Q&A of the Week: 'The current state of the cybercrime ecosystem' featuring Mikko Hypponen
We discuss the recent botnet take downs, OPSEC (operational security) within the cybercrime ecosystem in a a post-DarkMarket world, the rise of the cybercrime-as-a-service business model, as well as current and emerging mobile malware trends.
Go through the Q&A, and don't forget to TalkBack.
Dancho: From Kelihos, Rustock, Waledac, to the successful extraction of 33GB of raw crimeware data back in 2010, and the most recent violation of OPSEC (operational security) where a botnet master offered insights into his malicious operation on Reddit, do you think that over the past couple of years cybercriminals have failed to properly apply the OPSEC approach to their campaigns and infrastructure, potentially allowing security researchers and vendors an easier way to take down their campaigns? What are some of your most recent observations regarding the OPSEC applied, or the lack of OPSEC applied to cybercrime campaigns?
Mikko: There still are online criminals who are looking for attention. They want somebody to notice how clever they are. That's why they post on forums. That why they are on Reddit and Twitter. That's why they are still sending messages to their enemies in texts embedded inside malware code.And when we move from financially-motivated attacks to the world of movements like Anonymous, OPSEC violations are everywhere. For the most part, it's trivial to monitor the movements of groups like these, as they communicate in the open.
Dancho: From encrypted instant messaging communications, VPN service providers, to invite-only web forums, cybercriminals are increasingly becoming aware that they're being watched. How would you describe the cybercrime ecosystem in a post-DarkMarket world in terms of the growth of underground communities, increasing number of market participants,and a growing number of highly diversified underground market propositions by dedicated and highly professional vendors of the service? Have we witnessed the development of a multiplying effect resulting in dozens of newly launched communities with better OPSEC(operational security) compared to the DarkMarket, or are we basically seeing amateur copycats attempting to achieve notoriety within the cybercrime ecosystem?
Mikko: The most important movement is that many of the traditional marketplaces are moving from the traditional web to the deep web, via services like Tor and Freenet. This makes them much more anonymous and much harder to track. In my discussion with law enforcement, they clearly worry about this a lot.In the deep web, it's easy to find all kinds of illegal content - from credit card sales to botnets to DDoS to public sales of drugs all the way to apparent hitmans. Some of them are surely scams.
I believe vast majority (if not all) of the deep web hitmans will just take your money and run.A major part of the deep web is illegal content. That's exactly why they don't want to have their stuff in the public web. But criminals get caught even if they host there. This is what happened to the "Farmer's Market" drug trading site in the deep web.
Dancho: It's a public secret that, in order for a law enforcement agent or a security researcher interested in maintaining their access to an invite-only cybercrime-friendly forum, they would need to get involved in the actual trade of fraudulent goods and services inside the forum. Do you believe that on its way to catch the forum administrators, law enforcement actually gave novice cybercriminals the opportunity to socialize and gain 'know-how'? Can we quantity the prevented losses by catching the forum administrators, in between quantifying the losses out of the active socializing and networking of the novice cybercriminals that took place?
Mikko: I've maintained a set of identities across various forums for years and years without engaging to actual trade of fraudulent goods. It can be done. For a newcomer, that might be very hard to achieve, but if you have a history, it can be done.
Dancho: Do you see the actual applicability of the DarkMarket take down, or was it just an over-hyped take down taking into consideration the fact that the DarkMarket forum is just the tip of the iceberg when it comes to the number and quality of competing underground communities?
Mikko: DarkMarket takedown was important in many ways, even though it obviously did not stop the actual problem.
Dancho: Over the past few years, we've witnesses the tremendous growth of cybercrime-as-a-service underground market propositions. Years ago, a novice cybercriminal would need to posses certain technical knowledge,or at least have the right contacts. Nowadays, everything from spam, phishing to launching malware attacks and coding custom malware is available as a service. Do you believe the community somehow made a mistake by allowing the cybercrime ecosystem to scale to the point of industrial standardization of the services and products offered? What was that mistake, and what can we, as a security community do to undermine the effectiveness of this underground market concept known as scalability?
Mikko: I don't see how we could have prevented this. These are not technological problems; they are mostly social problems. And social problems are always hard to fix.Having said that, it's sobering to see just how specialized cybercrime-as-a-service have become. It's not just enough that criminals are selling hosting and spamming or botnets to each other.
Some criminals are sellings banking trojans and then other hackers are selling tailor-made configuration files for those trojans, targeting any particular bank. Going prices for such config customization seem to be around $500 at the moment.
Dancho: Next to cybercrime-as-a-service proposition, affiliate networks truly allowed the cybercrime ecosystem to scale, now that there was an efficient and market-sound way for cybercriminals to monetize their activities. Do you believe that as a concept affiliate networks are more important to the overall growth of the cybercrime ecosystem, or was it cybercrime-as-a-service propositions that allowed it grow at such an alarming rate?
