Gang culture in the online world


Network Security, November 2007, p. 4

CYBER GANGS

Simon Heron, managing director, Network Box

The era when script kiddies were the primary online threat has long since passed. Today, hacking and malicious code are big business. Too big, it would seem, for some black hats to manage single-handed.

The financial returns for online crime are staggering. In the UK alone, recorded online banking fraud jumped from £23.2m in 2005 to £33.5m in 2006, according to APACS, the UK payments association. In the USA, where the online payments systems are less secure than in Europe, Gartner reports that the losses through phishing attacks amounted to US$2.75bn in 2005. As a result, cyber gangs are emerging as the illicit and lucrative business of hacking moves beyond the reach of one perpetrator alone.

A couple of years ago, when online scams such as phishing were relatively new phenomena, an email containing grammatically incorrect English may have been enough to dupe a recipient. Similarly, a phishing website may not have been an exact replica of a bank’s, but it was familiar enough to fool a significant number of people and turn a tidy profit.

Consumers and businesses, however, are getting wiser and are less easily hoodwinked. A curious spelling or poorly constructed sentence in an email is often enough to alert most people to its fraudulent nature. All of which means that black hats’ social engineering techniques need to be as sharp as their malicious code.

Pooling skills and resources

The problem is that a good hacker is not necessarily a natural wordsmith. Someone that finds scripting duplicitous emails easy may not have the technical nous to deliver the scam, and vice versa. And what about selling made-to-order malware? Who is going to hawk the software and bring in the orders while someone else is busy exploiting the vulnerability before the security software research community issues a patch?

For those serious about making big sums of cash, expanding from underground sole trader to cyber gang is a natural progression. There is no shortage of hackers willing to form a collective, because plying a criminal trade as part of a cyber gang has a number of immediate advantages over doing so in the offline world. Firstly, it is far harder to get caught. Online crimes are faceless criminal acts, and the fact that gangs operate across borders makes their capture even more difficult. Secondly, even if they are caught, cross-border prosecution is problematic for the appropriate authorities, and any eventual punishment is likely to be lenient.

Gang origins and characteristics

The majority of the gangs appear to originate from three distinct areas: Eastern Europe (Russia in particular), the US, and China. But while their motivations run more or less parallel – that is, to make money – their methods for executing the scams differ.

Russian gangs such as the Coders Dream Team and WebAttacker Team have grown up in an IT-proficient environment. Monitoring of IRC rooms suggests that some Russian IT professionals are former KGB employees, meaning that their online skills are highly sophisticated.

Figure 1: Sources of spam around the world.


There is also an unemployment problem in the region, leaving a surplus of highly-qualified personnel that are unable to apply the skills they have honed for many years in a legitimate work setting. Consequently, they can find themselves lured by the relative high gains and low risks of online crime.

The Russian gangs appear to be involved with the most serious criminal activity, using everything at their disposal – such as trojans, keyloggers, and phishing attacks – to snare victims. The serious money lies in identity theft and the Russian gangs are unrelenting when it comes to writing password-stealing malware.

However, it is not just the socio-economic climate in Russia that makes it such fertile ground for online crime. Provided the criminals target consumers and businesses outside of their own country, the Russian government is apparently reluctant to pursue them.

One eastern European gang, Rockphish, is estimated to comprise 12 members and is very prolific. The outfit is thought to be responsible for between one-third and one-half of all phishing messages sent out on any given day. From its first identification in 2004 until the end of 2006, the group is estimated to have cost banks around US$100m. There is a school of thought that Rockphish may be a script that has made it easier to run phishing scams, and that many other gangs are using it. The debate continues, and highlights just how difficult it is to track these groups.

“Laws in the USA regarding cyber crime have been tightened up, and gangs in the US do not have the same international boundaries that protect those in foreign countries”

However, the gang still has to be mindful that with expansion comes the need for greater organisation. Should the group grow any larger, it will face the same challenges as any other legitimate growing business. This includes the need for a clear direction and strategy, a cohesive structure, management, and delegation. These are potential obstacles that if not overcome could unstitch an otherwise tight union.

The other inherent issue with a larger gang is that secrecy is a perennial concern. If the above challenges are not overcome smoothly, internal disquiet could result, and that is not conducive to a watertight operation.

In the USA, the history of the cyber gang is probably longest. However, laws in the USA regarding cyber crime have been tightened up, and gangs in the US do not have the same international boundaries that protect those in foreign countries. The nature of the society and the more open nature of the authorities have made the lifecycle of the cyber gang different.

