When we think of the cyber criminal underground, there is one country that immediately comes to mind: Russia. In many ways, Russia is the global capital of cyber crime, thanks to its incredibly powerful underground – a vast network of cyber criminals that has grown over the years. In a series of industry papers, Trend Micro contributor Max Goncharov traced the rise of the Russian cyber underground and the particular circumstances that have given rise to Russia as the locus of malware development worldwide.
In his exhaustively researched papers, including one entitled "Russian Underground 101", Goncharov detailed the enormous array of threats actively being developed in Russia thanks to a carefully calculated and wide-ranging system of collaboration among the nation's threat actors. While many cyber fraudsters work in isolation, the real strength comes in numbers and big sales, and the members of the Russian underground know this. That is why they have dedicated themselves not only to developing new strains of ransomware, exploits, trojans, botnets, rootkits and all other manner of malware, but also to selling them on the underground market, a place where improvements to the various malicious strains are made constantly, meaning that malware is always evolving.
While there is a lot of media attention devoted to the proliferation of cyber crime and the impact it has on every industry out there, there is decidedly less coverage of the way it functions according to a clear business model. With regard to Russia, for instance, the Russian cyber criminal underground is not something that has gotten significant media attention outside of Goncharov's reports. It is interesting, then, to compare that lack of attention to the absolute flood of media coverage that accompanied another Russia-specific cyber event: the threat that hackers posed to Sochi visitors during the 2014 Olympic Winter Games.
At the time, it seemed that every media organization present in the city had its own take on the story. At NBC, for instance, Richard Engel provided coverage describing how he was personally hacked within a day of arriving in Moscow. There's no doubt about why the Sochi stories were so numerous: They were examples of cyber crime in action – and that's the kind of thing that makes for good headlines. In the midst of this kind of coverage, stories about the inner workings of cyber criminals can become sidelined.
The lack of focus on cyber crime as a business, however, is an oversight that people like Goncharov are seeking to correct. Just as there is a market for Internet of Things devices, health care technology and educational software, there is a market for cyber crime, and that is what the criminal underground represents. But it is a mistake to assume that the cyber underground is unique to Russia, or to any other single place for that matter. The global nature of cyber crime, after all, means that an underground can crop up wherever criminals organize on a significant scale. And there is another place where that has happened: North America.
The North American underground
A recent Trend Micro report by Kyle Wilhoit and Stephen Hilt, members of the Forward-Looking Threat Research (FTR) Team, illustrated how North America has a thriving cyber criminal underground, one that has grown over the years thanks to the significant level of competition within it. Broadly characterizing the North American underground, Wilhoit and Hilt point out that it is fundamentally different from its counterparts in other regions.
"The North American underground does not rely on limiting access for sustainability. It does not close its doors to novices. On the contrary, it encourages cybercriminal activity," Wilhoit and Hilt wrote.
So while the Russian underground is cloaked in secrecy and requires a degree of undercover work to study, the North American underground is a bit more out in the open; some of its services, in fact, are even promoted on platforms like YouTube. The greater visibility of the North American underground makes it ripe for the kind of study that Wilhoit and Hilt produced.
Here are some of the more notable findings to come out of their report:
- The visibility of the underground has a purpose: The subtitle of the Trend Micro report about the underground is "The Glass Tank," which aptly describes what the underground is in North America. Instead of a highly secretive arena whose dealings take place in the shadows, the North American underground is mostly an open forum, or as open as an underground operation can be, anyway. But the high degree of visibility within the underground isn't the result of sloppy organization; instead, it's a strategic move on the part of its participants to drive up the number of potential customers and ultimately reap bigger profits.
- Just because the underground is often above ground doesn't mean it's easy to investigate: One might assume that the more open nature of the underground means authorities will have an easy time bringing its participants to justice. But this isn't the case. A glass tank, in addition to being transparent, is also fragile. When it comes to the underground, this fragility is manifested in the ephemeral nature of the underground sites. One minute an underground site is available, and the next it's gone. This state of flux makes it very challenging for authorities to accurately track and map the malicious activity taking place within the sector.
- Bulletproof hosting services abound: BPHS come into play because cyber criminals need to be able to carry out their criminal work while remaining undetected. In this way, BPHS are an absolute necessity: "BPHS providers allow users to store anything, including malicious content like phishing sites, pornographic materials, and command-and-control (C&C) infrastructure," Wilhoit and Hilt stated. "As such, many major cybercriminal groups would not be able to operate without the aid of BPHSs with legitimate business fronts that shield them from the prying eyes of law enforcement." Not surprisingly, within the North American underground, there are a lot of options for BPHSs: "Various BPHS offerings can be found in the North American underground. Custom BPHS tailored to specific needs can be obtained for US$75 per month. This comes with a single Internet Protocol (IP) address and 100GB of hard disk drive (HDD) space on a machine with a 2GB random-access memory (RAM). Note though that basic access to a bulletproof server can also be obtained for as low as US$3 a month."
- There are ample opportunities for malware buyers to learn new hacking tips: Some malware developers prefer to remain secretive about their methods, selling their malicious strains but otherwise having no communication with those who are buying them. But this is not the dynamic on display within the North American underground, where, as Wilhoit and Hilt discovered, much of the malware for purchase is accompanied by technical support that comes straight from the developers. This support puts buyers in a better position to do more damage with whatever malicious strain they're buying.
- DDoS attacks are being sold for cheap: If you've ever wondered why DDoS attacks occur with such frequency, one of the reasons has to do with the price of purchase. According to the Trend Micro report, DDoS packages are now being sold for pretty cheap prices. Wilhoit and Hilt provided examples of DDoS attack service packages that were going for as cheap as $4. With prices like these, it's not hard for amateurs with little to no malware development experience to carry out attacks of their own. It's important to keep in mind, after all, that cyber crime is a for-profit venture, and that those at the bottom of the ladder are unskilled individuals whose infractions amount to petty theft.
- Stolen account credentials are also a big issue: Hate having to shell out $7 or so a month for your Netflix account? Or do you want Hulu Plus without those pesky fees? Cyber criminals cater to these individuals, who also don't mind committing a crime, by offering them stolen account credentials. The idea is that you pay a small sum for the credentials and then get unfettered access to the compromised individual's account, provided, however, that the compromised user does not change his or her password. These days, the going rate for access to a stolen Spotify account is $2. If you want access to a verified PayPal account, however, that will cost you $9, since of course you can do more damage with that kind of access. Of course, you could always settle for a middle ground between these two services by getting illegal access to a Netflix account, the going rate for which is $5.
- The future of the underground might not be so bright: There's one key difference between North America and other regions that will work in favor of the good guys: the strength of law enforcement. As Wilhoit and Hilt stated, North America collectively has one of the best and most coordinated law enforcement efforts in the world. And law enforcement isn't standing around and watching passively as cyber criminals carry out their dirty work. Instead, law enforcement officials in North America are at the forefront of cutting-edge strategic efforts to track and bring down cyber criminals. Just as hacking is evolving, so is policing, and as authorities develop more sophisticated strategies for nabbing hackers, that could spell serious trouble for the North American underground.
Where hackers like to hide
The key element of the cyber underground is its secrecy. Everything happens below the surface, in arenas that are very hard to monitor and trace. The covert nature of cyber criminals within the underground points to the broader issue of cyber criminals succeeding at consistently flying under the radar. These days, hackers are hiding practically everywhere they can, meaning that a threat could be just around the corner for you if you're not careful.
The underground illustrates how effective hackers can be at organizing in an under-the-radar way. It's this same silent-but-deadly approach that makes them such a threat to their victims, whether those are organizations or individual computing users. Here are some of the places that hackers like hiding the most:
- Inside Dropbox accounts: People use Dropbox to easily store significant volumes of personal data. But the service may be playing unwitting host to more than your files: as Beta News reported, a group of hackers called admin@338, currently suspected to be tied to the Chinese government, is carrying out malicious attacks whose command-and-control infrastructure can be tied to Dropbox accounts. The fact that cyber criminals are able to use Dropbox for their malicious purposes should give you an idea of the legitimate services they are able to stealthily harness for their own criminal ends.
- On adult websites: It should come as no surprise that hackers love to target pornographic websites. But as Komando's Justin Ferris pointed out, most of the malicious activity we typically associate with porn sites requires some action on the part of the individual, namely downloading. Malware-laden downloads are one of the most common malicious types linked to porn sites, but they require the computing user to make the conscious decision to download something. The concern these days, however, is that malvertising is becoming increasingly common on porn sites, and as Ferris stated, this malware type "skips embedding malicious code on a website and instead puts it in the system serving ads to the website." That is a problem for visitors to these sites who think that because they do not download anything they are not at risk.
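The Dropbox item above describes command-and-control hidden inside a legitimate cloud service. As an added example (not code from the Trend Micro report or the Beta News article), the following Python pass runs over constructed proxy log lines and flags hosts that contact Dropbox API domains from an unexpected user agent at machine-regular intervals, the traffic shape such a channel tends to leave. The domain list, the approved-client user-agent prefix and the log line format are assumptions made for the demonstration.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): timestamp, source host,
# destination host, user agent, bytes sent. ws-17 is a normal user syncing
# files; ws-42 polls the API every ~5 minutes from an unexpected user agent.
PROXY_LOG = """\
2015-11-02T09:00:03Z ws-17 api.dropboxapi.com "DropboxDesktopClient/3.10" 2048
2015-11-02T09:01:47Z ws-17 content.dropboxapi.com "DropboxDesktopClient/3.10" 981234
2015-11-02T09:00:10Z ws-42 api.dropboxapi.com "Mozilla/4.0 (compatible; MSIE 7.0)" 512
2015-11-02T09:05:11Z ws-42 api.dropboxapi.com "Mozilla/4.0 (compatible; MSIE 7.0)" 517
2015-11-02T09:10:09Z ws-42 api.dropboxapi.com "Mozilla/4.0 (compatible; MSIE 7.0)" 509
2015-11-02T09:15:10Z ws-42 api.dropboxapi.com "Mozilla/4.0 (compatible; MSIE 7.0)" 514
2015-11-02T09:20:11Z ws-42 api.dropboxapi.com "Mozilla/4.0 (compatible; MSIE 7.0)" 511
2015-11-02T09:33:40Z ws-17 api.dropboxapi.com "DropboxDesktopClient/3.10" 2101
"""

# Assumptions: the cloud-storage hostnames to watch, and a placeholder prefix
# for the organisation's approved Dropbox client (tune both for a real network).
CLOUD_STORAGE_DOMAINS = ("api.dropboxapi.com", "content.dropboxapi.com")
EXPECTED_UA_PREFIXES = ("DropboxDesktopClient/",)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

def parse_log(text):
    """Yield (timestamp, host, dest, user_agent, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {(host, user_agent): mean_gap_seconds} for hosts whose requests to
    cloud-storage APIs come from an unexpected user agent at near-fixed intervals.
    cv = pstdev/mean of the inter-request gaps; a low cv means a timer-driven beacon."""
    groups = {}
    for ts, host, dest, ua, _ in parse_log(text):
        if dest in CLOUD_STORAGE_DOMAINS and not ua.startswith(EXPECTED_UA_PREFIXES):
            groups.setdefault((host, ua), []).append(ts)
    suspicious = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            suspicious[key] = round(avg)
    return suspicious

for (host, ua), period in find_beacons(PROXY_LOG).items():
    print(f"{host}: {ua!r} polls cloud storage every ~{period}s")
```

The sync client's bursty, allowlisted traffic is ignored, while the fixed five-minute cadence from ws-42 is reported for follow-up.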
With threats mounting for organizations, the time has arrived to bolster security measures with top-tier protection. After all, the North American underground has a strong presence, and hackers are apt to hide just about anywhere. They're always lurking waiting to carry out that next attack, which is why it's imperative for individuals and organizations to drive up their defenses and always operate in a proactive mode. A total user protection package can play a significant role in providing that proactive solution.