Mikko: The "Partnerka" affiliate networks behind rogue AVs and ransom trojans were so succesful that they really changed the landscape. Affiliate model also provides some protection to the masters behind the schemes, as they don't need to get their hands dirty anymore.
Dancho: We've been seeing quite a lot of attacks targeting Mac OS X lately. Flashback was a game-changer in terms of infected hosts. We've even seen Mac OS X based ransomware experiments being conducted next to working copies of scareware variants running on Mac OS X. However,these attacks are not reaching the epidemic growth of malware attacks targeting Microsoft's Windows OS. Personally, I believe that we're not seeing an epidemic growth of Mac OS X malware due to the lack of an affiliate network monetizing Mac OS X infected hosts? Do you believe that's the case, why and why not?
Mikko: Historically, Flashback.K outbreak is very important.Just a month ago, the general guidance was that you didn't really need an antivirus for your Mac. Now you do.At it's peak, somewhere between 2% to 5% of all the OS X machines on the planet were infected. That's huge.However, that's just one case. We are not seeing a wave of Mac malware. We're seeing one successful gang going at it.
Dancho: Every then and now, in an attempt to raise more awareness on the growth and the impact of cybercrime, the mainstream media compares the revenues from cybercrime to the revenues earned from drug trade. Do you believe that cybercrime is more profitable than drug trade?
Mikko: No, it's not. Can't be.
Dancho: Also do you believe we now posses mature and scientific approaches to accurately quantify the revenues earned and lost in both of these markets?
Mikko: We don't. I think the most interesting number would be how much online crime is generating profits to the criminals - ie. how much are they pocketing. Obviously the losses they generate are far higher. But the actual earnings would be really interesting to know. And we don't - except in isolated cases. We do know of individual groups which have made tens of millions of dollars. But not hundreds.
Dancho: The majority of end and corporate users still live in a "Patch Tuesday" reality, where they believe that vulnerabilities found in Microsoft's products still dominate the threat landscape, and that this is exactly what the cybercriminals are exploiting. However,that's no longer the case. These days, the majority of vulnerabilities are found in third-party applications and browser plugins.
Cybercriminals are naturally quick to follow, by embedding these very same flaws in their web malware exploitation kits. Do you believe that the security community should do a better job in building awareness among end and corporate users by alerting them on the current practice of exploiting flaws in third-party software and browser plugins,compared to exploiting flaws related to Microsoft's products in general? For instance, Mozilla's Plugin Check is a great initiative.Do you believe it deserves more visibility? Has the time come for search and social networking giants to start embedding this feature within their interfaces in an attempt to better protect millions of end and corporate users?
Mikko: In the Windows world, drive-by-downloads via exploits targeting browser add-ons and plugins are clearly the most common way of getting infected. That's why anything we could do to improve patching (or disabling) of vulnerable extensions would really make a difference. Mozilla's initiative is great, but in practice the Chrome model of sandboxing and replacing third-party add-ons with their own replacements seems to work really well.
We can see this when we look at real-world data from the statistics of exploit kits: Chrome users get exploited less than Firefox or IE users. Which is great news, as Chrome is about to become the most common browser on the planet.Chrome might have privacy issues, but from technical security viewpoint, it's pretty good.
Go through previous Q&As:
- Q&A of the Week - 'The current state of the crimeware threat' featuring Thorsten Holz
- Q&A of the Week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr
Dancho: Over the past couple of years, we've witness the rise of the so called 'Opt-in botnets' where patriotic hacktivists -- often average Internet users -- on purposely infect themselves with agents distributed in an attempt to gain control of their bandwidth for launching distributed denial of service attacks (DDoS) against a particular target, or do it by themselves thanks to the publicly obtainable DoS and DDoS attack tools.
First pioneered by China as the "People's Information Warfare" concept, it has been pretty popular in each and every cyber conflict we've seen over the past couple of years. Were you surprised when you first witnessed it in action in the context of actual impact it had on the targets? Do you believe 'Opt-in' botnets are the future, or are we going to see hybrid attacks consisting of both, end users who 'opted-in' in combination with DDoS bandwidth offered by good old fashioned botnets? Is this a trend, or a fad?
Mikko: I really dislike DDoS as a concept and I wish we wouldn't have to fight this problem any more in 2012. But we do, and it's likely to stay with us forever.Akamai has already reported seeing DDoS attacks launched from a botnet of mobile phones. We're likely to see DDoS botnets move to totally new platforms in the future. Think cars and microwave owens launching attacks.Tools as LOIC and HOIC have brought the "Opt-in botnet" model to the masses, and it works. Unfortunately.
Dancho: Iran has recently announced that it's banning the import of foreign security software, and that it has been secretly working on its own antivirus software. Taking into consideration the fact that the majority of antivirus solution also detect DoS and DDoS attack tools distributed in an event of a cyber conflict, do you believe that Iran is setting up for the foundations for successful hacktivist attacks in the long term, given the fact that it could on purposely not detect the attack tools distributed to its netizens?
