The promise of easy money remains the biggest motivation for cybercrime today. Cybercriminals thus make it their main objective to steal information that would lead them to the money, like online banking information. Once stolen, the information can be used to transfer funds illegally from victims’ accounts.

In 2013, the total amount of money stolen through this exact method in Japan has amounted to 1.4 billion yen. This is purportedly the biggest amount to date, and it seems 2014 is well on its way to catching up, with 600 million yen already stolen, according the publication of the National Police Agency (NPA). We have reason to believe that those numbers will continue to climb, which poses a challenge on how to stop cybercrime once and for all.

As part of our efforts to stop cybercrime, our dedicated team of researchers, the Forward-Looking Threat Research Team have been doing research about what it takes to prevent financial losses from online account theft by cybercriminals. Moreover, we have identified some methods to track down and identify these cybercriminals responsible, such as command-and-control (C&C) server analysis, analyzing stolen information, and malware analysis.

For instance, cybercriminals behind the recent popular banking Trojan called Citadel (TSPY_ZBOT) use WebInjects to display fake screen displays needed to carry out online banking logging theft. By analyzing the WebInject modules, it is possible to find out more about the server where the stolen information has been sent to.

Because any information from victims which victims input in the fake screen will be stored in the server, we can immediately pinpoint the existence of victims by monitoring the server’s stored information. As a result, we can quickly prevent actual financial loss through reactionary methods, such as freezing the compromised bank accounts before the money is transferred to the cybercriminals.

Figure 1. Webinject Banking Trojan’s Infection Chain

These kind of measures, of course, can’t be pulled by just a security vendor such as TrendMicro. It is absolutely necessary to collaborate with concerned organizations such as the police and the bank involved. Trend Micro’s TM-SIRT, which is a contact point of cooperation for security-raising activities in Japan, provides concerned organizations with information obtained from internal research groups such as the FTR (forward-looking threat research) team in order to help combat this kind of theft by cybercriminals.

Taking down the server involved in the financial theft is another method of combating such cybercriminal activity, but it is a temporary solution at best. This is because it may not affect the cybercriminal’s efforts as much as we would like it to be, and it may even motivate them to more sophisticated attacks.

Server monitoring is a more preferable. It allows security experts to grasp the picture of attack and control the situation better. Moreover, it may help to identify the cybercriminals by simply waiting for them to log into the server to obtain their stolen information. Server monitoring can then be expected to prevent new attacks by the same cybercriminals and also to prevent other attacks.

On April 28, Trend Micro received a certificate of appreciation from the Japan Metropolitan Police Department. This commendation was awarded for providing useful information in combating online financial theft in Japan. Trend Micro will continue to study and provide a holistic and fundamental approach to security, as well as cooperate with law enforcements around the globe for our company vision: a world safe for exchanging digital information.

The Russian Underground has been around (in an organized manner) since 2004, and has been used both as a marketplace and an information exchange platform. Some well-known centers of the Russian underground include zloy.org, DaMaGeLab, and XaKePoK.NeT. Initially, these forums were used primarily to exchange information, but their roles as marketplaces have become more prominent.

Many parts of the Russian underground today are now highly specialized. A cybercriminal with ties to the right people no longer needs to create all his attack tools himself; instead he can buy these from sellers that specialize in specific products and services. For example, you see groups that do only file encryption, or DDoS attacks, or traffic redirection, or traffic monetization. Groups are able to specialize in each of these items do what they do best and produce better, more sophisticated products. 

Perhaps the most popular product in the Russian underground economy today is traffic and various traffic-related products. Examples include traffic detection systems (TDSs), traffic direction, and pay-per-install (PPI) services. This purchased Web traffic not only increases the number of cybercrime victims; it may also be used to gather information about potential targeted attack victims.

Like any other economy, the laws of supply and demand are followed in the Russian underground. As we mentioned last week, the prices of underground goods have dropped across the board. This is generally because of the increased supply for these goods available – for example, stolen American credit cards are widely available; as a result the price has fallen. This is evident in the following chart of stolen credit card prices:

Figure 1. Prices for stolen credit cards

The same is true for stolen accounts:

Figure 2. Prices for hacked accounts

With falling prices, however, comes a loss in reliability: goods or services are not always as high-quality as advertised. Sometimes, escrow providers (known as garants) are used to try and give both parties (buyer and seller) reassurances that neither party is scamming the other.

