RSA Europe 2009 The FBI and the UK’s Serious and Organised Crime Agency have drawn up a program for dismantling and disrupting cybercrime operations. The effort relies on a better understanding of the business models of carders, malware authors and hacker groups which have increasingly come to resemble those of legitimate businesses.
The three prong strategy aims to target botnet and malware creators, so-called bullet-proof hosting providers that offer hosting services to cybercrooks, and digital currency exchanges. Digital currency exchanges such as WebMoney and Liberty Reserve are central to the operation of the black economy, according to Andy Auld, head of intelligence at SOCA’s e-crime department.
During a keynote presentation at the RSA Europe Conference, Auld and FBI special agent Keith Mularski used the Russian Business Network (RBN) cybercrime network as an example of the type of criminal enterprise they were targeting. The now disbanded group used an IP network allocated by RIPE, a European body that allocates IP resources, to host scam sites, malware and child porn.
RIPE actions might lend themselves to interpretation, viewed in the harshest terms, as being complicit with cybercriminals and "involved in money laundering offences".
"We are not interpreting it that way. Instead we are working in partnership to make internet governance a less permissive environment," Auld said.
The RBN – described as a purpose-built criminal ISP – allegedly paid off local police, judges and government officials in St Petersburg.
"This was a well organized organization not a cottage industry,” Auld explained. “RBN was the e-crime component in a wider criminal portfolio.
“There were strong indications RBN had the local police, local judiciary and local government in St Petersburg in its pocket. Our investigation hit significant hurdles.”
Auld said that although western law enforcement efforts were frustrated, the group was put under surveillance for a short time, during which the group travelled around the Russian city in an Armoured Audi A8 that was always escorted by a Range Rover.
As the heat was turned up on RBN, the group applied a disaster recovery plan, activated in November 2008. However, foreknowledge allowed the FBI and SOCA to shut down new systems before RBN was able to complete its migration.
“All we achieved was disruption, not a prosecution,” Auld explained. “We believe RBN is back in business, pursuing a slightly different business model.”
Zombie botnet taxonomy
The well attended presentation also included a comprehensive taxonomy of botnet types. Network of compromised PCs can be used for multiple purposes include proxies that supply anonymity (based on machines infected by malware strains such as Xsox), credential stealing (the notorious banking Trojan ZeuS and Torpig being the chief irritants in this category), web hosting (ASProx), spam distribution (Srizbi, Storm worm) and malware dropping botnets.
Another vital component of the cybercrime economy is carder forums, described by Mularski as e-crime “supermarkets” for exploits, tools and stolen data that have adopted a mafia-style organisational structure. These forums have splintered after law enforcement efforts that led to the demise of forums such as Shadowcrew and Carderplanet in 2004.
New generation forums are split between Russian and English language sites. Each have hierarchical structures with administrators who take a percentage for running escrow services and control membership at the top. Below these bosses are reviewers who handle site management (capos).
Hackers, carders and data thieves occupy the rung below with mainstream members (associates) below them. The quality of stolen credit card data, for example, is reviewed before a vendor is allowed to sell through these forums.
SOCA and the FBI intend to infiltrate groups or cultivate inside sources. The law enforcement agencies will also go after the money by targeting electronic exchanges that are used to transfer funds between criminals. Working with internet governance organisations, such as groups that allocate IP addresses to crooks without realising that the address space will be used for cybercrime, also form part of the clampdown.
The two law enforcement agencies also want to encourage the targets of cybercrime to improve their security while going after locations where crackers upload and store stolen data.
“Traditional policing is reactive,” Auld explained. “Cybercrime enforcement, by contrast, has to be pro-active.” ®