Cybercrime has taken on the same hierarchy and business practices associated with legitimate enterprises, according to a draft of the Fortinet 2013 Cybercrime Report.
The draft of the report was presented to CRN at the company's Global Partner Conference, which is under way this week. The final version is expected to be made public before the end of the year.
Much like legitimate business ventures, the cybercrime-as-a-service industry "employs" people at various levels, including people with corner-office functions around decision-making and oversight, as well as other individuals responsible for infecting machines via phishing attempts, botnets, fake AV and similar efforts commonly associated with the spread of malware. "Employees" who conduct these tasks are then paid by the number of infections they deliver.
Still others will be responsible for marketing the illegal services, often at bargain-basement prices. Given the illegal nature of the activities, these efforts must be accomplished with no small degree of stealth and are often limited to specific online groups whose offerings are expected to be well received with the requisite amount of discretion.
The report states that one such service, known as "Cloud Cracking," uses high-performance, cloud-based assets to do brute-force attacks on passwords, particularly against longer passwords that would typically be assumed to be reasonably secure.
"The cloud greatly reduces the costs of computing power, and this could be used for both legal and illegal activities," said Alex Harvey, Fortinet's security strategist who co-authored the report. "It's a double-edged sword. Things that once took hours to accomplish can now be done in minutes."
Harvey described a number of websites that specialize in the cracking of passwords and usernames. At least one of them can test as many as 300 million potential passwords in a period of 20 minutes. While some people might assume that such an exploit would be very expensive, the price, according to Harvey, is only the pocket-change rate of $17.
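To put the quoted throughput in defender's terms, the following added example (not from the article or Fortinet) turns "300 million guesses in 20 minutes" into the time and money needed to exhaust a password space, so a policy owner can see which lengths and character sets fall inside an attacker's budget. It assumes the $17 figure buys one 20-minute run and that the service scales linearly across runs; both are assumptions, not claims from the report.

```python
import math

# Throughput quoted in the article: 300 million guesses in 20 minutes.
ARTICLE_GUESSES = 300_000_000
ARTICLE_MINUTES = 20
GUESSES_PER_SECOND = ARTICLE_GUESSES / (ARTICLE_MINUTES * 60)  # 250,000 guesses/s

# ASSUMPTION: the $17 price buys one 20-minute run; longer jobs cost linearly more.
DOLLARS_PER_RUN = 17.0
SECONDS_PER_RUN = ARTICLE_MINUTES * 60

# Common alphabet sizes for password policies.
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried at the quoted rate."""
    return keyspace(alphabet_size, length) / rate


def expected_seconds(alphabet_size: int, length: int) -> float:
    """Average case: a uniformly random password is found halfway through."""
    return seconds_to_exhaust(alphabet_size, length) / 2


def cracking_cost_dollars(alphabet_size: int, length: int) -> float:
    """Cost of a full sweep, billed in whole 20-minute runs (assumed pricing)."""
    runs = math.ceil(seconds_to_exhaust(alphabet_size, length) / SECONDS_PER_RUN)
    return runs * DOLLARS_PER_RUN


def survives_budget(alphabet_size: int, length: int, budget_dollars: float) -> bool:
    """True if a full sweep costs more than the attacker is willing to spend."""
    return cracking_cost_dollars(alphabet_size, length) > budget_dollars


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (6, 8, 12):
            days = seconds_to_exhaust(size, length) / 86_400
            print(f"{name:>9} len={length:2}: {days:14.3f} days, "
                  f"${cracking_cost_dollars(size, length):,.0f}")
```

Six digits fall in four seconds; eight lowercase letters survive under ten days at the quoted rate, which is why the article's advice to stop relying on the password alone is the practical takeaway.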
"You can no longer rely on usernames and passwords," said Harvey. "Two-factor authentication is still effective because, even if they crack the username and password, they still need the one-time code that is delivered by the system. Also, our FortiClient product authenticates the device itself. That means the criminals would need access to your actual computer, which is usually only at risk from inside jobs."
Once the theft is complete, the criminals use tactics similar to those of other crime syndicates to launder the proceeds, move funds to offshore locations and conduct similar operations.
Cybercriminals are also capitalizing on standard services and tools that can be either purchased or leased, depending on the nature of the attack, and the needs and resources of the customer. Examples include the renting of botnets for prices as low as $50 and the sale of exploit kits for similarly low investments, which open the world of cybercrime to groups that would otherwise lack the technological acumen to conduct the exploits on their own.
Combating the crime syndicates and the assortment of potential exploits is described in the report as a "game of cat and mouse."
"Once made available to the public, malicious software code is incredibly difficult to pull down," the draft report says. "The next best target to attack is the command-and-control center. Governments have been relatively powerless to stop it.
"However, maximum effectiveness for domain management requires global participation," it continues. "An international body that would act as a mediator for domain registration disputes and to dispatch resources to appropriate regions and share information of new trends would be best suited for this role."
At the moment, however, no such international body exists.
Fortinet's Global Partner Conference continues until Friday.
PUBLISHED NOV. 7, 2012