Around this time last year you may have read my SecurityWeek article, The Optimist’s Cybercrime Predictions for 2011. Now that the year is drawing to an end, I thought it would be an interesting opportunity to look back at my 2011 predictions and see how each of them panned out.
Awareness is rising
In a sense, “Operation Aurora” was just the introduction to “Advanced Persistent Threats,” as in 2011 things went up a notch with the RSA breach and subsequent attacks on Lockheed Martin, Northrop Grumman, and L-3 Communications. Since then, multiple organizations have claimed to be targets of similar types of attacks, among them the French finance ministry and Mitsubishi Heavy Industries. McAfee’s report on “Operation Shady-RAT” shed additional light on the subject, while a number of security experts suggested that the attacks were carried out by Chinese hacktivists. It was also noted that these attacks were nothing new and have been going on for several years now. True as that may be, these recent events have certainly put the spotlight on APT attacks and generated interest not only from security experts but from the general population as well.
Other hacktivists also made a splash this year, with the Anonymous-spun LulzSec group hacking their way into Sony and FBI affiliate InfraGard Atlanta. Joining forces with other Anonymous factions, LulzSec continued their cyber rampage under the “AntiSec” operation – a call for hackers to attack government bodies, steal their information and make it public. LulzSec and Anonymous reminded everyone that while there are new and advanced threats out there, a lot of damage can still be inflicted by hackers using more common attack methods, such as SQL Injection and XSS.
Law Enforcement is Getting Better
My second prediction was that, since law enforcement agencies are hard at work streamlining collaboration between different countries, we should see these projects bear fruit in the shape of more cybercriminal arrests. This year did not lack arrest stories linked directly with malware, including ones that had international elements. Perhaps the best example would be the “biggest cybercrime takedown,” according to the FBI: Operation Ghost Click. The investigation, conducted with the help of security company Trend Micro, led to the takedown of Estonia-based company Esthost/Rove Digital and the arrest of the people who operated it. Another great example of international collaboration is the arrest by the FBI and Philippine police of 4 people linked with a $2m scam that dialed a premium number from AT&T customers’ phones to fund terrorist groups.
As law enforcement continues to invest effort into building cross-continent relationships, we should continue hearing of success. On an encouraging note, the FBI already has agents stationed in Estonia, the Ukraine and the Netherlands.
It’s getting harder to become a fraudster
As for the buyers, CC stores streamline the fraud process. Instead of trying to find out who the best vendor in town is, they can simply register with a store that has a lot of positive feedback in the forums and purchase some cards. Many stores check whether the card is still valid during the purchase process, so the fraudster knows whether he received valid cards – one less headache to worry about.
However, obtaining credentials is just half the battle. After the credentials are obtained, one needs to cash them out somehow, right? Well, luckily for the fraudsters, they have automated stores for that as well! Underground sites offer an automated process in which the “buyer” receives a mule address to which items bought with stolen credit cards are sent, and the site takes care of the rest. While this is not much different from how fraudsters used to work before the proliferation of CC stores, now there isn’t even the pesky requirement of finding an accomplice. A turnkey web-based interface allows fraudsters to send the item, wait a few days… and get paid. There may be fewer tutorials out there for newcomers to find, but in the meantime, the process of conducting fraud is becoming even simpler and more streamlined.
Let’s hope that 2012 will be better for infosec and fraud-prevention than 2011.
Happy holidays!