Web Security Report Outlines Structure of Cybercrime Gangs

Written By
Brian Prince
Jul 15, 2008

Call it a cybercrime family.

In its trends report for Q2 2008, researchers at Finjan got inside the underground hacker economy and found that as threats have grown more sophisticated, so have the organizations pumping them out. Individual hackers and loosely organized groups have apparently gone the way of the dinosaur, replaced by well-structured organizations complete with a boss and underboss, according to the report, released July 15.

“I was surprised to see this mature structure,” said Finjan CTO Yuval Ben-Itzhak. “We believe somewhere in the end of 2007, somewhere in Q4, these organizations started to mature to what we present in this report. They started to work in high volumes of attacks, stealing a lot of data.”

During the last two months, the company focused on five groups as part of its research, Ben-Itzhak said.

Just like a mafia family, in the world of cybercrime, the boss of the operation is well insulated. The underboss manages the operation, providing Trojans for attackers and heading up the command and control of those Trojans. Below the underboss are “campaign managers” who lead their own attack campaigns and use their own affiliation networks as distribution channels to perform the attacks and steal the data. The stolen data is then sold by “resellers” uninvolved in the crimeware attacks themselves.

“From our research we found the average group size to be somewhere between eight to 12 people,” he said. “We didn’t find something larger than that yet. We spoke with five, but we are familiar with a few hundred.”

Competition between the groups can be fierce, as Finjan researchers reported that the commoditization of certain types of stolen data has cut profit margins. Credit card and bank account numbers with PINs not too long ago were selling for $100 each or more, according to the report. Today, prices have fallen to $10 to $20 each in some cases.

“More and more of these organizations are offering stolen data; prices are going down,” he said. “They now want to make sure you will continue working with them.”

According to Finjan’s research, the most profitable data in today’s hacker underground seems to be healthcare-related information, single sign-on login credentials, e-mail exchanges, and Outlook and FTP accounts.

“The reason we see a spike in the malware … [is] a result of the maturity of these organizations,” he said.