From a strategic perspective, is this in-house patriotic sentiments driven move a step in the right direction, or is the country potentially exposing its entire Internet infrastructure to attacks from malware authors that would now only need to bypass a single antivirus product,Iran's own security solution?
Mikko: I'll skip this question as I didn't even know Iran has announced that. But as a side note, have you seen this? http://av.0days.ir
Dancho: Mobile malware is growing at at exponential rate, with the cybercriminals behind these campaigns clearly "thinking market share". In the past, we've also seen malware systematically bypassing Symbian's code signing procedure, potentially compromising the trust of end and corporate users. We're also currently seeing the systematic abuse of legitimate app marketplaces, with cybercriminals successfully using them for distributing malicious software. Which are the most commonly targeted mobile operating system?
Mikko: As our latest Mobile Threat Report shows, Android has made malware for Linux a reality. Old Symbian malware is going away. Nobody is targeting Windows Phone. Nobody is targeting iPhone. And Android is getting targeted more and more.iOS, the operating system in iPhone (and iPad and iPod) was released with the iPhone in the summer of 2007 - five years ago. The system has been targeted by attacker for five years, with no success. We still haven't seen a single real-world malware attack against the iPhone. This is a great accomplishment and we really have to give credit to Apple for a job well done.Out of all Linux variants, Android is the clear leader in malware.
Dancho: Mobile payments (a.k.a micro payments) are gaining a lot of popularity. Now that we've seen a ZeuS crimeware variant targeting mobile operating systems, do you believe that this is the next frontier for mobile malware authors in comparison to the low-revenue earning fraudulent techniques where mobile malware-infected devices would send SMS message to premium rate number, or a ransomware requesting a micro-payment for unlocking the device? Is the mobile payments industry ready to fight mobile banking malware, or is it currently lacking behind in truly understanding the dynamics of the threat?
Mikko: I believe the near-future mobile malware will be cashing out by sending text messages and placing calls to expensive premium-rate numbers. It works and it's easy to do. Eventually, we'll probably see more mobile banking trojans and new trojans targeting micropayments.
Dancho: On a periodic basis, the security community intercepts a malicious attack targeting human rights activists and their supporters. These targeted attacks against the organization's employees and supporters are becoming increasingly common. What are some of the latest trends you're observing in this field? Do you believe that we're ever going to properly attribute the source for these attacks, behind the obvious common sense applied by the researchers profiling them?
Mikko: Attribution is not problematic here: it's the Chinese. Proving that is hard though.We've also been able to link some of these targeted attacks against human rights organizations and minority support groups to attacks targeting huge defence contractors and governments, proving that they we're coming from the same source.
Dancho: In an attempt to trick web reputation filters, cybercriminals are increasingly relying on legitimate infrastructure for launching their campaigns, and actually hosting the command and control servers inside the cloud. From Facebook, to Twitter, Amazon's EC2, LinkedIn, Baidu, Blogspot and Google Groups, each of these services have been abused by cybercriminals in the past. Do you believe this is a trend or a fad?
Mikko: Professionally run services like Amazon or Facebook will kick out abusers like this fairly quickly, forcing them to host their stuff on more crime-friendly network.
Dancho: How would you comment on the recent SOCA/FBI operation that took down 36 criminal credit card stores? A job well down, or a drop in the bucket taking into consideration the fact that a significant number of the carder web sites that I exposed and profiled in 2011, remain active, sometimes just responding to a periodically changed domain?
Mikko: What else are they supposed to do? They do their best in trying to go after at least some of these guys and we should commend them on that - even if it wouldn't really change the big picture by much.
Dancho: What do you think South Korea's proposed 'Zombie PC Prevention Bill' making security software mandatory on all users' PCs? Should other countries also follow this example? A report published in 2011,for instance, indicated that even PCs with antivirus software running on them, were still getting infected with malware? How would you comment?
Mikko: I believe in giving people the freedom to use their computers as their wish. However, I also like giving strongs guidance to users who don't really know what they should be doing. I believe operators are in a key position to move security from a product to service and to protect the masses with both managed security solutions on end-user devices as well as behind-the-scenes monitoring and filtering of malicious traffic.
Dancho: In March, 2011 I proposed that all ISPs should quarantine their malware infected users until they prove they can use the Internet in as afely manner, by taking care of their information security flaws. Do you think this is a good idea? Why and why not? Has the time for ISPs to start at least alerting users that they're infected with malware, in between raising awareness on the long-term and short-term consequences of that infection?
Mikko: I love this idea and we are successfully doing this with our solutions together with several operators. It works.
Dancho: The Carberp Trojan case attracted the media attention as among the few examples where Russian law enforcement actually did its job. From a strategic perspective, do you believe that the cybercrime gang behind the campaigns made a mistake by targeting Russian users, thus attracting the attention of Russian law enforcement?
Mikko: We believe they got greedy, and made the wrong people angry. They were making significant profits partly by building complicated networks of packet mules, keyloggers and local proxies to make fraudulent purchases of electronics in online stores. These goods ended up being resold to buyers at far below the market value. Such actions get detected fairly easily.
Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.