By Alex Tilley, Head of Threat Intelligence Asia Pacific & Japan for Secureworks.
It may seem obvious, but cybercrime must constantly evolve to survive. Not only are cybersecurity veterans like me constantly working to uncover, understand and counter new crime techniques, but technology itself is always evolving.
This means cybercriminals are constantly creating new attacks to fit current trends, whilst adjusting existing attacks to avoid detection. To understand how cybercrime could evolve in the future, I have looked at its colourful past as I have lived and breathed it for more than 20 years.
What is cybercrime?
Although seen by many as “secret magic”, cybercrime needs to be thought of as “just another crime type”, like drugs, the illegal firearms trade and money laundering. It is full-spectrum criminality that uses technology as its vehicle.
Extortion, theft, property damage and fraud are amongst an extensive list of “traditional” crimes that are committed under the umbrella of “Cybercrime”.
Where it does have some differences is in its often anonymous and sometimes “impersonal” nature (although some cybercrimes are deeply, damagingly personal). And although law enforcement agencies are trying to tackle this problem, investigations can be more difficult and time consuming than some traditional crime investigations, requiring new and specialised skills that law enforcement is working to acquire.
On the whole, cybercrime continues to grow exponentially, and many people have become victims of identity theft, hacking and ransomware.
When did cybercrime emerge?
Cybercrime has been around for decades: wherever there have been connected computers, you can be sure that someone was thinking of a way to misuse their access, even if just to get free time on old university computer systems!
Cybercrime as we know it now has really been maturing rapidly since the late 90s and early 2000s with criminals who started young with minor offences graduating to increasingly serious criminal activity as their abilities and criminal networks grew. In the 2020s cybercrime is a major threat that earns the criminals involved millions of dollars without as many of the risks of other traditional crime types.
The rationale behind cybercrime
- Financial gain is the number one!
- Politically motivated – nation state attacks and espionage
- To access confidential information to cause reputational damage
- Vandalism/property damage
Financial gain
To show this exponential growth in the loss amount per event for financially motivated cybercrime, I have drawn on my personal experience of working to counter the threat over the years, as the criminals got better and better and the losses per criminal act climbed and climbed, starting in the early 2000s.
The loss amount per event is climbing every year:
In 2002/03 the average loss amount was $500 for a dumb phishing attack:
- Responders were basically begging “please take this down”
- Action a takedown in the first four hours or almost don’t bother
- Compromised site owners quite helpful (harvest kits, learn)
- Internal code simple (it still is!)
- “Whack-a-mole” but manageable.
In 2004 Rockphish emerged, and the average loss was $5000:
- “Throw product at the problem”: kits recognisable by their /rock/, /r/ and /r1/ URL paths
- One host, 300–400 phishing sites (dozens of banks)
- Tiered transparent reverse proxy setup
- Takedown efforts focus on compromised sites and now IP takedown
- Rarely get anything but the nginx or OpenVPN config
In 2006 – Fast Flux and Avalanche appeared with the average loss at $5000
- Dedicated criminal hosting (no more nice site owners)
- Fast flux (round robin DNS) makes IP takedowns (more) useless
- Double and triple flux
- “Pay to play” bulletproof hosting
- Bank defences like dummy account injection become effective
- Automated defence systems built in house at banks
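The fast-flux point above (round-robin DNS with short TTLs, and nameservers that rotate too in the double-flux case) is what makes IP-based takedowns so unrewarding, and it is also what gives defenders a signal in passive DNS. The following example is added here to illustrate that detection side; it is not Secureworks' or the author's tooling. The DNS observations are constructed (RFC 5737 documentation addresses and reserved .example names), the /16-prefix spread stands in for an ASN lookup, and the thresholds are assumptions a defender would tune against real passive-DNS data.

```python
"""Passive-DNS heuristic for spotting fast-flux hosting.

Example added to this article; it is not Secureworks' or the author's own
tooling. The DNS observations below are constructed, and the thresholds are
assumptions a defender would tune against real passive-DNS data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    rrtype: str   # "A" (address record) or "NS" (nameserver record)
    value: str    # IPv4 address for A records, nameserver hostname for NS records
    ttl: int      # TTL in seconds as served


# Assumed thresholds (tune against your own data).
MIN_DISTINCT_IPS = 5       # one name resolving to many hosts
MIN_DISTINCT_PREFIXES = 3  # spread across unrelated /16 blocks, not one hosting range
MAX_TTL = 300              # short TTL forces resolvers to re-query often
MIN_DISTINCT_NS = 4        # rotating nameservers: the "double flux" signal


def _prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16; a crude stand-in for ASN diversity."""
    return ".".join(ip_address(ip).exploded.split(".")[:2])


def summarise(observations):
    """Per-domain counts that the flux heuristic needs."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ns": set(), "min_ttl": None})
    for obs in observations:
        s = stats[obs.domain]
        if obs.rrtype == "A":
            s["ips"].add(obs.value)
            s["prefixes"].add(_prefix16(obs.value))
            s["min_ttl"] = obs.ttl if s["min_ttl"] is None else min(s["min_ttl"], obs.ttl)
        elif obs.rrtype == "NS":
            s["ns"].add(obs.value.lower())
    return stats


def classify(observations):
    """Label each domain 'double-flux', 'single-flux' or 'stable'."""
    labels = {}
    for domain, s in summarise(observations).items():
        a_flux = (len(s["ips"]) >= MIN_DISTINCT_IPS
                  and len(s["prefixes"]) >= MIN_DISTINCT_PREFIXES
                  and s["min_ttl"] is not None and s["min_ttl"] <= MAX_TTL)
        ns_flux = len(s["ns"]) >= MIN_DISTINCT_NS
        labels[domain] = ("double-flux" if a_flux and ns_flux
                          else "single-flux" if a_flux else "stable")
    return labels


def _records(domain, rrtype, values, ttl):
    return [DnsObservation(domain, rrtype, v, ttl) for v in values]


# Constructed sample using RFC 5737 documentation ranges and reserved .example names.
FLUX_IPS = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9", "203.0.113.200"]
SAMPLE_OBSERVATIONS = (
    # single flux: A records rotate across unrelated blocks with a 120 s TTL, stable NS
    _records("login-secure.example", "A", FLUX_IPS, 120)
    + _records("login-secure.example", "NS", ["ns1.example", "ns2.example"], 86400)
    # double flux: A records rotate and the nameservers rotate too
    + _records("update-verify.example", "A", FLUX_IPS, 60)
    + _records("update-verify.example", "NS", [f"ns{i}.rotating.example" for i in range(1, 7)], 180)
    # legitimate site: two addresses in one block, long TTL
    + _records("bank.example", "A", ["203.0.113.40", "203.0.113.41"], 3600)
    + _records("bank.example", "NS", ["ns1.example", "ns2.example"], 86400)
    # CDN-style host: many addresses and a short TTL, but all in one block
    + _records("cdn-assets.example", "A", [f"198.51.100.{i}" for i in range(1, 7)], 60)
)

if __name__ == "__main__":
    for domain, label in sorted(classify(SAMPLE_OBSERVATIONS).items()):
        print(f"{domain:24s} {label}")
```

The CDN-style entry is there on purpose: many addresses and a short TTL on their own are normal for content delivery, so the heuristic also demands spread across unrelated address blocks before it calls a name fluxing, and only labels it double flux when the nameserver set rotates as well.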
In 2007–8 – Enter the “banker trojans”, and the losses climbed as high as $50,000 with Zeus, Bugat, Nethel, Gozi et al.
- Load and hook the web browser (initially as a Browser Helper Object, BHO)
- Wait until punter visits bank or another specified site
- Web injects are the warhead on the missile
- Social engineering web inject (Best I ever saw)
- Incredibly effective
- Bank detections initially non-existent but improve (JS, browser DOM query)
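The last bullet above is the defender's answer to web injects: the bank's own script queries the browser DOM and compares the form the customer is looking at with the form the bank actually served, so extra fields asking for card numbers or PINs stand out. The example below is added here to show that comparison; it is not Secureworks' or the author's code. Banks run this as JavaScript inside the browser; the same logic is written in Python over two constructed HTML documents so it runs offline, and the list of sensitive tokens and the field names are illustrative assumptions.

```python
"""Spotting a web inject by comparing the login form the bank served with the
form the browser actually renders.

Example added to this article; it is not Secureworks' or the author's code.
The real check runs as JavaScript in the customer's browser; the same logic
is shown here in Python over two constructed HTML documents.
"""
import re
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the name (or id) of every form control in a document."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            name = (a.get("name") or a.get("id") or "").strip().lower()
            if name:
                self.names.append(name)


def field_names(html: str) -> set:
    """Names of all form controls in the document (controls without a name/id are ignored)."""
    parser = FormFieldCollector()
    parser.feed(html)
    return set(parser.names)


# Assumed: tokens that never belong on a plain login page. An injected field
# asking for them is the classic "confirm your card and PIN" inject.
SENSITIVE_TOKENS = {"pin", "card", "cvv", "cvc", "otp", "ssn", "dob"}


def detect_inject(served_html: str, rendered_html: str) -> dict:
    """Return the fields present in the rendered DOM but absent from the served
    page, and flag those whose name tokens look like credential harvesting."""
    served = field_names(served_html)
    rendered = field_names(rendered_html)
    injected = sorted(rendered - served)
    suspicious = [n for n in injected
                  if SENSITIVE_TOKENS & set(re.split(r"[^a-z0-9]+", n))]
    return {"injected": injected, "suspicious": suspicious, "alert": bool(suspicious)}


# Constructed: the login form as served by the bank.
SERVED_LOGIN = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-placeholder">
  <input type="submit" value="Log in">
</form>
"""

# Constructed: the same form as rendered after a banker trojan's inject
# added extra fields to it.
RENDERED_WITH_INJECT = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-placeholder">
  <p>For your security, please confirm your card details.</p>
  <input type="text" name="card_number">
  <input type="password" name="atm_pin">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    print(detect_inject(SERVED_LOGIN, RENDERED_WITH_INJECT))
```

Matching on whole name tokens rather than substrings keeps a legitimate field such as "shipping" from tripping the "pin" check; in a browser deployment the served-form manifest would come from the bank's own server rather than from a string, since a trojan that hooks the browser can tamper with anything the page itself carries.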
In 2010 Operation Trident Breach resulted in the Jabber Zeus arrests for automated fraud:
- ACH fraud and Leprechaun automated fraud system
- Arrest of more than 50 people across multiple countries
- Mostly mules
- Some key mule handlers
- It’s always mules!
In 2011–2014 Gameover Zeus and Dyre featured prominently, with losses rising to $500,000:
- Fully automated
- Massively distributed
- Has learned from all previous mistakes
- Business banking focus due to international transfer and no limits (Dyre)
- Hooked in with professional mule crews (YMCO et al.); the mules are the bottleneck
- Ability to move six figures in single transactions (Experience breeds sophistication)
The impact of cryptocurrency on cybercrime
In 2014 the proceeds had climbed to over $5,000,000 for a large-scale ransomware attack, and since then the emergence of cryptocurrency has made the historically most difficult aspect of cybercrime, moving the money, a lot simpler, effectively removing much of the need for traditional money laundering infrastructure.
Cryptocurrency removes the need for attacks on banks and their customer accounts, and makes traceability a real challenge. This move away from attacks focusing on banks and bank customers has also shown that for too long we have relied on banks to work and spend to secure our finances; now the criminals are attacking individuals and organisations directly, and many organisations are not prepared for this “head on” attack.
In 2021 and beyond the drivers behind the growth of cybercrime are:
- Ransomware
- Cyber criminals getting better and better
- More and more criminals muddy the waters
- Nation state attacks that look like cybercriminal activity
- Lower barrier of entry to move more money
- Mobile phones and mobile finance transactions
Looking into the future
Given everyone is so dependent on their powerful mobile devices these days, criminals are increasingly moving the same types of cybercrime that used to target computers onto mobile platforms, phones and tablets. Theft tools such as Marcher, Exobot, Anubis and now FluBot are maturing quickly, which can be devastating for the individuals and organisations that fall victim.
To slow the march of cybercrime, what’s needed is globally coordinated action involving law enforcement and the private sector to tackle things like ransomware, data theft and extortion, which will all march on and on if we don’t continue to act to stop these attacks.
Cybercrime crosses borders and jurisdictions, so it needs to be investigated and mitigated as a joint effort, and this will involve good old-fashioned investigative police work as well as more “creative” disruption operations involving non-law-enforcement entities (both public and private).
However, organisations must take responsibility for much of their own security, as we have seen with the march of cybercrime; we can’t continue to think of it as “the banks’ problem” that we don’t need to put effort into addressing ourselves.