) compromise resulted in the exfiltration of data from 77 million customer accounts.[2]
- The second decade of the 21st century started with news of an attack against Dropbox that led to the compromise of 68.7 million user accounts.[3]
- The hacking of Steam resulted in the leakage of 35 million customer account details.[4]
- The situation worsened in 2011 when data from 117 million LinkedIn user accounts were stolen[5] and hackers stole 65 million user passwords from Tumblr.[6]
- In 2012, 38 million Adobe user accounts[7] and 50 million Evernote users’ credentials[8] were stolen.
While everyone was thinking that it could not get worse, the breaches continued:
- In 2013, data from 500 million Yahoo users were leaked in one of the biggest data breaches in history.[9]
- In 2014, the eBay[10] and JP Morgan Chase[11] attacks affected more than 200 million users.
There were no shortages of cyberattacks in 2015 and 2016 either, including:
- The Ashley Madison attack, in which 37 million user records were stolen[12]
- The Mossack Fonseca attack, which resulted in the compromise of 11.5 million users’ private data,[13] and the theft of the credentials of 43 million Weebly users[14]
This list leaves no doubt as to why cybercrime is now at the top of the list of concerns for security strategists.[15]
What is really going wrong? Why, in spite of all efforts and investments in cyber security, is the number of successful attacks steadily increasing, to the point that hack warnings now prompt cyber security fatigue among users?[16] The days of people hacking for fun or fame are long gone. Current cybercriminals are not 16-year-olds who hack out of curiosity. Rather, they are cybercrime entrepreneurs who run multimillion US dollar businesses and recruit the most talented people on the planet. Cybercrime is, unfortunately, becoming a huge business, and advanced criminal groups operate in a manner very similar to for-profit enterprises.
The Cybercrime Business
The first question anyone asks before establishing a business is how much existing business owners are making. In the first quarter of 2015, a single and not very sophisticated malware campaign that affected 10 million Android devices made more than US $1 million for its developers.[17] In July 2016, a ransomware (malware that encrypts a victim’s data and demands a ransom to decrypt it) called Cerber generated US $195,000 in revenue for its affiliates, with forecasted annual revenue of US $946,000. Even if only 40 percent of this revenue went back to the Cerber developer(s), it equates to a staggering monthly income (for a single ransomware family) of US $78,000,[18] almost equal to the average annual salary of a cyber security architect in the United Kingdom.[19] Another, more advanced ransomware called CryptoLocker made US $27 million for its affiliates during 2015.[20]
Attacks in which attackers selectively target specific victims can lead to even higher gains. The Carbanak Advanced Persistent Threat (APT) group, which targets only financial organizations, caused between US $2.5 million and US $10 million in losses for each of its targets in 2015, with a total financial gain of US $1 billion,[21] almost 10 times more than the UK £100 million budget allocated under the UK National Cyber Security program for 2011 to 2016.[22] As only one-third of all cyberincidents are usually reported,[23] it is reasonable to believe that cybercriminals make a lot more than the reported figures with a relatively simple business model.
Almost all cyberattacks originate from a network of compromised machines (a botnet) that delivers malicious code and receives exfiltrated data. Such infrastructure is usually provided by botmasters for a fixed rental fee. The core of the cybercrime business is the vulnerability researchers and exploit developers who find weaknesses in existing platforms or software, write code to exploit those weaknesses, and develop malicious apps. These masterminds rarely involve themselves directly in any criminal activity; instead, they allow affiliates to use their code to conduct attacks and compromise victims, typically in exchange for a 40 percent commission on the revenue gained. The crime affiliates are those with limited technical skills but good knowledge of potential targets. Once a target is found, an affiliate may request a customized malware or exploit written for his/her own use to launch the attack. The emergence of Exploit as a Service platforms,[24] which offer a range of malware (exploits) in one package, makes running a cybercrime enterprise as simple as a few clicks.
There are even cyberbrokers in the Darknet who not only offer full attack packages, but also conduct target valuation and, especially in the case of ransomware attacks, may suggest the best ransom rate for the given target. The suggested ransom is much lower than what the target would have to spend on a forensic investigation and data recovery. This could be one of the reasons that many victims would rather pay the criminals and get their data back than pay a forensic investigator who may or may not recover the data, while possibly causing reputational damage as well.[25] Such a neat and profitable business model provides enough cash for cybercriminals to offer 2.5 times what Apple’s bug bounty program offers for a serious and exploitable iOS vulnerability.[26]
What Can Be Done?
To fight organized cybercrime effectively, the first step is to increase the business risk for cybercriminals. In one published interview, a hacker mentioned that the only reason he/she does not go after US-based bank cards is the high risk of getting caught by the US Federal Bureau of Investigation (FBI) and/or the US National Security Agency (NSA), whereas he/she can always find a way to deal with Canadian or European Union law enforcement agents.[27]
The next step is not only to increase government funding for research and educational programs in cyber security, but also to ensure that training actually leads to higher pay for cyberprofessionals and to more efficient cyberdefense strategies for organizations. Current salaries for many cyber security professionals are well below what they could earn in Darknet underground markets, and such a gap may push some talented individuals, especially those with a good education and strong technical skills, to consider working in the gray zone between cyberdefenders and cybercriminals. Cyberprofessionals need to make sure that educated cybergraduates do not even consider moving to the dark side.
