Future Crimes

Future Crimes Page 32

by Marc Goodman


  Crime-trepreneurs who bought the Blackshades tool kit could select the manner by which the malware would attack a machine in question, such as embedding the Trojan in a document, concealing it on a Web site, or placing it on a USB drive that would deliver its deadly payload when inserted innocently into a target’s computer. Because Blackshades was an advanced remote-access Trojan (RAT), it gave its developers complete and total control of an infected machine’s functions. As a result, Blackshades could capture keystrokes, steal passwords, launch denial-of-service attacks, hijack Facebook accounts, and install additional malware on the affected system. Worse, it was the tool of choice for would-be stalkers because it allowed its masters to remotely turn on any computer’s microphone and camera to capture any audio and video in its field of view, without giving any notice such as a little green recording light. So good was the Blackshades RAT that Bashar al-Assad’s Syrian regime used it to spy on democracy activists within the country. Though point-and-click crime and espionage tool kits are widely available for purchase at Crimeazon.com, each and every computer attack begins with the initial system penetration and malware infection, vulnerabilities that are widely available for sale in the digital underground.

  The Malware-Industrial Complex

  Nuclear scientists lost their innocence when we used the atom bomb for the very first time. So we could argue computer scientists lost their innocence in 2009 when we started using malware as an offensive attack weapon.

  MIKKO HYPPONEN

  In order for criminals, spies, militaries, and terrorists to carry out their offensive cyber attacks, they must first figure out how to exploit the information system they wish to target. As we saw with the Stuxnet attack against the Iranian nuclear enrichment site at Natanz, such operations can take years of planning and cost millions of dollars. Fortunately for those without the time and budget to devise their own cyber weapons, there is a vast shadowy black market where spies, soldiers, thieves, and hacktivists can shop for so-called zero-day exploits. As mentioned previously, these zero-day bugs have not yet been discovered by software and antivirus companies and thus handily defeat common security and firewall measures without sounding an alarm.

  In the old days, hackers used to hold on to these exploits for their personal use or attempt to sell them to software giants such as Microsoft, Yahoo!, and Google via company-established “bug bounty” programs. The rewards, however, were paltry—a mere $500 for uncovering major security holes. In frustration, hackers realized there were much better options available, including selling their security flaw vulnerabilities on the open market to criminals and governments. This realization has led to the establishment of a highly complex network of buyers, sellers, and brokers of cyber exploits in what has come to be known as the malware-industrial complex.

  Before Crime, Inc. can sell its fully packaged cyber-crime tool kits such as SpyEye and Zeus, it must amass a series of malware vulnerabilities and package them into crimeware for use by the general criminal public. It does this by funding exploit buying sprees and has the budgets to do so. One criminal hacker known as Paunch reportedly contracted with a third-party exploit dealer and provided him with a $100,000 budget to gather vulnerabilities for use in his malicious Blackhole exploit kit. Not to be outdone, another hacker, using the alias J. P. Morgan, posted a message in the Darkcode crime forum advertising that he had a budget of $450,000 to spend on zero-day exploits for use in his proprietary crimeware tool kit. Dark Net chat rooms are replete with malware shopping requirements, and posts such as “Do you have any code execution exploit for Windows 7?… If yes, payment is not an issue” are commonplace.

  The trade in cyber arms is not restricted to criminals; government security services are also frequent buyers of these tools, turning to third-party brokers to obtain their technical weaponry. One such middleman by the name of the Grugq has established himself as an exploit broker of choice, capable of negotiating significant deals between those who uncover security flaws and those who are looking to buy them for operational exploitation. In 2012, the Grugq sold an exploit for the iOS mobile phone operating system to a U.S. government contractor for a cool $250,000 (minus his standard 15 percent commission).

