Cryptocurrency, Anonymous Networking, Hacker’s Darknet Markets, and lots of Prey
Back when the Internet was young, a type of hacker called script kiddies emerged. These were people who were passionate about hacking but lacked the expertise, so most of their successes came from running programs and exploits written by others. As more and more scanner/injector kits, malware kits, and other tools were made available, script kiddies were a small but growing part of the threat landscape.
Criminals have been around since the beginning of time, but cybercrime is new to the information age. It used to be that cybercriminals needed skills at every stage of the attack: reconnaissance, exploitation, evasion, etc. That was true until about five years ago, when black markets opened up with an effective currency that allowed hackers to sell their merchandise. The supply and demand sides of these markets are booming, and it is time we paid attention.
On the supply side, skilled hackers can, for the right price, package up and sell top-grade exploits, exploit distribution networks, denial of service attacks, evasion packaging, ransomware capabilities, and stolen credentials: anything that helps cybercriminals succeed in their attack objective.
On the demand side, cybercriminals no longer have to be experts in everything. In fact, they can simply be criminals and, with minimal computer skills, purchase everything they need. They ‘add to cart’ all the components and capabilities of the attack, and off they go to compromise targets and make money.
This marketplace would have emerged earlier, but two things first needed to become widely available: a network infrastructure that lets cybercriminals operate anonymously, and a currency that lets them conduct commerce anonymously. These are the TOR network and Bitcoin, respectively.
The TOR network describes itself like this: “TOR is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.” Users running the TOR software are ‘hidden’ and can conduct all kinds of activity. Sometimes called Darknet Markets, these marketplaces offer their services on the TOR network so that they too remain ‘hidden’ from the normal Internet. Intended or not, the TOR network meets the critical networking requirements for the rapid expansion of criminal activity.
Bitcoin is a virtual currency (aka cryptocurrency) with no central authority and no governmental support, yet it thrives in the digital realm despite these significant legal-tender impediments. Well before the Internet, certain transactions required not only anonymity but also strong pseudonymity. Leveraging strong cryptography, Bitcoin delivers on all of the requirements of these markets and is slowly making its way to the fringe of digital retail. Online retailer Overstock.com recently announced support for Bitcoin and reported $126,000 USD from 800 Bitcoin transactions on the first day. This is tiny compared to the volume of Bitcoin transactions in the Darknets. With Bitcoins in hand, a criminal can buy their way into being an incredibly effective cybercriminal, so we can expect cybercrime to expand exponentially as both the supply and demand sides of the markets boom.
Since cybercrime is a business, it is worth a quick side note on Bitcoin and the specific threats it has uniquely enabled. Bitcoin (BTC) is not the only cryptocurrency available, but it is one of the majors. Other majors include Litecoin (LTC), Namecoin (NMC), and PPCoin (PPC). Even if we somehow managed to take away Bitcoin, another cryptocurrency would pop up to fill its place. Until cryptocurrency, ransom-based criminal activities were underdeveloped, mainly because the money trail created too much risk for the assailants. The sudden surge in ransom-style attacks like Cryptolocker is directly associated with the capabilities of cryptocurrency as a payment method. Ransomware attacks involve a malicious program that cryptographically locks you out of your files. It then demands payment (via some cryptocurrency) within a short window of time, normally 48 hours, or you will never see your files again. Files are not the only targets: cybercriminals also hit Internet services with Distributed Denial of Service (DDoS) attacks and demand a ransom payment to restore the site's availability.
I wish I could offer you a more positive view of the battlefront we know as cybersecurity. What I can offer you is a realistic projection of growing trends that will impact your business. Even if you leave out the growing Nation State and Hacktivist activities, the growth of cybercrime alone will overshadow all other types of security-related events for one simple reason—there is money to be made. The statistics are going from staggering to ridiculous as more businesses and individuals put their data and lives on the Internet. Cybercriminals are making billions and, in short order, trending toward trillions. Until this number flattens out or starts to trend downward, your likelihood of experiencing multiple incidents per quarter is extremely high, particularly if you are “interesting” to them. Being a successful individual or business is not only your goal; it also makes you appealing to the cybercriminal.
Like never before, a perfect set of conditions for cybercrime is upon us in 2014. To see it in its entirety, we must look at factors on both the threat landscape (predator) and the target surface (prey).
Enabling the Threat Landscape
– Thriving cryptocurrency like Bitcoin
– Darknet infrastructure like TOR for anonymous networking
– Thriving Darknet Markets for specialization and modularization of cybercrimeware capabilities and stolen credentials
Expansion of the Target Surface
– Automation of Everything in business and government
– E-commerce and the explosion of online retail
– The Internet of Everything (everything becomes Information Technology (IT))
Together, all of these conditions lead to a perfect storm of cybercrime. An explosion of criminals and, simultaneously, an abundance of victims bring us never-before-seen growth in cybercrime. Look on the bright side: everyone is going to get really good at incident response until the storm passes.
TK Keanini, CTO at Lancope
Lancope, Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. Through pervasive insight across distributed networks, including mobile, identity and application awareness, Lancope accelerates incident response, improves forensic investigations and reduces enterprise risk. Lancope’s security capabilities are continuously enhanced with threat intelligence from the StealthWatch Labs research team. For more information, visit www.lancope.com.