Security Experts:

Revisited: The Optimist's Cybercrime Predictions for 2011

Around this time last year you may have read my SecurityWeek article, The Optimist's Cybercrime Predictions for 2011. Now that the year is drawing to an end, I thought it would be an interesting opportunity to look back to my 2011 predictions and see how each of them panned out.

Awareness is rising

Predictions Report CardIn the prediction I made last year, I forecasted a rise in threat awareness within organizations. That was mainly due to 2010 events, which included the publicized “Operation Aurora” and the revelation of Stuxnet, both of which made big waves not only in the security industry, but in the press as well. In its 2011 Global Information Security Survey, which was published in October, Ernst & Young noted that “72% of survey respondents see an increasing level of risk due to increased external threats.” This represents a notable increase from their 2010 report, in which only 60% of respondents perceived an increase in risks. While this perception of increased risk is attributed in the report to trends such as moving to cloud computing, social networks and the increasing number of employees using personal devices in the enterprise, from our experience, those who are trusted with the security of the enterprise certainly follow news of security events – and 2011 was not lacking in that regards.

In a sense, “Operation Aurora” was just the introduction to “Advanced Persistent Threats,” as in 2011 things went up a notch with the RSA breach and subsequent attacks on Lockheed Martin, Northrop-Grumman, and L-3 communications. Since then, multiple organizations claimed being targeted by similar types of attacks, some of which were the French finance ministry and Mitsubishi Heavy Industries. McAfee’s report on “Operation Shady-RAT” shed additional light on the subject while a number of security experts suggested that the attacks were carried out by Chinese hacktivists. It was also noted that these attacks were nothing new and have been going on for several years now. True as it may be, these recent events have sure put the spotlight on APT attacks and generated interest not only from security experts but from the general population as well.

Other hacktivists also made a splash this year, with the Anonymous-spun LulzSec group hacking their way into Sony and FBI affiliate InfraGard Atlanta. Joining forces with other Anonymous factions, LulzSec continued their cyber rampage under the “AntiSec” operation – a call for hackers to attack government bodies, steal their information and make it public. LulzSec and Anonymous reminded everyone that while there are new and advanced threats out there, a lot of damage can still be inflicted by hackers using more common attack methods, such as SQL Injection and XSS.

Law Enforcement is Getting Better

My second prediction was that since law enforcement agencies are hard at work with streamlining international collaborations between different countries, we should see these projects bear fruit in the shape of more cybercriminal arrests. This year did not lack in arrest stories linked directly with malware, including ones that had international elements. Perhaps the best example would be the “biggest cybercrime takedown,” according to the FBI, operation Ghost Click. The investigation, conducted with the help of security company TrendMicro, led to the take down of Estonian-based company Esthost/Rove Digital and the arrest of the people who operated it. Another great example of international collaboration is the FBI and Philippines’ police arrest of 4 people linked with a $2m scam which dialed a premium number from AT&T customers’ phones to fund terrorist groups.

As law enforcement continues to invest effort into building cross-continent relationships, we should continue hearing of success. On an encouraging note, the FBI already has agents stationed in Estonia, the Ukraine and the Netherlands.

It’s getting harder to become a fraudster

Online FraudThis is one prediction that was a miss. Yes, in certain aspects, learning how to become a fraudster is becoming harder. Forums are less friendly to newcomers than the forums of yore, but in other aspects, things have actually become much easier. In 2011, the trend of CC stores (which I already wrote about) simply blew up – dozens and dozens of these automated shops opened up for anyone to purchase compromised payment cards and much more. These days, the term “CC Stores” no longer does justice to these platforms, as fraudsters use them to offer compromised online banking accounts, RDP access, private information and related automated services. The sale of ready-made store platform kits enable every fraudster interested in selling his goods to set up shop quickly and easily, and those who don’t want to manage their own website can always supply cards to existing stores or use the services of third parties who manage stores for others.

As for the buyers, CC stores streamline the fraud process. Instead of trying to find out who the best vendor in town is, they can simply register to a store with a lot of positive feedback in the forums and purchase some cards. Many stores check whether the card is still valid during the purchase process so the fraudster knows if he received valid cards – one less headache to worry about.

However, obtaining credentials is just half the battle. After the credentials were obtained – one needs to cash them out somehow, right? Well, luckily for the fraudsters, they have automated stores for that as well! Underground sites offer an automated process in which the “buyer” receives a mule address to send items bought with stolen credit cards to – and they will take care of the rest. While this is not much different than how fraudsters used to work before the proliferation of CC stores, now there isn’t even the pesky requirement of finding an accomplice. A turnkey web-based interface allows fraudsters to send the item, wait a few days… and get paid. There may be fewer tutorials out there for newcomers to find, but in the meantime, the process of conducting fraud is becoming even simpler and more streamlined.

Let’s hope that 2012 will be better for infosec and fraud-prevention than 2011.

Happy holidays!

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.