  A number of professional firms have emerged whose sole business model is the trafficking in computer malware exploits to governments. Companies such as Vupen in France, Netragard in Massachusetts, Endgame of Georgia, Exodus Intelligence in Texas, and ReVuln in Malta are all heavily involved in selling offensive exploits to customers around the world. While some zero-day trafficking firms vet their clients, others will sell to anybody, from Crime, Inc. to notorious dictators, no questions asked. The result, as pointed out by the noted security researcher Tom Kellermann, is that now anybody can download a cyber Kalashnikov or cyber grenade from a myriad of sites.

  Many zero-day exploits enable particularly stealthy and sophisticated attacks against specific targets, giving rise to what security researchers have termed the advanced persistent threat, or APT. APTs use extensive targeting research combined with a high degree of covertness to maintain command and control of a marked system for months or years at a time, and their use is growing. Hide, watch, and wait is the modus operandi for these cyber attacks, and good hackers always erase the system logs so you never know they were even there. Whether it has been developed by the U.S. government, China, or Crime, Inc., the likelihood of a consumer-grade antivirus product detecting one of these advanced persistent threats is effectively nil.

  Stuxnet is perhaps the most infamous of APTs, but it has cousins such as Flame and Duqu, along with many others yet to be discovered. Worse, now that Stuxnet, a tool developed to attack industrial control systems and take power grids off-line, is out in the wild and available for download, it has been extensively studied by Crime, Inc., which is rapidly emulating its techniques and computer code to build vastly more sophisticated attacks. The deep challenge society faces from the growth of the malware-industrial complex is that once these offensive tools are used, they have a tendency to leak into the open. The result has been the proliferation of open-source cyber weapons now widely available on the digital underground for anybody to redesign and arm as he or she sees fit. How long will it be before somebody picks up one of these digital Molotov cocktails and lobs it back at us with the intent of attacking our own critical infrastructure systems? Sadly, preparations may already be under way.

  Net of the Living Dead: When Botnet Zombies Attack

  A zombie apocalypse isn’t the most jovial situation.

  DANAI GURIRA (MICHONNE) IN THE WALKING DEAD

  One of the most powerful tools in a hacker’s arsenal is a botnet, a robot network of infected computers under the remote control of the hacker. These so-called zombie-infected machines are taken over and enslaved to unite in botnets, which can be used for a variety of criminal services such as spreading malware, perpetrating DDoS attacks, disseminating spam, or hosting illicit content. Computers and even mobile phones can be drafted into a botnet army upon infection by malware, particularly that served up by the prefab crimeware tool kits such as Blackshades and SpyEye, widely available for sale in the digital underground.

  Unfortunately, the malicious payload for victims of these tool kits is twofold: not only will they steal your credit card details, banking log-ons, and identity, but they also leave behind a persistent back door in your system that gives Crime, Inc. perpetual access to your machine for it to do as it pleases.

  As you sit there writing a Word document or reading CNN online, the botnet master may be simultaneously and surreptitiously using your machine for any number of criminal services. Ever wonder why your computer runs so slowly? You may be unwittingly participating in an ongoing cyber attack against others, and you have no idea it’s happening. Thank you for your service.

  Hackers have crowdsourced and off-loaded their attack to you and your computers, involuntarily embroiling you and them in their international criminal conspiracy. Crime, Inc. can even draft your computer into a peer-to-peer child pornography network, hiding sexual abuse images on your hard drive. After all, why should it risk keeping them on its own networks? As a result of your network’s insecurity and your inability to protect your own digital devices, you too are now participating in the cyber-crime economy. Just as Facebook is monetizing you and your online life, so too is Crime, Inc.

  Some of the most notorious botnets include Mariposa, Conficker, and Koobface, with new entrants such as Gameover Zeus rapidly gaining market share. According to the FBI, Gameover Zeus alone controlled more than one million computers worldwide and resulted in $100 million in financial losses. As of mid-2014, the largest botnet known to be in existence was called ZeroAccess, which on any given day had nearly two million zombie computers under its complete control. With larger and larger botnets come increasing offensive power, as these millions of computers can be trained on any target of interest selected for a distributed-denial-of-service attack. DDoS offensives work by flooding a computer system or Web site with tens of thousands of sham requests for information, thereby crashing the targeted site, leaving it off-line, unable to send e-mail, serve up Web pages, process orders, or clear bank transactions.

