Symantec's latest Internet Security Threat Report, covering July 1 to December 31, 2005, provides excellent raw data to support previous TRC analyses. Specifically, the Internet Security Threat Report illustrates the trend away from large-scale attacks and toward more focused and less visible attacks. This trend is best understood through an analysis of the economic structure of cybercrime.
To better understand the new economic structure of cybercrime, the motives of the cybercriminals must be understood. In the past, the motives of the cybercriminal and hacker were the desire to satisfy intellectual curiosity or the need to boost one's ego or status by carrying out a difficult attack against a well-defended or noteworthy system. Recently, the motives of the cybercriminal and hacker have shifted toward the quest for financial gain. Ultimately, malicious hackers realized that there was a market for the information they could steal, as well as value in the exploit code they developed to carry out their attacks. Evidence gathered in Symantec's Internet Security Threat Report highlights this trend. Specifically, the report observed that 88 percent of the top 50 threats were financially driven, up from 77 percent six months earlier. Three recent examples illustrate how cybercriminals are using various types of malicious software in the pursuit of financial gain.
First, the WMF exploit appears to have been created by hackers and then sold to cybercriminals, who incorporated the exploit code into a Trojan horse that allowed an attacker to run code on an infected computer. Alexander Gostev, a senior virus analyst at Kaspersky Lab, noted that around the middle of December two or three Russian hacker groups were offering to sell the WMF exploit for $4,000. The WMF exploit illustrates how the hacker develops an exploit and sells the code to organized crime. In turn, organized crime uses the exploit to attack networked resources and steal valuable information, such as credit card data.
Second, the arrest of bot herder Jeanson James Ancheta illustrates how cybercriminals are using botnets of infected machines for financial gain. Specifically, Ancheta used his botnet as a staging area for the distribution of adware "clickers" and as a launching pad for distributed denial of service (DDoS) attacks. This example illustrates how hackers rent the use of their botnets to the highest bidder to carry out DDoS attacks, install spyware, or even deliver spam.
Finally, the discovery of a new flavor of Trojan that steals money directly out of a victim's bank account illustrates how malicious hackers are profiting from cybercrime. This particular Trojan, rather than simply logging keystrokes and stealing account numbers and passwords, exploits known browser vulnerabilities. Once the exploit has been installed into a vulnerable browser, the Trojan simply waits until the user logs into an online banking site that the Trojan has been designed to target. Once the user has logged into the site, the Trojan transfers the money in the user's bank account into another account controlled by the cybercriminal.
The increased desire for financial gain has, in turn, shaped the trend toward more focused and less visible attacks. Cybercriminals have realized that high-profile attacks draw the attention of law enforcement and system administrators and, therefore, reduce the likelihood of success. Accordingly, Symantec observed in its Internet Security Threat Report that the number of bot-infected computers is 11 percent lower than in the security firm's previous report, which covered January 1 to June 30, 2005. In general, hackers and cybercriminals have realized that it is more profitable to retain control over a smaller network of bots than to draw the attention of authorities with a massive bot network.
Moreover, the desire for financial gain has ratcheted up the "cyberarms" race between attackers and defenders. As system administrators have strengthened perimeter defenses with firewalls and intrusion detection systems, attackers have adapted and sought new avenues of attack. For example, hackers have increasingly targeted vulnerable web applications, which could allow a successful attacker to compromise an entire network, including the valuable personal information stored inside a database.
As a result, as long as there is value in stolen information, hackers and cybercriminals will continue to seek out new and innovative ways to attack valuable network resources and databases.