Q&A of the Week - 'Tales from the Underground' featuring Brian Krebs

In the third post of its series, I chat with Brian Krebs, investigative reporter covering cyber security and cybercrime, and currently editor in chief of KrebsOnSecurity.com. We discuss the cybercrime ecosystem, the money mule problem, ATM skimmers, pharmaceutical affiliate networks, and payment processing gateways for the scareware industry.

Enjoy the conversation, and don't forget to TalkBack.

Dancho: ATM skimming is proliferating, next to the overall availability of bank plastic cards, holograms and pretty much everything a carder needs to cash out the fraudulently obtained credit card data. From ATM skimmers with bluetooth notification, to ATM skimmers with SMS notification, what are some of the latest innovations in this field that you're observing?

Brian: One innovation in skimming that I wrote about recently is that crooks are starting to turn to 3D Printers to make these devices. An investigator in California shared with me some photos of was believed to be a 3D printed skimming device, which was the news hook for that story. But as I was researching the topic, I discovered that a skimmer gang had recently been convicted of creating skimming devices made with a 3D printer they had purchased with the proceeds of their previous skimming crimes.

Dancho: Are cybercriminals a step ahead of the banking industry, and what can the banking industry do to prevent the mass adoption of ATM skimming devices? Is the problem lack of innovation, or lack of implementation of currently available solutions?

Brian: Sure. The crooks are nearly always ahead. But the real problem is not that the technology doesn't exist to cut way down on this type of fraud; it's that by and large, banks in the United States haven't adopted it. Chip-and-pin is not a panacea to the skimming problem, but it does increase the costs to the fraudsters by making ATM cards more difficult and expensive to counterfeit. Most of Europe is moving toward or has adopted this standard, and yet skimming fraud remains a big problem there. Tellingly, a majority of the skimming losses against European banks happen when skimmed card numbers are sent over to the United States, where they are encoded onto plastic and used to withdraw funds from the accounts using US ATM machines, which do not require chip and pin.

Dancho:  In your 'Pharma Wars' series, you've extensively profiled some of the key affiliate networks and payment processors behind the growth of the cybercrime ecosystem. What are some of the current and emerging trends in regard to pharmaceutical affiliate networks? Also, do you believe that pharmaceutical scams are more profitable than scareware and Pay-Per-Install schemes? Why and why not?

Brian: I think there are a few trends emerging, and they all have to do with the fact that it's getting harder for rogue pharmacies to make money. One is a shift toward more generic and herbal medications. The affiliate programs seem to be looking for drugs to sell that don't incur intellectual property violation cases, which can get them shut down in a hurry. But I think it is becoming much harder for the larger volume spam and scareware affiliate programs out there to retain reliable processing, and that's a long overdue but welcome development.

Dancho: The media often portrays a picture where Eastern Europe is the epicenter of the cybercrime epidemic. Do you believe that's still the case, or do you believe that in 2012 cybercrime has spread internationally in a way it can no longer be accounted for in terms of revenue earned and amounts stolen?

Brian: If you mean financially-motivated cybercrime that affects the rest of the world, I would say without question hackers in Russia and Eastern Europe are the most active, if not also the most profitable. I think there are cases where (dis)organized crime groups have and are conducting a lot of cybercrimes, but many of these sophisticated groups tend to be regional and stick to attacking their own (Brazil is a good example).

But generally speaking I think it is a mistake to try to measure cybercrime by actual losses, which almost never comes close to the real losses and damage done by cybercrime, costs incurred by software and hardware and personnel defenses, etc. Don't get me wrong: I strongly believe that all nations should be working harder to quantify and publish data about cybercrime losses, particularly in the financial sectors. But the reality is that even some of the most active criminal groups -- such as the rogue pharmacy "partnerka" programs like SpamIt and GlavMed and Rx-Promotion -- employed some of the biggest botmasters with the biggest botnets, and while some of them made a lot of money, most did not. And the spam partnerkas are excellent examples of cases where there are huge asymmetries between their earnings for these activities and the tens of billions of dollars companies and individuals need to spend each year to try to block all of its attendant ills.

Dancho: Microsoft's Digital Crimes Unit has been getting a lot of press attention lately, thanks to their Rustock and ZeuS take down campaigns. However, what the mainstream media is missing is the fact that Microsoft is basically shutting down U.S hosted crimeware infrastructure, a drop in the bucket when it comes to active malware/crimeware campaigns. In the age of fast-fluxed command and control servers, do you believe Microsoft's efforts have a short-lived, short-term oriented result in response to the threat posed by malicious software? Why and why not?

Brian: I think we can continue to expect to see Microsoft doing whatever it can to disrupt cyber criminal activity, because 95 percent of it or more is aimed squarely at their customer base. Whether the gains from those take downs and targeted actions have long or short-term consequences may not be so important to Microsoft. From my lengthy interviews with Microsoft's chief legal strategist on this subject, it was clear that their first order of business with these actions is raising the costs of doing business for the bad guys, and I think on that front they probably will succeed in the long run if they keep going after them as they are.

