
Hackers Feel the Heat, Look for New Revenue Streams

As 100+ New York and New Jersey area mobsters learned recently, “You can run, but you can’t hide.” Does the same apply to hacking?

Part 10 in a Series on Cybercrime

It seems it might. In an attempt to throw hackers off their game, the security community has taken on a proactive security approach. The impact: we foresee attack campaigns and techniques and quickly adapt to changes in the “threat-scape.” And guess what happened? Hackers are feeling the heat.

The Unearthing of Cyber-Criminal Groups

In the past few months we have heard about the uncovering of a surge in cyber-criminal groups. These are not single-shot, lucky hits by the feds. Rather, these are the culmination of lengthy investigations, at times in collaboration with worldwide law enforcement agencies.

Take, for example, the arrest of Zeus botnet ring members at the end of September. With an international effort, 11 people were arrested in the UK. A couple of days later, 60 people in the U.S. were arrested. One of the techniques used by the security researchers who investigated the group was to infiltrate the C&C servers belonging to the hackers.

But the Zeus individuals were not the only ones to be caught. That same month, Facebook declared that the authors of the Koobface worm were close to capture. And as October ended, the mastermind behind the Bredolab botnet was arrested.

Even when specific individuals were not being sought, the security industry did not rest. The weapons and vehicles of attack suffered damage. ISPs pulled the plug on the C&C servers of the infamous Pushdo botnet, while other security researchers searched for ways to hijack Zeus’ C&C channels.

Feeling the Heat, Hackers Look for New Revenue Streams

Inventing new techniques to bring in revenue is a trend not only because it makes business sense, but also because it helps insulate hackers in the event some component of the business is exposed to law enforcement. It’s a simple principle: diversify your portfolio. And we are seeing numerous examples of this.

For example, we witnessed the Avalanche phishing group changing their tactics. The group was notorious for being the most prolific phishing group, yet as they realized where the real money resided, they started distributing Man-in-the-Browser Trojans. In October they completed this two-year-long move.

Hacktivists provide yet another example. The Iranian-Cyber Army (ICA) was looking for other sources of revenue. This group is infamously known for engaging in politically motivated DDoS attacks. Last year, for example, they attacked Twitter and Baidu, China’s most widely used search engine provider. Yet, as 2010 rolled to an end, the security industry became aware that the ICA was advertising their bots for rent. The ICA, it seems, have asked themselves why they can’t make extra on the side if the infrastructure already.

Hackers and Competitive Pressure

As the hacker industry grows, competition becomes fiercer. While the market for toolkits flourishes, hackers are taking a lesson from the corporate world. Features are added, products are enhanced, and customers’ opinions count. For example, the developers of one piece of DDoS attack software have taken their customer support to a new level. In this case, the developer takes pride in offering real software support for their DDoS system, with a separate help-ticketing system in place!

Black Market Support

Business practices also tend to change in the course of competition. Take the two botnets, SpyEye and Zeus, which are intent on taking control of a victim’s machine. As rules of competition go, when installing SpyEye there is even the “Kill Zeus” capability. If this bit is chosen, the SpyEye installer first checks whether there are any installations of the Zeus Trojan, and uninstalls them before installing SpyEye. Interestingly, the two sides seem to have changed course. Towards the end of October, the developers of the SpyEye and Zeus bot code showed signs of an upcoming merger.

The Trend: The Wal-Mart of Cybercrime

Security researchers will continue to look into hacker operations and unearth less diligent criminals. In general, the hacker industry will react by investing more resources in their attack techniques and detection evasion. In fact, a variant of Zeus put in place a “hacker-honeypot” in order to foil researchers attempting to track the criminals’ activities.

The hackers that cannot step up their game will go out of business. Other cybercriminal organizations will buy out other groups or merge their operations with others. This will lead to the second change. The current powerful cybercrime organizations will consolidate their power and grow. After all, antitrust laws don’t apply to them.

Coming Up Next – Valentine’s Day, Do Hackers Have Hearts?

It will be interesting to follow the “threat-scape” as hackers evolve and attempt to counter proactive security approaches. Taking a further look into the hacker industry, we realize that hackers lack morals. The follow-up question though is whether hackers even have feelings. Stay tuned for the exclusive Valentine’s Day column!

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.