DOCSLIB.ORG

Measuring Botnets in the Wild: Some New Trends

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Measuring Botnets in the Wild: Some New Trends Measuring Botnets in the Wild: Some New Trends ∗ Wentao Chang1 Aziz Mohaisen2 An Wang1 Songqing Chen1 1George Mason University 2Verisign Labs {wchang7, awang10, sqchen}@gmu.edu [email protected] ABSTRACT machines [14, 16, 17] . While the passive analysis approach does Today, botnets are still responsible for most large scale attacks on reveal much valuable information about particular botnet-related the Internet. Botnets are versatile, they remain the most power- behaviors, some of the insight on longitudinal activities is absent ful attack platform by constantly and continuously adopting new since the approach only considers a small portion of bots at a given techniques and strategies in the arms race against various detec- time [28,8]. Infiltration is another technique adopted in recent tion schemes, . Thus, it is essential to understand the latest of the studies [4,1, 10], where an actual malware sample or a client is botnets in a timely manner so that the insights can be utilized in to simulate a bot. However, attackers have unfortunately learned to developing more efficient defenses. In this work, we conduct a adapt, and most current botnets use stripped-down IRC or HTTP measurement study on some of the most active botnets on the In- servers as their centralized command and control channels. It is ternet based on a public dataset collected over a period of seven unlikely to obtain a lot of information about other bots by simply months by a monitoring entity. We first examine and compare the joining the botnet. An effective effort to understand botnets would attacking capabilities of different families of today’s active botnets. require reverse engineering, passive and active measurements. Our analysis clearly shows that different botnets start to collaborate On the defense front, a lot of efforts have been made to detect when launching DDoS attacks. bots and botnets. While many detection schemes have been de- veloped [25, 16, 22], attackers have been constantly adopting new technologies and improving their attacking schemes. For example, 1. INTRODUCTION various generations of botnets have been shown to use HTTP and Botnets are one of today’s most challenging cybersecurity threats, P2P technologies, instead of IRC, for their operations [11, 15, 27]. and promise to remain a serious threat for many years to come. A The arms race between malware developers and defenders is botnet is typically comprised of a network of infected machines endless. Thus, it is essential to continuously track and understand called bots, which are often under the control of a malicious entity, the latest strategies of attackers in manipulating botnets for attacks. called the botmaster. Botnets are notoriously known as one of the A timely understanding can provide important insights to guide the primary attack platforms that cybercriminals use to carry out ma- building of effective defenses. To this end, in this study we perform licious and harmful actions, such as distributed denial of service an in-depth analysis of botnet strategies based on recent botnet traf- (DDoS) attacks, spam distribution, phishing, scanning and network fic, resources enumeration and activities profiling. Data used in this exploration, against pieces of infrastructures and services. Reports study is obtained by utilizing active and passive monitoring, and us- have highlighted the devastating operational impact, size, and con- ing state-of-the-art reverse-engineering and protocol analysis tech- sequences that a botnet attack can bring to Internet services. For ex- niques for 23 different botnet families. The data obtained in this ample, it was recently reported that a collection of just 3,000 open study is enriched by traffic observed at a large number of Internet Domain Name System (DNS) resolvers were capable of generating vantage points on the Internet in about seven months of monitoring. 300 Gbps DDoS attack traffic [19], and taking down Spamhaus, a Our study reveals several interesting new trends of botnet man- popular spam tracking service. agement. In this paper, our contributions include the following: On the botnet analysis front, significant research efforts have been made to gain a better understanding of the botnet phenomenon • We conduct a large-scale measurement study to investigate and landscape. A common approach to study botnets is to perform botnet characteristics and describe botnet behaviors. The passive analysis of abnormal behaviors produced by bot-infected analysis results help make better comprehension of the wide variety of existent botnet families in the wild. ∗The views and opinions expressed in this paper are the views of the author, and do not necessarily represent the policy or position • Some bots are dedicated and heavily re-used by different bot- of VeriSign, Inc. net families. Similar collaborations are also found within various generations of the same botnet family. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed To the best of our knowledge, some of the insights and opera- for profit or commercial advantage and that copies bear this notice and the full cita- tion aspects of botnets in this paper are not reported before. We tion on the first page. Copyrights for components of this work owned by others than expect these results can help improve our understanding of botnet ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- operations and devise new defense schemes. publish, to post on servers or to redistribute to lists, requires prior specific permission The remainder of the paper is organized as follows. Section 2 de- and/or a fee. Request permissions from [email protected]. scribes our dataset and section 3 presents characterization of botnet ASIA CCS’15, April 14–17, 2015, Singapore.. Copyright c 2015 ACM 978-1-4503-3245-3/15/04 ...