Dancho: On a periodic basis, you and I often receive the attention of cybercriminals who leave messages embedded in the source code of malicious page, an actual file name, or within the source code of a particular piece of malware in general.

In 2011, F-Secure intercepted a trojan where the authors left a "DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED" mutex. What was your initial reaction when you saw this? After all these 'touch points' left by the cybercriminals, does this mean that you work is actually making an impact within the cybercrime ecosystem, and is logically getting noticed by sophisticated cybercriminals, or do you believe it basically kids looking for public attention?

Brian: I consider it a badge of honor that these guys bother to thumb their noses at me. The most recent one I'm aware of was whoever was in charge of coding the Citadel Trojan added some strings in the malware that said, ""Coded by BRIAN KREBS for personal use only. I love my job & wife". Sort of a friendly jab and a vague, nonspecific threat rolled into one. Sometimes it is just kids looking for attention, but by and large I think most of these guys truly resent having any outside light -- especially from "amers" or Americans -- shed on their operations. They also don't like it when you distill their operations, norms or processes into bite sized chunks that demystify their ecosystem or forums.

Dancho: As a compliment to you research, you blog is often subjected to DDoS (denial of service attacks) attacks. How often do you get them, and do you have your ISP's full support in mitigating them? Are you also aware who's attacking you based on the data gathered in the log files? What tools are they using?

Brian: As I write this, my site is under attack, and has been for roughly two weeks straight now. My ISP has been fully supportive in helping me out. I'd rather not comment on the frequency, but sometimes I am aware who the cowards are. For instance, last year some rogue pharmaceutical spam gangs took out my site with the help of servers at Microsoft, and then proceeded to register tens of thousands of porn and pill domains in my name with stolen card data.

I've also suffered DDoS attacks at the hands of Russkill, which is a popular DDoS bot kit.

Late last year, my inbox was bombed with 100,000+ emails using a commercial fraud tool that is typically leveraged against cyberheist victims as a way to obscure an email alert or authorization from the target's bank.

Go through previous Q&As of the Week:

• Q&A of the Week - ‘The current state of the crimeware threat’ featuring Thorsten Holz
• Q&A of the Week: ‘The current state of the cyber warfare threat’ featuring Jeffrey Carr
• Q&A of the Week: 'The current state of the cybercrime ecosystem' featuring Mikko Hypponen

Dancho: Occasionally, the security community in combination with law enforcement, shuts down a widely popular underground community, or releases the results of a successful sting operation, proving that they have infiltrated this community. Do you think that cybercriminals act in a different way when they know that they're being watched? Do you believe that a researcher's or a LE agent's involvement in underground market trade for the sake of preserving access to this community is worth it? What is the best way to handle these communities? Infiltrate them, passively observe them, or shut them down as soon as you come across them?

Brian: I can't speak for law enforcement activity, but as a journalist and investigative reporter, I'm always sad to see these communities go away. I think it's safe to say that most of them are already infiltrated by several national law enforcement organizations. I'd be very surprised if they were not. Some operating right now probably were even set up by law enforcement. We've seen them do that a few times before. I think most of the fraudsters who've been doing this long enough probably understand that and act accordingly. Others do not, and that is why you tend to see lots of people come and go, but the same core group of a few hundred guys are the top dogs on most important forums.

Communities and crime forums are great places to learn intelligence about upcoming and ongoing attacks, breaches, 0days, etc. Shutting them down seems to me to be counterproductive, since you almost always force the forums to go more underground and use more security features to keep untrusted people out, and known sources of intelligence go away, or worse yet change their nicks and contact info and all of a sudden a source you have developed you may never see or hear from again.

Dancho: Risk-forwarding has been an inseparable part of the cybercrime ecosystem for years. From malware-infected hosts as stepping stones, to the one of the most prolific problems in recent years - the rise of money mule recruitment. Based on personal research, I'm currently aware of a single -- market leader -- vendor offering web site templates and full documentation for potential money mule recruiters. Are you also observing the standardization of  the recruitment process thanks to a single vendor offering the advertising creative, or are you currently observing multiple vendors of web site templates and full documentation?

Brian: I've identified quite a few distinct money mule recruitment networks. I don't know about templates, but many of them tend to recycle the same HMTL content and change the names of the fake companies. That's handy I guess for keeping track of which group recruited which mules, but beyond that I'm not sure it tells you much. What I have noticed is that money mules are the bottleneck for this type of fraud, and often times the cyber crooks will leave money in the victim's account because they simply didn't have enough mules to help them haul all of the loot. So with any one victim, it's typical to find mules recruited through 4-6 different mule recruitment gangs, because the fraudsters who outsource this recruitment will simply go from one to the other purchasing the services of these recruitment gangs until they've got enough to help them haul the loot, or they've exhausted the available mule supply. But usually, the mule gangs don't have any problem finding new recruits.

