Welcome to the age of the professional hacker.
As we have covered recently, cybercrime has taken on a new urgency over the past several years. Names like Zero Day, Heartbleed and CryptoLocker have made headlines, forcing average computer users to learn far more than they’d care to know about the back end of their personal laptops. For some less fortunate consumers, the education has been harder, delivered in the form of personal attacks that steal identities, credit card information and sometimes entire systems.
If the role of cybercriminals has seemed to grow more ambitious, there’s a bit of good news: you’re not crazy. Cybercrime, indeed, has grown more ambitious. The scope, frequency and severity of hacks have increased with every passing year. One of the driving factors behind this, security experts say, is a new corporatization and professionalism among hackers.
What was once a rebellious teenager has all grown up and gotten a job… except his 401(k) comes in ransomware bitcoins.
“We say it’s corporate,” said Steve Barone, founder and CEO of the cybersecurity firm CBI. “We don’t believe, we know, that there’s organized businesses stealing data… China is absolutely doing it nonstop, the Eastern Bloc countries are absolutely doing it nonstop.”
“[Security firms] have these really cool, these very impressive war centers that show the data coming in,” he added. “It looks like missile strikes, and they’re all coming from the far side of Asia or the Eastern Bloc.”
As day to day life has moved online, crime has followed, because nothing is so true as the fact that criminals will always follow the money.
And they have. According to security experts such as Barone, hackers are increasingly able to operate in the daylight, running entire businesses in permissive jurisdictions or organizing large underground networks facilitated by the anonymity of the Internet.
It’s the model that Christopher Budd suggests that companies use when thinking about the threats they face. Budd, a global threat communications manager with Trend Micro, has called this a natural evolution. As there’s more money to be made, criminals will get increasingly sophisticated in how to make it.
“Ultimately,” he said, “we’re talking about business. And as business sectors are established they grow and they evolve. You see a process of specialization that happens and componentization, people go into focus areas.”
Specialization has allowed hacking “corporations” to grow in scale and scope, taking advantage of the same compartmentalization found in any major business. As members of the team grow into their roles they become increasingly skilled at one narrow part of an operation, whether it’s moving stolen merchandise, identifying targets or coding the necessary malware.
The result, according to Budd, is not just ambitious targets but more and more dangerous attacks.
“We see increasing sophistication with what is already known, and we see increasing diversification,” he said. “Malware today is much more innovative and effective than it was ten years ago.”
He cited polymorphism as a good example of what his own team faces: a form of programming in which the code itself is built to change and adapt over time. It’s highly sophisticated coding, but it can result in malware that actually rewrites itself as it spreads from system to system.
Despite the expertise required to program polymorphic software, according to Budd it has become “the norm, not the exception” in modern security risks. It’s the result of professionalized teams, ones which recruit and develop talent to a very high level.
The Infrastructure Effect
In 2008, when the auto industry looked like it might crash, President George W. Bush began to talk about an automobile bailout and the risks of a halo effect from letting the car industry die. It’s not just autoworker jobs we have to worry about, he stressed. It’s also all of the networked jobs that rely on them: the suppliers, lawyers, food truck operators and everyone else who builds a career supporting companies like Ford and General Motors.
This happens whenever an industry hits a certain level of maturity: other businesses begin to grow around it, sharing in the profits and stability. Hacking has hit that high-water mark. Today entire support services exist to give hackers access to the resources they need, starting with the bulletproof server farm.
“Back in the day if you wanted to engage in cybercrime activities you’d have to make your own hosting,” Budd said. “You’d either stand up your own server or go out and find servers and compromise them.”
“These days, you don’t have to do that,” he added. “There are companies that specialize in what they call ‘bullet-proof hosting.’ They advertise on underground forums, they have pricing models, they have package deals and, my favorite, they even have support.”
A bullet-proof server is one run for criminals, often by criminals, in places safe from prosecution. Operators pick countries with a dicey rule of law, such as Ukraine or many parts of South America, or they’ll operate in countries where the police can be bribed. In fact, as a way of avoiding attention, many bulletproof server farms have specific policies against hosting anyone who directs attacks inward, toward the country of residence.
It often works.
Hacking, as a service industry, has grown to depend on an increasingly legitimate customer base as well.
This is a diverse field, increasingly serving the needs of government and private enterprise as well as criminals. To be sure, criminal profiteering remains an enormous component of a hacker’s business model. The health care industry has become a special target for cybercrime, specifically because of the opportunities it creates for identity theft, ransomware and intellectual property theft.
However, day-to-day citizens increasingly provide the bread and butter of the hacking community. Although once a holy grail for cybercriminals, products like credit card and banking information have become so cheap that hackers will sell thousands of records for little more than a few dollars. Today high-volume hackers have begun to target more easily commercialized products, for example entertainment and social media passwords.
“Profiling buyers in our North American Underground papers,” said Budd, “we highlight how Netflix and Spotify accounts are being sold.”
“Why would you sell a Netflix account? Who would be buying?” he added. “Well, at the end of the day, someone is deciding, ‘I want to watch Netflix but I don’t want to pay $8-15 a month. I will however pay $5 and piggyback off of someone’s account and watch for as long as I can… For something like Netflix, it almost has to be, by definition, individuals.”
The new customers are run-of-the-mill consumers: college kids or workers looking to save a few dollars on a cheap password, or backpackers out in countries like Indonesia or Cambodia where brick-and-mortar storefronts will load up an iPod with as much media as it can hold for $50.
One retail chain in Southeast Asia alone has five locations across Laos and Cambodia. Rogue Music has a website, a Facebook page and, at the time of this writer’s last visit, second stories filled with computers and employees dedicated to combing the Internet for pirated media. The shop also sells T-shirts.
On the other end of the spectrum are the big-money customers. They’re in the market for corporate secrets and, just like the bread-and-butter trade, sales are booming.
“IP’s a big deal,” Barone said. “They’re taking IP from manufacturers that have really been innovative, and the next thing you know the exact thing that took you four years to build is showing up in China in 90 days. It’s happening… We have so many customers who built the perfect mousetrap and then they see it show up in China a short time afterwards.”
“The stealing of corporate meetings and notes to get a competitive advantage is ridiculously real,” Barone added. “They’re stealing blueprints, because they want to see where this company is going to build next and what their security infrastructure looks like behind it.”
And it’s not, Barone said, just international. Customers are lining up absolutely everywhere, very much including here in the United States. As firms such as Barone’s have tracked, any company that houses secrets can become a target. Law firms, designers, factories, anyone who holds potentially valuable information can be a target.
If it sounds like the plot of a John Grisham novel, that’s not far off. But when billions of dollars are at stake, even the most legitimate company is tempted to cheat. From there it takes little more than a sneeze to set off a race to the bottom.
Cybercrime has become, for all intents and purposes, a career, with specialization, infrastructure and networks of legitimate clients spanning the world. It’s also one whose business model is constantly evolving. Barone has said that his firm expects traditional antivirus to become increasingly useless in the years to come, at least for high-end clients.
“The attacks are more malicious now than ever, and they don’t subscribe to traditional signatures, which is how antiviruses stopped them forever,” he said, referring to the structure of a virus’s code that antivirus software knows how to look for. “Signatures won’t be around much longer. [Instead] it’s going to be about being able to analyze real time code and look for abnormalities.”
But, he added on a hopeful note, between increasing sophistication on the part of security firms and increasing awareness on the part of average users, security is an increasingly achievable thing.
“It’s such a winnable race, I can’t even tell you,” he said.
Even in the age of the corporate hacker.