Brian Krebs – renowned security journalist and the author of KrebsOnSecurity.com blog.
I wanna try to set the tone of this discussion in a slightly provocative way. I’ve participated in enough of these round tables on security to know that they often devolve into discussions about how consumers really are the weakest link when it comes to internet security, and if we could just educate end users more, then things would be better. The idea that our security comes down to the end user seems to be something of a truism. It’s a crutch, I think, that allows us to sorta say, just shake our heads and throw up our hands and say if only people were to read our blogs more and pay more attention to the advice, we would beat this problem, we’d be in a much better place. And in many ways, you know, this thinking to me tends to minimize the seriousness of the threat that’s facing many consumers today, as well as the threat to businesses and to our respective national and economic security and prosperity.
I’d like to present a sort of preemptive point to that line of thinking by suggesting that we start looking at the notion of cybercrime in a less passive way, start looking at it for what it is, which is, in many cases organized cybercrime activity. The big differentiator between random virus attacks and organized crime attacks is that for the most part the latter has a magnitude, more resources to throw at their targets and quite a bit more success. So I think it’s fitting that I’m speaking at a conference sponsored by a company that has made such a big play for so-called Cloud-based services.
There is at the moment a kind of fascination with operating in the Cloud, i.e. having all of our data, our protection, our servers – what have you – apart from our normal operations. And the rationale here is that by doing so you can increase efficiency and resiliency, you can reduce the risk of data loss and destruction, and of course when it comes to antivirus products, Cloud Technology really can leverage the wisdom of crowds where, you know, the community of users shares information in real time about the latest threats out there. I think Cloud Computing is a phrase that is at the same time confusing because it means different things depending on who you ask. But also, it’s very useful because it helps us focus our attention on data security – what really matters. And we only have to look at the recent cyber attacks against Google and twenty other, many other top companies to see that in some way it’s pointless to spend all of our money and resources building higher and higher walls if we’re not protecting what is supposed to be protected by those walls, and that is, the data, intellectual property and so on.
But what’s most fascinating to me about Cloud Technologies is of course the bad guys got there first. The individuals and criminal gangs that are driving most of the financial fraud and more than likely the bulk of the corporate espionage that we’re hearing and reading about so much recently, are really the ones who pioneered the Cloud, or what we refer to now as Cloud Computing. These criminal gangs do most of their work in the Cloud, including data storage, data stealing, spamming, Denial of Service attacks, the distribution and delivery of software exploits. And these cybercrime groups really are operating in top-down hierarchical groups, and many of them have set up their businesses in a sort of assembly line type of operations.
I spend a lot of my time tracking the operations of an organized cybercrime gang that appears to have more than 250 members throughout Eastern Europe, and these guys operate in very discrete divisions. One group is in charge of the research and development – you know, these are the guys that write the malware, they’re in charge of making sure that it stays one step ahead or two steps ahead of the best antivirus software technologies out there. Another group is responsible for harvesting banking credentials, checking account balances. There’s still another group that’s tasked with figuring out which banks to hit based on the methods they’ve developed to circumvent the different security mechanisms that the banks have in place. And then, there are groups that specialize in recruiting people to help them launder money. And when you see this kind of criminal operation pass the job or the task along, from one division of the gang to the other, it’s very impressive sight and it’s one that’s very, it’s actually very evocative of the drug cartels, in the way that they operate and share the profits actually. In fact, I’ve taken to calling some of the larger cybercriminal gangs ‘Cloud cartels’ because I think it concisely and accurately explains how they operate and gives sort of a real-world frame for what they are doing.
We’re all familiar with the international drug cartels, right? In a lot of ways, I think the ‘Cloud cartels’ (the criminal gangs that I think are mostly responsible for much of the cybercrime that we see today) operate in very much the same way as the drug cartels, particularly when you think about one of the biggest problems on the Internet today – spam. The desire to spread spam which in most cases advertises counterfeit commercial drugs – the parallels are pretty stark. In fact, the similarities in the business operations between the drug cartels and the ‘Cloud cartels’ extend all the way down to the street level. Their operations are so similar that these two types of cartels actually share a lot of the same terminology. For example, the illegal drug market would come to a hole, really, if it were not for the activities of the ‘drug mules’, and these are tens of thousands of individuals who physically carry the narcotics on their person, and in some cases actually ingest these drugs as they’re transmitting them across the borders into the United States and Europe.
And as I mentioned earlier, I’ve spent the better part of the last year investigating the operations of a pretty massive organized cyber gang operating in the Eastern Europe. And these guys would not earn nearly as much money if it weren’t for so-called ‘money mules’ – these are willing or unwilling people who were recruited through work-at-home job scams over the Internet. And they’re basically recruited to help move money from victim corporations (companies that these organized groups have hacked into), to help them move that money out of the United States.