There is evidence that street gangs initially began to use the internet, but in some cases this was mainly for the purpose of exchanging ideas on how to improve drug sales, or for discussions of which gun to buy. The glock3 gang was an example of this. However, back in 2003, more network based cyber gangs had already developed, coming to know each other through the internet, rather than on the street. Even then there were cyber gangs like Shadowcrew, Carderplanet and Darkprofits. Shadowcrew was estimated to have 4000 members by the time it was broken up. It netted around US$4.3m using web sites to sell its counterfeit credit cards and false IDs. They even worked together, which was a notable difference to their Eastern European counterparts. Like most cyber gangs there was an element of international co-operation with some gang members as widely spread as Sweden, the Netherlands and Poland, but the majority of these US gangs were located in the States. Now, street gangs and cyber gangs were working together. For instance, the street gang would steal a laptop and the cyber gang would extract the data from it for extortion purposes, or cyber gangs would arrange for poorly paid cleaners in large firms to steal valuable laptops from senior executives or accounting employees. Another instance of this convergence is industrial espionage. Data has a value and cyber gangs have the knowledge to obtain soft copies.

In China, the situation is different again. The People’s Liberation Army is probably the largest organised online hacking group here, but rather than discussing whether it has been carrying out attacks against the west in this article, we will focus on unofficial groups. It appears that the Triads have been heavily involved in this business. In Australia, a Triad recruited children to launder money stolen as a result of phishing schemes. There are a number of gangs in China who are trying to get user IDs, passwords and financials. These gangs seem to consist mainly of younger participants, as they are mostly interested in online game passwords which are easy to sell.

Recruitment drives

Joining a cyber gang is no easier than ingratiating oneself with any underground criminal organisation. If a black hat knows someone on a personal level that is already involved with online crime, then using the existing trust built up by that relationship is probably the best way of brokering the subject of how to join.

For those wanting to get involved who do not have a direct access to a member of a cyber gang, social networking in internet chat rooms are where fledgling relationships and gangs are born.

Black hats can spend months in internet chat rooms sounding out those with similar designs as themselves, then more months nurturing the relationship and ensuring that the faceless person they’ve ‘met’ is trustworthy. Only then will a partnership be born, and they must then repeat the process until they believe they have the optimum number of members.

The PC battlefield

The battle between the gangs can essentially be reduced to the battle for botnets. Each gang wants to have control of the biggest botnets, as it is via these compromised, connected PCs that their malware is distributed. The greater the reach of their botnets, the more malware and spam they can distribute and, ultimately, the more money they can make.


One of the most common methods gangs use to infect PCs is by using trojans, and it is here that a turf war really unfurls. For example, the Storm trojan that was discovered in January 2007 and released by a Russian gang would infect a victim’s PC and conscript it into the gang’s botnet. From there, it would be used to collect information on the PC’s owner, such as usernames and passwords, or to send spam. Srizbi, a rival gang discovered in June 2007 and also from Russia, typically uses MPack, an attack kit produced by Coders Dream Team. Srizbi composed a piece of malware sophisticated enough not only to detect the Storm trojan on an infected PC, but also to remove the existing Storm trojan and replace it with its own malware.

Predictably, the authors of the Storm trojan felt slighted by this and upped the ante. In retaliation, they started issuing DDoS attacks against the servers that the Srizbi trojan uses to download its latest update. That meant that the bots controlled by the Srizbi trojan could not be updated and their botnet was paralysed.

Another way of disrupting a rival gang’s botnet is to intercept its command and control operation. A botnet can command the compromised PCs to release a deluge of spam emails, but is also there to relay sensitive and confidential information, such as usernames and passwords, to the gang controlling the botnet. This latter function provides an opportunity for a rival gang to disable the IRC channel used to send the information, severing the compromised PC’s connection to the botnet. The rival gang can then set about taking control of the PC.

And so the cycle continues. A war rages within the PC and the user is none the wiser. Unless, that is, there is an overlap in the uninstallation of old malware and the installation of new malware. If one gang plants malicious code and another gang then attempts to replace it with its own without properly uninstalling the old code, the new code may not work effectively, if at all. This is not dissimilar to installing new antivirus software before properly uninstalling the old antivirus program. Configuration will be difficult and it may not operate as it should.

The other and bigger issue when this overlap occurs is that ‘runt’ code can be left behind, which may slow the PC to such a pace that the owner becomes aware that it is infected. This defeats the object of surreptitious infection and prevents the gang’s covert control of the PC.

The impact of gangs

As ever, the impact of this clandestine gang warfare is felt by consumers and businesses alike. Consumer victims are likely to see their PCs malfunctioning and their email address blacklisted by their ISP. They may also have their personal details compromised, their bank accounts siphoned and, in the worst case scenario, their whole identity stolen, which can have serious financial and legal consequences.

“Like many gangs warring in the offline world, feuds between cyber gangs could prove to be their undoing”

The fallout for businesses can be enormous. An organisation that falls victim to an attack by a cyber gang can come to a standstill. Again, an ISP may blacklist its email addresses and website, which will then sever its connection with its partners and customers and damage its ability to trade in part or in whole. Productivity can grind to a halt because email and the internet are business-critical tools for employees. A business may also find itself a victim of ransomware, whereby the gang encrypts all of the company’s crucial documents and demands a fee for returning them to their normal format. All of this will have a devastating impact on the organisation’s reputation that can take years to recover from.

