As an information security professional for more than 15 years, I have seen and experienced many aspects of security. I thought I knew what cybercriminals were doing and how they were doing it, but I was wrong. During one of my periods of research, I found papers authored by Trend Micro on the malicious cyberunderground. The papers were a presentation of their research in Russia, Brazil and China. I found the findings enlightening and scary not only to the world’s technology environment, but to everyone who uses it.
The Russian underground provides cybercriminals a place to market their products and services. They sift through traffic stored in botnet command and control (C&C) servers for information useful for targeted attacks. Cybercriminals verify that malicious products support their claims (to avoid false advertising), and there are brokers who make a percentage of the escrow while the product is tested.
The Brazilian underground threatens banks with bolware that changes bar codes to redirect payments to the attacker. These Trojan horses can also redirect users to malicious websites, steal information keyed into fake browser windows, capture personal data and reconfigure the browser proxy settings to redirect to malicious web sites. Their bolware tool kits can monitor and manage infections and malicious activities. These cybercriminals sell their source code so that hackers can modify the code to their advantage. Other products include credit card number checkers (or testers), credit card number generators, malware crypters that evade detection, phishing pages, phone number lists (for phone-based scams) and spamming software. They also provide crypter programming and fraud training services for cybercriminal wannabes.
The most popular products and services of the Chinese underground are compromised hosts (to spread malware and spam), distributed denial-of-service (DDoS) attack services and remote access tools (RATs) that can evade detection. Some hosting servers can support proxy and virtual private network (VPN) services. Other product offerings include botnets, exploit kits, fake follower postings, fake online game sites, fake documents, software product keys, account stealers and cracking services for encrypted files.
As a result of these many threats, it is important that security professionals know what they are up against. My recent ISACA Journal article titled “The Underground Threat” presents a summary of what Trend Micro found, some suggested countermeasures and some things to think about. What are some of your ideas on how to counteract these threats?
Read Larry Wlosinski’s recent Journal article:
“The Underground Threat,” ISACA Journal, volume 5, 2015.