FBI and SOCA plot cybercrime smackdown

White hats get proactive on e-crime


RSA Europe 2009 The FBI and the UK’s Serious and Organised Crime Agency have drawn up a program for dismantling and disrupting cybercrime operations. The effort relies on a better understanding of the business models of carders, malware authors and hacker groups which have increasingly come to resemble those of legitimate businesses.

The three prong strategy aims to target botnet and malware creators, so-called bullet-proof hosting providers that offer hosting services to cybercrooks, and digital currency exchanges. Digital currency exchanges such as WebMoney and Liberty Reserve are central to the operation of the black economy, according to Andy Auld, head of intelligence at SOCA’s e-crime department.

During a keynote presentation at the RSA Europe Conference, Auld and FBI special agent Keith Mularski used the Russian Business Network (RBN) cybercrime network as an example of the type of criminal enterprise they were targeting. The now disbanded group used an IP network allocated by RIPE, a European body that allocates IP resources, to host scam sites, malware and child porn.

RIPE actions might lend themselves to interpretation, viewed in the harshest terms, as being complicit with cybercriminals and "involved in money laundering offences".

"We are not interpreting it that way. Instead we are working in partnership to make internet governance a less permissive environment," Auld said.

The RBN – described as a purpose-built criminal ISP – allegedly paid off local police, judges and government officials in St Petersburg.

"This was a well organized organization not a cottage industry,” Auld explained. “RBN was the e-crime component in a wider criminal portfolio.

“There were strong indications RBN had the local police, local judiciary and local government in St Petersburg in its pocket. Our investigation hit significant hurdles.”

Auld said that although western law enforcement efforts were frustrated, the group was put under surveillance for a short time, during which the group travelled around the Russian city in an Armoured Audi A8 that was always escorted by a Range Rover.

As the heat was turned up on RBN, the group applied a disaster recovery plan, activated in November 2008. However, foreknowledge allowed the FBI and SOCA to shut down new systems before RBN was able to complete its migration.

“All we achieved was disruption, not a prosecution,” Auld explained. “We believe RBN is back in business, pursuing a slightly different business model.”

Zombie botnet taxonomy

The well attended presentation also included a comprehensive taxonomy of botnet types. Network of compromised PCs can be used for multiple purposes include proxies that supply anonymity (based on machines infected by malware strains such as Xsox), credential stealing (the notorious banking Trojan ZeuS and Torpig being the chief irritants in this category), web hosting (ASProx), spam distribution (Srizbi, Storm worm) and malware dropping botnets.

Another vital component of the cybercrime economy is carder forums, described by Mularski as e-crime “supermarkets” for exploits, tools and stolen data that have adopted a mafia-style organisational structure. These forums have splintered after law enforcement efforts that led to the demise of forums such as Shadowcrew and Carderplanet in 2004.

New generation forums are split between Russian and English language sites. Each have hierarchical structures with administrators who take a percentage for running escrow services and control membership at the top. Below these bosses are reviewers who handle site management (capos).

Hackers, carders and data thieves occupy the rung below with mainstream members (associates) below them. The quality of stolen credit card data, for example, is reviewed before a vendor is allowed to sell through these forums.

Counteroffensive

SOCA and the FBI intend to infiltrate groups or cultivate inside sources. The law enforcement agencies will also go after the money by targeting electronic exchanges that are used to transfer funds between criminals. Working with internet governance organisations, such as groups that allocate IP addresses to crooks without realising that the address space will be used for cybercrime, also form part of the clampdown.

The two law enforcement agencies also want to encourage the targets of cybercrime to improve their security while going after locations where crackers upload and store stolen data.

“Traditional policing is reactive,” Auld explained. “Cybercrime enforcement, by contrast, has to be pro-active.” ®

Similar topics


Other stories you might like

  • Google Pixel 6, 6 Pro Android 12 smartphone launch marred by shopping cart crashes

    Chocolate Factory talks up Tensor mobile SoC, Titan M2 security ... for those who can get them

    Google held a virtual event on Tuesday to introduce its latest Android phones, the Pixel 6 and 6 Pro, which are based on a Google-designed Tensor system-on-a-chip (SoC).

    "We're getting the most out of leading edge hardware and software, and AI," said Rick Osterloh, SVP of devices and services at Google. "The brains of our new Pixel lineup is Google Tensor, a mobile system on a chip that we designed specifically around our ambient computing vision and Google's work in AI."

    This latest Tensor SoC has dual Arm Cortex-X1 CPU cores running at 2.8GHz to handle application threads that need a lot of oomph, two Cortex-A76 cores at 2.25GHz for more modest workloads, and four 1.8GHz workhorse Cortex-A55 cores for lighter, less-energy-intensive tasks.

    Continue reading
  • BlackMatter ransomware gang will target agriculture for its next harvest – Uncle Sam

    What was that about hackable tractors?

    The US CISA cybersecurity agency has warned that the Darkside ransomware gang, aka BlackMatter, has been targeting American food and agriculture businesses – and urges security pros to be on the lookout for indicators of compromise.

    Well known in Western infosec circles for causing the shutdown of the US Colonial Pipeline, Darkside's apparent rebranding as BlackMatter after promising to go away for good in the wake of the pipeline hack hasn't slowed their criminal extortion down at all.

    "Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory," said the agencies in an alert published on the CISA website.

    Continue reading
  • It's heeere: Node.js 17 is out – but not for production use, says dev team

    EcmaScript 6 modules will not stop growing use of Node, claims chair of Technical Steering Committee

    Node.js 17 is out, loaded with OpenSSL 3 and other new features, but it is not intended for use in production – and the promotion for Node.js 16 to an LTS release, expected soon, may be more important to most developers.

    The release cycle is based on six-monthly major versions, with only the even numbers becoming LTS (long term support) editions. The rule is that a new even-numbered release becomes LTS six months later. All releases get six months of support. This means that Node.js 17 is primarily for testing and experimentation, but also that Node.js 16 (released in April) is about to become LTS. New features in 16 included version 9.0 of the V8 JavaScript engine and prebuilt Apple silicon binaries.

    "We put together the LTS release process almost five years ago, it works quite well in that we're balancing [the fact] that some people want the latest, others prefer to have things be stable… when we go LTS," Red Hat's Michael Dawson, chair of the Node.js Technical Steering Committee, told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021