Never-ending cycle

Like many crimes, online scams are here to stay. To an extent, trying to eradicate the gangs is a futile exercise; as soon as one gang is caught, another will simply spring up in its place.

However, like many gangs warring in the offline world, feuds between cyber gangs could prove to be their undoing. Making money is undoubtedly the primary motive for developing malware, but the gangs are not without ego. In the hacking world, there is still kudos ascribed to developing intelligent and perplexing malicious code, and each gang wants to be seen as the best in the business – as demonstrated by the Srizbi and Storm gangs’ battle of wits. In the battle to outsmart each other, gangs may temporarily take their eyes off the efforts of the security industry, leaving behind clues to their identity that could lead to their eventual capture.

Figure 2: The battle of the bots. What happens when one gang’s network attacks another.

Tackling the gangs

Security professionals are not idly waiting for gangs to slip up. The industry is as committed as ever to staying one step ahead of the black hats – individuals or groups – and making IT systems as secure as possible. But in terms of tackling and disbanding the gangs themselves, the industry is relatively powerless.

Despite online crime slowly beginning to be seen for the burgeoning and far-reaching crime it is, more needs to be done. Authorities in this country, and particularly those abroad where they frequently pretend that the problem isn’t their responsibility, need to be pressured to take action against the perpetrators.

Of course, the path to a clear international legal framework, with punishments sizeable enough to act as a deterrent, is laden with barriers – cross-border jurisdiction, extradition, international relations and political agendas to name but a few significant obstacles. But it must be addressed sooner rather than later. Otherwise, existing gangs – and the inevitable emergence of new gangs – have all the impetus they need to continue their global attacks on consumers and businesses.

About the author

Simon Heron is the managing director of managed security company, Network Box (UK) Ltd. He has more than 16 years’ experience in the IT industry, including eight years’ experience in internet security. During this time he has developed and designed a range of technologies, including firewalls, anti-virus, LANs and WANs. Heron has an MSc in Microprocessor Technology and Applications, and a BSc in Naval Architecture and Shipbuilding.

The evolution of web application attacks

David Watson, director, Isotoma Ltd & UK Honeynet Project

Network Security, November 2007, p. 7 (opening section of a separate article in the same issue)

Last month, part one of this article discussed common types of vulnerability in web applications and the evolution of attacks against web servers. Part two considers recent shifts in attacker focus, how compromised web servers are increasingly becoming an important stepping stone in attacks against web clients, and the threat of automated web attacks.

The original objective of many web application attacks was to gain control of a target server, which was usually a static system in public IP space that offered a range of internet-facing services. Successful attacks often required initial reconnaissance and footprinting of available services, then an exploit (such as a buffer overflow or remote file inclusion) that targeted a vulnerability in either the web server or a hosted web application running in the context of the web server user. Usually, the ultimate goal of the attacker was web site defacement and uploading of suspect content, or gaining a foothold to attack other servers within an organisation. Theft of confidential data, such as user credentials or credit card billing information, also occurred regularly. Additional tools would often be downloaded from remote sites to assist in privilege escalation to SYSTEM/root level, cleaning up evidence of the compromise and to gain total control of the underlying server OS.

As financial motivations have increased and criminal organisations have become more involved in computer intrusions, attackers have shifted the focus of their attacks towards end user data. Theft of personal information such as contact details, credit card records and social security numbers can facilitate identity theft and fraud, or they can provide an economic resource to be traded in the electronic underground. Attackers initially focused on extracting stored personal data that was mistakenly accessible through badly designed or weakly defended web applications. This often involved attacks against membership lists and back-end ecommerce databases, such as the August 2006 compromise of AT&T’s online DSL service provisioning system.[1] As secure web development and server side security practices have improved, the millions of often poorly managed desktop PCs and relatively gullible end users still offer attackers easy pickings. This makes end user systems some of the most attractive and highest value targets, and the weakest links in the web security chain. It also raises some new challenges for the attackers.

Traditional contact techniques such as the mass mailing of virus-laden spam messages and phishing lures may still provide returns, but users are becoming increasingly savvy when it comes to detecting obvious email-based scams. Unsolicited attachments are usually no longer automatically opened and anti-spam systems are slowly improving. System defenders such as CastleCops’s PIRT or Spamhaus have also become more responsive and successful in shutting down or black-holing phishing scams and other clearly malicious domains. This has significantly reduced the active life time of many overtly malicious web sites.[2,3]

“End users must be induced into interaction with an external system before any potential vulnerability can be exploited”

Improvements in OS and application security have continued to reduce the threat from self-propagating network-based