Security Experts:

The Structure of a Cybercrime Organization - Hackers Have Supply Chains Too!

Do you remember those ’80s and ’90s movies that portrayed the same hacker over and over, just in a different setting? It was always a kid wizard sitting in his parent’s basement hammering away on the keyboard. Or a student loner who hacked into the university’s administration system to change his grades. That’s the image engrained in our brains when we hear the word “hacker.” In reality, when we talk about hackers, we are talking about a fully organized, well-oiled machine intent on gaining money. And hacking is most definitely a big industry. One estimate puts the its size at $1 trillion.How Cybercrime Organizations Work

The Botnet Army

The objective today is data – the hacker’s currency. The weapon of choice is the botnet—armies of unknowingly enlisted computers controlled by hackers. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. Researchers estimate that some 14 million computers have already been enslaved by botnets. This number is expected to grow quarterly at double-digit rates.

The Pillars of the Hacking Industry

The hacking industry has evolved over the years in order to efficiently operate and manage these massive cyber-armies and gain profit from them. Recently, Intel CEO Paul Otellini said that security had become the third pillar of business (the other two, in Intel’s view, are networking and power consumption). What is the equivalent for the hacking industry? The hacking industry’s pillars are supply chain, optimization and automation.

The Hacker’s Supply Chain

Inside a Cybercrime Organization

In recent years, a clear definition of roles and responsibilities has developed within the hacking community, forming a supply chain that resembles that of a drug cartel. Last year’s indictment of Albert Gonzalez, the hacker mastermind behind one of the greatest hacks in U.S. history - the theft of 40 million credit cards from TJX systems - provided us with further insight into the layered roles of the data-theft cartel. The division of labor within the hacking organization breaks down like this:

Researchers: These are vulnerability researchers and exploit developers who keep clean when it comes to the actual exploitation of systems. Researchers’ sole responsibility is to hunt for vulnerabilities in applications, frameworks, and products, and then feed their knowledge to malicious organizations for the sake of profit. In particular, they focus on browser vulnerabilities to optimize botnet infections. Stephan Watt, Albert Gonzalez’s friend, exactly fits into the researcher mold. His highly technical skills were used to write the sniffing software for TJX systems – although he claims that he was not fully aware of Gonzalez’ ultimate scheme.

Farmers: A farmer’s primary responsibility is to maintain and increase the presence of botnets in cyberspace. Farmers write botnet software and attempt to infect as many systems as possible worldwide. They control their zombies using a series of commands and controls (C&C). The farmers use the most modern technologies to keep these commands from being detected. For example, Twitter tweets and Facebook profiles have recently been used as command channels to operate zombies.

Dealers: Dealers are tasked with performing the actual attack. The dealers rent botnets, which are priced according to the size of the botnet and length of usage. They use the botnets to conduct a variety of different attacks, including:

• Probing Web application vulnerabilities to extract valuable data

• Inflicting a Distributed Denial of Service (DDoS) attack

• Disseminating spam. Last year, Alex Ralsky, who gained the notorious nickname “Spam King,” pleaded guilty to using botnets to compromise tens of thousands of computers so they could be used to send out spam.

• Executing brute force password attacks

Consumers: These are the crooks who actually monetize the stolen information. After all, the dealers gathered the data, but the data needs to be translated into money. Enter the criminal who knows how to fake credit cards, to steal identities, advertise through spam or commit fraudulent transactions. In 2008 Russian hackers committed a nearly $10 million fraud against RBS WorldPay. Recently, Viktor Pleschuk, the hacker mastermind agreed to snitch on fellow partner in crime as a “Get Out of Jail” ticket. His confessions shed light on how stolen data was used to counterfeit credit cards and translate data into cash.


Hackers are optimizing their resources in order to gain the most from compromised applications or computers. How do hackers optimize attacks?

Better management: Corporate executives are famous for their use of corporate dashboards showing corporate performance. Likewise, hackers have tools to keep detailed command and control (C&C) over the effectiveness of their operations.

Power: The more compromised servers, the larger the botnet. Also, the more powerful the computer, the easier the DDoS, as a recent DDoS attack showed. An acquired zombie machine may now be exploited for phishing and spam, to inflict a DDoS or to perform blackhat search engine optimization (SEO). Moreover, a compromised PC may be used as a relay to a corporate machine in order to retrieve enterprise data and/or to further distribute malware.

Killing Competitors: Just like in the mafia wars, hacker organizations compete against one another. The Spy Eye toolkit is known to first remove the infamous Zeus botnet software before making an installation on a zombie machine.


General Patton once said, “There is only attack and attack and attack some more.” During the industrial revolution, manufacturing was optimized by automation. And automation is the key technique of the hacking industry for maximizing the attack process. Here are several examples of processes that hackers have automated:

• The use of search engines to find potential target applications.

• The distribution of commands through forums and Web pages in order to engage zombies as part of a botnet. This whole management process is highly automated, and hackers take pride in offering a complete attack with just a few mouse clicks.

• Attack templates and kits. Hackers do not need to re-invent the wheel of cyber-crime. Kits exist for just about everything. Automation is what made a hacker community into a hacker enterprise. We’ve seen mass waves of SQL injection attacks against half a million sites within one day. As a part of Imperva’s Hacker Intelligence Initiative, we witnessed the effects of a muscular XSS attack campaign conducted in the space of just one hour.

Coming Up Next - Advice

Hackers are after your data. They are growing bigger, faster and stronger by the day. It does not help to simply recognize the problem. It is important to understand how to guard data against this industry. Once this is clear, we can dive ahead and provide solutions. So stay tuned for next week as I discuss different points of advice for protecting data from Hackers Inc.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.