  Like all of Crime, Inc.’s tools and services, zombie botnets can be purchased or rented online, bringing this offensive capability into the mainstream on the cheap. In the Russian digital underground, powerful DDoS botnets can be purchased for $700 or rented for just $2 an hour, long enough to take down the typical Web site or call center. On average, nearly three thousand such attacks are launched around the world daily. Moreover, the threat is growing in sophistication as both Crime, Inc. and state actors such as Iran and China increasingly turn to the massive distributed computing power of the cloud to carry out DDoS attacks. One zombie network, known as Storm.bot 2.0, for sale on the digital underground in mid-2014 for a mere $3,000, has usurped fifteen cloud servers around the world and is capable of generating an unfathomable three hundred gigabytes per second of attack traffic, advertised as being more than sufficient to “knock small countries off-line.” The result of these botnet zombies has been the weaponization of cyberspace by Crime, Inc.

  The toll of victims affected by this type of botnet cyber extortion is growing, and even high-profile companies such as Evernote and MeetUp.com have been attacked. The panoply of malware tool kits and the millions of botnet zombies around the world are providing Crime, Inc. with powerful tools of domination that can be used as offensive weapons, cash-making machines, or both. Consequently, we’ve entered the Industrial Age of Crime, with malicious computer code churned out in assembly-line fashion, specifically developed and scripted to run on autopilot, toiling away day and night committing offenses while hackers earn healthy profits in their sleep.

  Committing Crime Automagically

  Though Crime, Inc. engages in constant business process improvement, it is not committing new crimes from scratch each and every time. In the age of Moore’s law, these tasks have been readily automated and can run in the background at scale without the need for significant human intervention. Crime automation allows transnational organized crime groups to gain the same efficiencies and cost savings that multinational corporations obtained by leveraging technology to carry out their core business functions. That is why today it’s possible for hackers to rob not just one person at a time but 100 million or more, as we saw with the Sony PlayStation and Target data breaches.

  Exploit tool kits like Blackhole and SpyEye commit crime “automagically” by minimizing the need for human labor, thereby dramatically reducing costs to Crime, Inc. They also allow hackers to pursue the “long tail” of opportunity, committing millions of thefts in small amounts so that victims don’t report them and law enforcement has no way to track them. While particular high-value targets (companies, nations, celebrities, high-net-worth individuals, or objects of affection or scorn) are specifically and individually targeted, the way the majority of the public is hacked is by automated scripted computer malware—one large digital fishing net that scoops up anything and everything online with a vulnerability that can be exploited. Given these obvious advantages, as of 2011 an estimated 61 percent of all online attacks were launched by fully automated crime tool kits, returning phenomenal profits for the Dark Web overlords who expertly orchestrated them. Modern crime has become reduced and distilled to a software program that anybody can run at tremendous profit.

  Not only can botnets and other tools be used over and over to attack and offend, but they are even enabling the commission of much more sophisticated crimes such as extortion, blackmail, and shakedown rackets. In an updated version of the $500 million Ukrainian Innovative Marketing solutions “virus detected” scam, Crime, Inc. has unleashed a new torrent of malware that can hold your computer hostage until a ransom is paid to regain access to your own files. Known as ransomware, these attack tools are included in a variety of Dark Net tool kits, such as Gameover Zeus. There are several varieties of this scam, including one that purports to come from law enforcement. Around the world, users who become infected with the Reveton Trojan suddenly have their computers lock up and their full screens covered with a notice, allegedly from the FBI. The message, bearing an official-looking large, full-color FBI logo, states that the user’s computer has been locked for reasons such as “violation of the federal copyright law against illegally downloaded material” or because “you have been viewing or distributing prohibited pornographic content.”