Today, we released our updated look at the Russian Underground titled Russian Underground Revisited. This is an update to our earlier paper discussing the items which are bought and sold in various parts of the Russian underground. For this edition, we have clearly outlined the products and services being sold and what their prices are. In addition, we discuss the changes since the original paper to highlight the continued evolution of the cybercrime threat landscape.

This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.

Before the end of the month, we will release a new paper in our Cybercriminal Underground Economy Series titled Russian Underground Revisited. This is a followup to our earlier paper Russian Underground 101; both papers examined the Russian Underground and looked at the goods and services being sold inside these underground communities.

While the full details will not be published until next week, the overall finding of the report is clear: cybercrime has never been more affordable and accessible, even for lesser-skilled cybercriminals.

The lower ranks of the underground communities are often derisively referred to as “script kiddies”, but this does not mean that the damage they cause is any less consequential. Technical understanding of security flaws is not a prerequisite to exploiting them at all; they are just like the “users” of any other organization: they just want their code “to work”; the only difference here is that their code is carrying out malicious behavior.

What does this mean? For starters, it means that the volume of threats will keep on increasing for the foreseeable future. We may also see more variety in threats, if only because the attackers are more numerous than before. (One shouldn’t interpret falling prices as a sign of a failing business.) In addition, the scope and variety of the products for sale are also improving, making the resources available for “script kiddies” more powerful.

Cybercrime is a business, and the prices we’ve seen validate what we already know: that times are good, victims are plentiful, and the risk is relatively low. This is all in spite of technical solutions that have increased the security of computing devices overall. It highlights the need for cybercrime solutions that focus not just on technical issues, but also economic and legal ones as well.

How the Heartbleed bug works

In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could do in order to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.

To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

We have released into the Google Play app store the Trend Micro Heartbleed Detector. This tool is designed to help users tell if they are vulnerable to any aspect of this threat. In particular, it checks for three things:

• It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
• It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
• It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.

Figure 1. Detector application

If any vulnerable apps are detected, the detector offers to uninstall the app for the user:

Figure 2. Vulnerable app detected

We don’t recommend for users to immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps to update their apps or websites as soon as possible.

For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner allows for users to check if specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

For other users who want to check if a site is vulnerable or not, you may also do so through our Trend Micro Heartbleed Detector website.

We will continue to monitor this issue and release more information as needed.  For other posts discussing the Heartbleed bug, check our entries from the past week:

• Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed
• Heartbleed Bug—Mobile Apps are Affected Too
• Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
• Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability
  

A key part of our cybercrime research focuses on the communities that cybercriminals form. These are used in much the same way that communities of other shared “interests” are – to socialize, to get together, and to buy and sell various items of interest.

For security researchers, the activities of these underground communities – and the corresponding economies that they form – is a valuable source of threat intelligence. This allows us to examine current trends in the threat landscape, as well as look into and prepare for future threats.

Our research in the past has highlighted the wide variety of good and services available in the cybercrime underground. These range from crypters, exploit kits, and Trojans – to denial of service (DoS) attacks, proxy servers, and web traffic, and everything in between. Our research into the underground has included findings related to malicious traffic management, the reaction to the fall of the BlackHole Exploit Kit, as well as overviews of the Chinese and Russian undergrounds.

One consistent trend has been the continuing fall in prices of most goods and services. The average price of items has been dropping across the board, making these items accessible to more would-be cybercriminals. Pricier, more effective versions of these goods are available, of course – but the “average” versions of these tools are more than adequate for their purposes.

There is no shortage of targets either, with much of the world today now online. The following chart shows the number of countries with the most Internet users and thus, potential victims:

Figure 1. Countries with largest online population

There are multiple cybercrime communities around the world with various ties to each other, but they have unique characteristics that differentiate them as well. Throughout the year, we will be publishing various papers that describe various communities, as well as the economies that they create. These papers are all part of our Cybercriminal Underground Economy Series, or CUES. These papers will highlight the unique characteristics of each market, provide a summary of the good and services available, and the prices for these items.

The first paper of CUES, covering the mobile cybercrime underground in China, was released earlier this month. The CUES portal will be updated as more papers covering other economies such as those in Russia and Brazil are released.