The final suggestion is to reduce cybercrime business profits by implementing better security solutions, equipping highly skilled employees with the latest and most effective tools, and never, ever making a payment to any criminal group. Payments only further intensify their capabilities while leaving organizations weak and a willing, paying target for future attacks.
Ali Dehghantanha, Ph.D., CISM, CISSP, GCFA, GREM, GXPN
Is an EU Marie Curie International incoming post-doctoral fellow in cyberforensics (the Marie Curie Fellowships are Europe’s most competitive and prestigious research award) and a fellow of the UK Higher Education Academy (HEA). Dehghantanha has a long history of working in different areas of computer security as a security researcher, malware analyst, penetration tester, security consultant, professional trainer and university lecturer. He is a coauthor of Contemporary Digital Forensic Investigations of Cloud and Mobile Applications and a guest editor of a special issue of the Future Generation Computer Systems Journal on Internet of Things: Security and Forensics Trends and Challenges. He is also a guest editor for a special issue on Big Data Applications in Cyber Security and Threat Intelligence in IEEE Transactions on Big Data.
[1] Pepitone, J.; L. Remizowski; “'Massive' Credit Card Data Breach Involves All Major Brands,” CNN Money, 2 April 2012
[2] Kessler, S.; “Sony Promises All PlayStation Service Will Return This Week (Again),” Mashable, 31 May 2011
[3] McGoogan, C.; “Dropbox Hackers Stole 68 Million Passwords—Check If You're Affected and How to Protect Yourself,” The Telegraph, 31 August 2016
[4] BBC News, “Valve's Online Game Service Steam Hit by Hackers,” 11 November 2011
[5] Pagliery, P.; “Hackers Selling 117 Million LinkedIn Passwords,” CNN Tech, 19 May 2016
[6] Franceschi-Bicchierai, L.; “Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals,” Motherboard, 30 May 2016
[7] Krebs, B.; “Adobe Breach Impacted At Least 38 Million Users,” Krebs on Security, 29 October 2013
[8] Mogg, T.; “Evernote Hack: 50 Million Users Forced to Reset Passwords,” Digital Trends, 4 March 2013
[9] Leswing, K.; “Yahoo Confirms Major Breach—And It Could Be the Largest Hack of All Time,” Business Insider UK, 22 September 2016
[10] Finkle, J.; “Hackers Raid eBay in Historic Breach, Access 145 Million Records,” Reuters, 22 May 2014
[11] Silver-Greenberg, J.; M. Goldstein; N. Perlroth; “JPMorgan Chase Hacking Affects 76 Million Households,” The New York Times, 2 October 2014
[12] Krebs, B.; “Online Cheating Site AshleyMadison Hacked,” Krebs on Security, 19 July
[13] Obermaier, F.; “About the Panama Papers,” Süddeutsche Zeitung
[14] Conger, K.; “Weebly Hacked, 43 Million Credentials Stolen,” TechCrunch, 20 October 2016
[15] Black Hat USA, “The Rising Tide of Cybersecurity Concern,” 2016
[16] BBC, “Hack Warnings Prompt Cyber ‘Security Fatigue,’” 6 October 2016
[17] Neal, D.; “HummingBad Malware Rips Into 10 Million Android Devices,” The Inquirer, 6 July 2016
[18] Abrams, L.; “Criminals Earn $195K in July with Cerber Affiliate Ransomware Scheme,” Bleeping Computer, 16 August 2016
[19] Glassdoor, Security Architect Salaries, updated 23 February 2017
[20] Lee, B.; “Ransomware: Unlocking the Lucrative Criminal Business Model,” Palo Alto Networks, 2016
[21] GReAT; “The Great Bank Robbery: The Carbanak APT,” 16 February 2015
[22] Cabinet Office, “The UK Cyber Security Strategy 2011-2016 Annual Report,” United Kingdom, April 2016
[23] Allan, D.; “Most Cyber-attacks on UK Businesses Are Never Reported,” TechRadar Pro, 3 March 2016
[24] Cabrera, E.; “Exploits as a Service: How the Exploit Kit + Ransomware Tandem Affects the Company’s Bottom Line,” Trend Micro, 12 October 2016
[25] Yadron, D.; “Los Angeles Hospital Paid $17,000 in Bitcoin to Ransomware Hackers,” The Guardian, 17 February 2016
[26] Vaas, L.; “Exploit Broker Offers 2.5 Times What Apple Offers for Serious iOS Bugs,” Naked Security, 2016
[27] Glenny, M.; “Hire the Hackers!,” TEDGlobal 2011, July 2011