Computerworld

Sophistication of cyber-enabled crime frequently underestimated

Cyber-enabled crime is increasingly sophisticated, argues F5 Networks’ David Warburton

The image of a lone, hoodie-clad hacker continues to lead organisations to underestimate the sophistication of cyber-enabled crime, according to David Warburton, senior threat research evangelist for F5 Networks.

“Cyber crime is a very generic, catch-all term and it refers to anything that’s done maliciously on the Internet,” Warburton told Computerworld during a recent visit to Australia. “The problem is that encompasses a really big gamut of individuals.”

Not only have organised groups increasingly become involved in cyber crime, but an underground ecosystem with a sophisticated division of labour has also facilitated the emergence of what has been dubbed ‘crime as a service’ (CaaS).

The CaaS model draws together, generally on a temporary and ad hoc basis, individuals and groups that possess particular skills necessary for a particular cyber-enabled criminal activity.

“When they require something outside their own area of competency, they need only to find someone offering the appropriate tool or service in the digital underground; they can simply buy access to what they need,” explains the 2017 edition of Europol’s Internet Organised Crime Threat Assessment.

“It is also on this basis of reciprocity and complementary skills that cybercriminals come together to commit crime in more coordinated groups, although other factors are also important here, such as language. Such associations are often transient however, only remaining together for the execution of a particular project, before disbanding.”

Online forums, generally concealed using Tor, are the key hub for CaaS activity, according to Europol.

“While such forums provide a crucial environment for access to cybercrime tools and services, it is not fully clear to which extent some of this activity may have shifted to more structured markets on the Darknet,” the police agency notes.

“They will all have their own different skill sets; there will be the coders, the people that write things like malware and ransomware, but they themselves can’t conduct an entire attack,” Warburton said.

“We see examples on darknet markets where really advanced programmers and coders will create very competent malware, but they'll actually reach out, asking for assistance to help distribute it because they don't know how to send out genuine-looking phishing campaigns,” he said.

Organised crime groups frequently help develop the social side of an attack, he said: “Researching a [target] organisation and researching the individuals that work for the organisation — a big part of that is using social media sites like LinkedIn, in particular to get things like names of colleagues, names of projects that people have worked on, just to make phone calls and emails look that much more authentic.”

Warburton said that a distinction can be drawn between two broad types of criminal groups: small groups or individuals that engage in cyber-dependent crimes, including DDoS attacks and distribution of malware, and “cyber enabled crime groups” — more “traditional career criminals” that are now using technology to be more effective.

However, there is a “blurring between the cyber-enabled crime gangs and the cyber-dependent ones,” he added. “Those traditional career criminals are now migrating to do far more cyber-only crimes just because it's far more profitable for them.”

In some cases, members of the public are unwittingly recruited to play a role in criminal activities: “If a crime group is looking to launder money, quite often they'll advertise jobs on roadsides: ‘$60 an hour. Working from home. No experience needed.’ Unbeknownst to them, [individuals are] transferring money illegally from one account to another account.”

Another example is language specialists recruited to provide translation services. “Without realising it, they're translating text between ransomware victims and the crime gangs who are demanding the ransom,” Warburton said.

Social engineering

Tackling so-called ‘spear phishing’ remains a key challenge for enterprises, Warburton said, particularly because of the amount of information an attacker can obtain from social media.

“We've even seen cases in America where National Security Agency staff have posted things like project names, and internal codenames of things they've worked on,” he said. “All this information really helps attackers build up an incredibly realistic looking and sounding, very targeted, spear phishing campaign.”

“What’s admittedly very hard with [preventing] any social engineering or spear phishing attack, is that it really just takes one person to be tricked into it,” he said.

Work that F5 has done with security company Webroot has shown that consistent security awareness and phishing training can reduce clicks on malicious emails from about 33 per cent down to 13 per cent.

“There’s a huge reduction, in terms of the amount of people that would click on links,” he said. “That's still 13 per cent of people that are clicking on links potentially.”

“It’s actually getting increasingly difficult to block them because attackers are now looking for ways to hide their attacks,” he added.

Security systems are “pretty good” at detecting malicious PDF and archive attachments, for example. But the majority of email-based attacks (with the exception of pure social engineering attempts) now rely on convincing a recipient to click a link.

“If you click on that link, then, ultimately the victim’s connection is going somewhere else on the Internet; the organisations have got very little control over it,” Warburton said.

In addition, attackers are getting “far more sneaky” with where they’re hosting phishing campaigns — including, in some cases, Microsoft’s Office.com being used to host forms intended to steal credentials.

“You can very easily host a form which is used like it’s a genuine tool of Office 365, used to gather feedback from customers and provide polls and Q&As,” he said. “People have used it to create very crude-looking phishing sites — but what's really tricky from an enterprise security point of view is that it’s incredibly hard to detect and block. It’s hosted on a valid Microsoft domain — it’s on Office.com. No organisation in their right mind is going to go and block Office.com at the firewall or proxy level.”

Although enterprises “might be getting a bit better at security awareness and training”, attackers are “getting ever sneakier in terms of where they're hiding their phishing domains and phishing sites,” he said.