Dancho: Are reshipping mules more popular than money mules in general, or it depends on the recruiting organization's objectives?

Brian: I think reshipping mules tend to be more useful. Most regular money mules are one-and-done. They're used for a single task and then discarded (although one group I am following re-uses money mules as many times as they can before the mule starts to ask for their monthly salary). Typically, a reshipping gang will get 3-5 packages reshipped per weekday per mule, and the average reshipping mule works for 30 days before figuring out they've been working for free and great personal risk and they're never going to get paid, or the check they got from their employer just bounced. But several mule gangs I'm aware of do both reshipping and money mules interchangeably.

Dancho: The Dutch Rabobank is rumored to be blocking access to its debit cards outside the EU in order to prevent successful ATM skimming attacks. Are you aware of a practice called "Credit Card Tourism" where dozens of people with multiple plastics take buses and travel across Europe, taking money out of ATMs on the road?

Brian: No, but it sounds like a nice way to see Europe, if you can avoid the slammer along the way. :)

Dancho: Do you believe gullible money mules should hold no responsibility for their actions, or do you believe they are basically aware of the fraudulent nature of the job proposition, even before the start? Do you think policy makers are on the right track when it comes to addressing the money mule recruitment problem internationally? Why and why not?

Brian: I think about half are just not the sharpest crayons in the box. Many of them will request benefits and mileage reimbursement, and some will believe they're even getting promised insurance benefits. The other 50 percent probably know or suspect it's fraud but aren't asking too many questions because they're out of a job or a single parent (or quite often both) and they need to make their rent. Do I think they should be held accountable? Absolutely. I see no difference between this activity and writing bad checks, which people get put in jail for all the time. Will a prosecutor be able to understand the crime and explain it well enough to a jury of the mule's peers -- many of whom aren't smart enough to figure out how to get out of jury duty in the first place -- that THEY wouldn't have fallen for a similar scheme -- that he can get a conviction? That's another question entirely.

Dancho: DDoS for hire vs DDoS extortion - Which of these underground market segments is more popular these days, based on your own personal observations?

Brian: No idea, sorry.

Dancho: With Facebook's rumored interest in online gambling do you think it will successfully position itself as a target for DDoS extortionists once the platform scales enough and starts attracting huge portions of U.S based Facebook users? Or will cybercriminals continue targeting lower profile sites in an attempt to avoid attracting the attention of law enforcement?

Brian: I'm almost certain that Facebook get attacked constantly, but you should probably ask them. I don't know much about any ambitions they may or may not have in the gambling space, sorry.

Dancho: Do you believe in the concept of cyber fraud insurance? Should a bank that fails to protect it customer's assets be held responsible for the fraudulent transactions that took place, or is it ultimately the responsibility of the customer to ensure that he's E-banking in a secure fashion?

Brian: I think it's a nice idea, but it merely glosses over the underlying problem. Cyber insurance is basically a way of shifting the risk, but doing so in a way that may not be where the cost for assuming that risk ought to reside. What's easier and makes more sense: A bank spending a few million dollars more and really thinking about and implementing adaptive security, or doing the bare minimum and having all of their customers have to either buy insurance or take extreme measures to protect themselves when banking online? The latter is the situation we have today, for better or for worse.

Dancho: There's been a lot of buzz recently, surrounding advanced persistent threats (APT attacks). Do you differentiate between targeted attacks and APTs, or from a marketing perspective, the buzz was basically re-branding of a well known process in order to reboot its public awareness life cycle?

Brian: I think if there has been a net positive about the shift in focus (at least from the mainstream security industry) away from traditional threats to APT attacks it is in the increased attention paid to social engineering attacks, which form the basis of most successful attacks today. 0day threats get a lot of press and are frequently associated with APT attacks, but it is far more common for these attacks to leverage known vulnerabilities for which there are patches, much like exploit packs that are used in many Zeus attacks and other more traditional cyber crimes. Unfortunately, educating users about what not to click on or trust or open is always an uphill battle. There are some things that companies could be doing more on this front, and I'd like to see more firms randomly test their employees to help speed the process of learning how not to fall for phishing and social engineering scams.

Dancho: Despite the numerous shut downs of payment processing gateways working with the scareware industry, scareware remains one of the most profitable monetization strategies within the cybercrime ecosystem? Do you agree or disagree, why and why not? Also, do you believe that the scareware business model can be best undermined for targeting the payment gateways, or perhaps you may have something else on your mind?

Brian: I don't think scareware is the same scourge it used to be, although it's clearly still a problem. I would say this problem -- like the pharma spam problem -- must be attacked at the payment processing point; that is where it makes the most sense. There are some things afoot in the payment processing space that I think will probably start to show major results in the coming months on this front, but the proof will be when the scareware partnerka programs start dying off completely because the business model has dried up. I think we can expect to see the costs of acquiring banks taking on this business continue to rise, and that will help make the scareware industry less profitable and less attractive for scammers.

Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.