  To unlock their computers, users are informed that they must pay a fine ranging from $200 to $400, only accepted using a prepaid voucher from Green Dot’s MoneyPak, which victims are instructed they can buy at their local Walmart or CVS. To further intimidate victims and drive home the fact that this is a serious police matter, Crime, Inc. prominently displays the alleged violator’s IP address on their screen as well as snippets of video footage previously captured from the victim’s Webcam. The scam has successfully targeted tens of thousands of victims around the world, with the attack localized by country, language, and police agency. Thus users in the U.K. see a notice from Scotland Yard, other Europeans get a warning from Europol, and victims in the United Arab Emirates see the threat, translated into Arabic, purportedly from the Abu Dhabi Police HQ.

  Another, even more pernicious type of automated extortion has emerged in the form of CryptoLocker, a Trojan that actually encrypts all the files on a victim’s computer so that they can no longer be read or accessed. Alarmingly, the malware presents a ticking-bomb-type countdown clock advising users that they only have forty-eight hours to pay $300 or all of their files will be permanently destroyed. Akin to threatening “if you ever want to see your files alive again,” these ransomware programs gladly accept payment in Bitcoin. The message to these victims was no idle threat. Whereas previous ransomware might trick users by temporarily hiding their files, CryptoLocker actually uses strong 256-bit Advanced Encryption Standard cryptography to lock user files so that they become irrecoverable. Nearly 250,000 individuals and businesses around the world have suffered at the hands of CryptoLocker, earning an estimated $30 million for its developer.

  Automated ransomware tools have even migrated to mobile phones, affecting Android handset users in certain countries. Not only have individuals been harmed by the CryptoLocker scourge, so too have companies, nonprofits, and even government agencies, the most infamous of which was the Swansea Police Department in Massachusetts, which became infected when an employee opened a malicious e-mail attachment. Rather than losing its irreplaceable police case files to CryptoLocker, the agency was forced to open a Bitcoin account and pay a $750 ransom to get its files back. The police lieutenant Gregory Ryan told the press he had no idea what a Bitcoin was or how the malware functioned until his department was struck in the attack.

  As we have seen throughout this chapter, a journey into the abyss can be a dark and scary place. Yet within this world, Crime, Inc. has evolved highly sophisticated methods of operation to sell everything from methamphetamine to child sexual abuse live streamed online. It has rapidly adopted tools of anonymity such as Tor to establish Dark Net shopping malls, and criminal consulting services such as hacking and murder for hire are all available at the click of a mouse. Untraceable and anonymous digital currencies, such as Liberty Reserve and Bitcoin, are breathing new life into the underground economy and allowing for the rapid exchange of goods and services. With these additional revenues, Crime, Inc. is becoming more disciplined and organized, significantly increasing the sophistication of its operations. Business models are being automated wherever possible to maximize profits, and botnets can threaten legitimate global commerce, easily trained on any target of Crime, Inc.’s choosing. Fundamentally, it is done. The computing and Internet crime machine has been built. With these systems in place, the depth and global reach of Crime, Inc.’s power mean that crime now scales, and it scales exponentially. Yet for as bad as this threat is today, it is about to become much worse, as we hand Crime, Inc. billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things.

  CHAPTER 12

  When All Things Are Hackable

  We’re still in the first minutes of the first day of the Internet revolution.

  SCOTT COOK, INTUIT

  Even in the age of the Internet, buying a car can be an expensive, frustrating, and laborious process. It’s even worse if you are unemployed or have limited resources. Fortunately, Texas Auto Center in Austin caters to just these customers, promising a car for everyone, “no matter if you have good credit, bad credit, a bankruptcy, repossession, or no credit at all.” Of course when times are rough, people do get behind in their loan payments, and repossession rates at some dealerships run as high as 45 percent. Repossessing cars is never fun, either for those who are about to lose their primary means of transportation or for the dealers who have to send out a fleet of tow trucks in search of the car. These vehicles are often purposefully hidden by those who know they are facing repossession. When the repo man and his tow truck eventually come calling, tempers flare, and many repo men have been punched, kicked, spit upon, bitten, stabbed, and even shot to death trying to recover the dealer’s property. Surely there had to be a better approach, and Texas Auto Center thought it had found just the solution.
