
Anatomy of a Crimeware Syndicate, Part I

By Stefanie Hoffman | February 09, 2012

The first of a three-part series, delineated by Fortinet's Derek Manky, which closely examines crimeware syndicates' infrastructure, the current threat environment that sustains these underground networks and possible protection mechanisms for targeted organizations.

It's no secret that cyber criminals have evolved from out-of-the-basement hackers to highly organized and efficient networks employing thousands of “workers” to achieve their criminal objectives. But the criminal underground had a little help. Thus, it's not entirely surprising that the foundation and components of crimeware syndicates are often modeled after tried-and-true, and eerily familiar, legitimate corporate management infrastructure. Here's a quick and dirty breakdown.

**Affiliate Partners:** “If the criminal syndicate could be likened to a company’s C-level bench, then the workers running affiliate programs could be likened to a company’s middle managers,” Manky said. “The affiliate’s job responsibility is to simply infect as many machines as he/she can.”

**Recruiters:** While affiliates are the ones devising and executing large-scale malware campaigns, larger organizations will often be the ones that actively recruit and manage the workers, or infantry, who infect multitudes of victim machines.

**Infantry:** “As with every organization, infantry are the ground-level forces that initiate the actual infection on a user’s machine,” Manky said. Accordingly, the infantry's specific function is to infect victim computers via a multitude of vectors, including poisoned attachments and PDF files, infected social networking links, SEO attacks and malicious Web sites, among others.

**Web portal(s):** To help recruit infantry, recruiters and affiliate program leads will establish fully realized Web portals, often closed, invitation-only online forums that provide all of the tools required to begin and sustain a malware campaign.

**Programs:** Every good workforce should have an arsenal of tools at its disposal to help do its job, which usually includes fake antivirus, ransomware, adware and botnets.

And of course, like every growing business, crimeware syndicates rely heavily on a slew of flourishing services, including:

**Advertising:** “One of the most practical ways to recruit infantry is through a general purpose advertising campaign,” Manky said. “These ads could appear on Internet job boards, hacking message forums and underground IRC chat channels.”

**Crime services:** In order to grow profits, crimeware syndicates will most likely enlist crime services, usually offered by middle-men, which include consulting services, infection or spreading services, botnets and rentals, affiliate programs and onshore and offshore hosting.

**Software manufacturers/developers:** These are the people who actually create the malicious code, writing private botnets, fake antivirus software, ransomware, deployment systems and other exploit code to attack and infect systems.

**Hosting provider:** This is the place where an affiliate stores the attack content (exploit code, malware, stolen data, etc.).

**Domains:** Domains work in conjunction with the hosting provider, routing the potential victim to the malicious content on the hosting provider.

**Connections:** In order for a crimeware syndicate to grow its operation over time, it needs to be connected with other organizations and distributors. And with increasing competition, mergers and acquisitions are already occurring, such as with Zeus and SpyEye.

**Money mules:** Money mules are generally grunt workers who launder crime syndicates’ stolen profits. Often recruited through advertisements, they are used to anonymously move money from one country or bank account to another.

**Business Models & Monetization:** Yes, even an illegal company needs a business model in order to continue functioning on a day-to-day basis. Models could include pay-per-click, pay-per-purchase and pay-per-install, or more insidious methods such as ransomware or corporate blackmail.

**Management:** Management is key once the money starts flowing in. Management databases and Web portals are usually established to track how much money the syndicate is making, how many machines have been infected and how many accounts have been cracked.
