Fraudsters Point Their Guns at the Infrastructure

They don’t call it “the war against cybercrime” for nothing. What goes on today in the cyber realm bears many similarities to a full-blown war between two factions. On one side you have the evil carder empire, a group of shady individuals collaborating for the sake of personal gain. On the other, you have the “Alliance”.

While not exactly a group of rebels, its members do come from various parts of the galaxy – law enforcement, industry and independent security researchers. Each faction has its own weapons. The fraudsters have malware, phishing, social engineering and other tools at their disposal, while the “Alliance” mainly has the ability to take legal action and to “sit” on the infrastructure. There’s a constant arms race between the two factions, with current tools being improved and new ones being developed. The fraudsters keep adding more sophisticated features to their malware and productize services in order to streamline the fraud process. On the other hand, security companies invest a lot of resources in the development of better security measures and policies, while law enforcement agencies invest in education and in improving the collaboration between the various members of this “Alliance”.

Warlike tactics are employed by each of the factions; security companies and financial institutions – the main defensive arm of the faction – build barricades to stop attackers. The fraudsters, on the other hand, try to outflank them by finding ways to circumvent these defenses, whether those are based on technology or on social engineering. Another tactic that is often used in real-life wars is the targeting of the enemy’s infrastructure.

Wars are won and lost based on supplies, and taking those out can be a crucial blow to the enemy, one that is felt on the front lines. Cyber warfare is no different, and fraudsters’ infrastructure has been a target since the early days of online fraud. Multiple organizations (RSA included) invest resources in taking down phishing and malware attacks, with additional efforts focused on disconnecting rogue hosting providers. Bulletproof (rogue) hosting providers are the ones that host malware attacks and other services for their miscreant customers.

Alas, gunning down the enemy’s infrastructure isn’t exclusive to the good guys. In fact, fraudsters are also pointing their weapons at our infrastructure. While their infrastructure is taken down with “Cease & Desist” letters and court orders, fraudsters have their own arsenal at their disposal – malware that is capable of launching distributed denial-of-service (DDoS) attacks. The recent RSA FraudAction Research Lab blog post discussing SpyEye’s new features mentions that SpyEye now has a plugin which enables the malware to launch DDoS attacks against SpyEye Tracker. As the name suggests, the abuse.ch-operated site tracks resources used by SpyEye botnets – infection points, drop servers, C&Cs and more. The volunteer-operated site provides important, regularly updated information to security researchers, becoming part of their infrastructure and arsenal.

DDoS attacks against the good guys’ infrastructure are old news and quite a common occurrence. “Zeus Tracker”, the sister site of “SpyEye Tracker”, was also hit by DDoS attacks in the past, much like sites such as BobBear and Spamhaus. These sites are a popular target for fraudsters since they hurt their bottom line by shortening the time it takes to shut attacks down.

While such attacks are not uncommon, this is the first time we’re seeing an actual plugin for a banker Trojan that specifically targets the security site that would most likely track it.

DDoSing a website is not the only weapon in the fraudsters’ arsenal used for targeting our infrastructure. Another recent development discovered by the FraudAction Research Lab is a list of “collectors” for a SpyEye Trojan. This list includes the URLs from which the Trojan downloads its configuration files. While such lists are not a novel Trojan concept, this particular list contains the domains “google.com”, “vkontakte.ru” (a popular Russian social networking site) and “myspace.com” as sources for the malware’s configuration updates. The bot-herders behind this botnet didn’t hack into Google, nor did they compromise MySpace or Vkontakte; they merely added these domains to the list in the hope that security researchers would automatically submit them to “SpyEye Tracker” (and other similar sites), reporting them as the botnet’s resources. This in turn would “pollute” the tracking websites with legitimate domains, undermining the Trojan trackers’ credibility. A similar tactic was used with a fake mules story reported by the RSA Research Lab in October 2009, one designed to throw malware researchers off their tracks.
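The pollution trick above works only if extracted collector URLs are submitted to a tracker without review. The following added example (not code from the original post or from any tracker project) shows one defensive triage step: hostnames that fall under a constructed allowlist of well-known legitimate domains are routed to manual review instead of being auto-submitted, while matching is done label-wise so that look-alike hosts such as `google.com.<something-else>` are not mistaken for the real domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist of well-known legitimate registrable domains, seeded
# with the three names the post mentions. Assumption: in practice the tracker
# operator maintains a much larger, curated list.
KNOWN_GOOD_DOMAINS = {"google.com", "myspace.com", "vkontakte.ru"}


def extract_host(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_known_good(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one.

    Label-wise suffix matching is deliberate: 'www.google.com' matches
    'google.com', but 'google.com.cfg-update.example' does not.
    """
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def triage_collectors(urls):
    """Split collector URLs into an auto-submit list and a manual-review list.

    Each review entry carries the reason, so an analyst can tell a suspected
    pollution attempt from a merely unparseable entry.
    """
    submit, review = [], []
    for url in urls:
        host = extract_host(url)
        if not host:
            review.append((url, "unparseable host"))
        elif is_known_good(host):
            review.append((url, "allowlisted domain, possible tracker pollution"))
        else:
            submit.append(url)
    return submit, review


# Constructed sample collector list: legitimate domains mixed in with a
# look-alike host and an (RFC 5737 documentation) IP address.
SAMPLE_COLLECTORS = [
    "http://google.com/cfg.bin",
    "http://www.myspace.com/x/update.bin",
    "http://vkontakte.ru/settings.bin",
    "http://google.com.cfg-update.example/cfg.bin",
    "http://198.51.100.23/spy/cfg.bin",
]

if __name__ == "__main__":
    to_submit, to_review = triage_collectors(SAMPLE_COLLECTORS)
    print("auto-submit:", to_submit)
    print("manual review:", to_review)
```

Entries sent to review should not simply be discarded: a legitimate domain can still be hosting a malicious file, so the analyst decides, but the tracker is never polluted automatically.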

As the arms race continues at full steam and the war rages on, it is safe to assume that both opponents will continue to develop their existing tactics and adopt new ones. Organizations and individuals who operate sites used as cybercrime analysis infrastructure should know that they are becoming prime targets in this battle and would benefit from preparing accordingly. As fraudsters harden their networks to counteract the security industry’s takedown attempts, strategic steps should be taken to ensure that our infrastructure is safer still.

Long live the Alliance!