$15.00. families. In Section 4, we discuss the possibility of collaborations http://dx.doi.org/10.1145/2714576.2714637. among the botnets by identifying reused bots, while Section 5 dis- cusses related work. We conclude in Section 6 with a discussion about future work. Table 1: Summary statistics of 16 Botnet Families Family Name Active Period Botnet Size 2. DATASET Aldibot 11/01/12-03/24/13 12,075 Armageddon 08/29/12-03/24/13 171 Some research efforts on botnet measurements have focused on Blackenergy 08/29/12-03/24/13 498,925 the taxonomy and classification of botnets by analyzing botnet be- Colddeath 08/29/12-12/19/12 1,859 havior and common characteristics, such as architecture, command Conficker 08/29/12-03/24/13 667,523 and control channels, communication protocols and evasion tech- Darkcomet 12/02/12-03/24/13 4,019 niques [12, 20]. These efforts have mainly been done via passive Darkshell 08/29/12-03/24/13 4,886 measurement or infiltration. Thus, they usually focused on specific Ddoser 11/13/12-03/07/13 35 botnets. Different from these approaches, our dataset is provided Dirtjumper 08/29/12-03/24/13 837,297 by the Team Cymru Community Service [26]. The dataset is based Illusion 08/29/12-03/24/13 47,887 on Team Cymru’s constant monitoring of Internet critical infras- Nitol 08/29/12-03/24/13 15,230 tructure to aid intelligence gathering concerning the state of the art Optima 08/29/12-03/24/13 362,157 of attack posture, using both active and passive measurement tech- Pandora 10/11/12-03/24/13 17,418 niques. For active measurements and attribution, malware families Torpig 08/29/12-03/24/13 1,260 used in launching various attacks are reverse engineered, and la- Yzf 08/29/12-02/11/13 7,937 beled to a known malware family using best practices. Hosts par- Zeus 08/29/12-03/24/13 175,343 ticipating in the given botnet, by either communicating with pieces of infrastructure infected by that malware family (e.g. the com- mand and control) are then enumerated and monitored over time, and their activities are logged and analyzed. Similar to the metrics used in [1], we define the botnet size as As each botnet evolves over time, new generations are marked by the total number of unique IP addresses that were once recruited in their unique (MD5 and SHA-1) hashes. Traces of traffic associated their lifetime by the specific botnet. As the last column of Table1 with various botnets are then collected at various anchor points on shows, the botnet size of different families varies significantly. The the Internet, via the cooperation of many ISPs all over the world, botnet size is as large as 837 thousand for Dirtjumper or as small and analyzed to attribute and characterize attacks. The collection as 35 for Ddoser. Based on the botnet size, we can classify them of traffic is guided by two general principles: 1) that the source of into different groups. The large botnet families own more than the traffic is an infected host participating in a botnet attack, and 2) 100 K bots with unique IP addresses, including Dirtjumper, the destination of the traffic is a targeted client, as concluded from Conficker, Blackenergy, Optima and Zeus in descend- eavesdropping on C&C of the campaign using a live sample. ing order. 90% of bots found in our dataset are employed by these By tracking temporal activities of 23 different known botnet fam- large botnet families at least once. The medium group includes ilies in the wild, the monitors of the company generate a log dump botnet families with the number of bots ranging from 10 thousands every hour from 08/29/2012 to 03/24/2013, a total of 207 days, or to 100 thousands, such as Illusion, Pandora, Nitol and about 7 months.
Load more

Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Fortinet's March Threatscape Report Shows Domination of Ransomware and Troublesome Zero-Day
    Fortinet's March Threatscape Report Shows Domination of Ransomware and Troublesome Zero-Day Rise of Ransomware Is Primarily Driven by Bredolab and Pushdo Botnets SUNNYVALE, CA, Apr 01, 2010 (MARKETWIRE via COMTEX News Network) -- Fortinet(R) (NASDAQ: FTNT) -- a leading network security provider and worldwide leader of unified threat management (UTM) solutions -- today announced its March 2010 Threatscape report showed domination of ransomware threats with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting the victim's PC. Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet "loaders" -- Bredolab and Pushdo. Another important finding is the aggressive entrance of a new zero-day threat in FortiGuard's top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25 percent of the detected activity last month. Key threat activities for the month of March include: -- SMS-based Ransomware High Activity: A new ransomware threat -- W32/DigiPog.EP -- appeared in Fortinet's top ten malware list. DigiPog is an SMS blocker using Russian language, locking out a system and aggressively killing off popular applications like Internet Explorer and Firefox until an appropriate code is entered into a field provided to the user. To obtain the code, a user must send an SMS message to the provided number, receiving a code in return. Upon execution, DigiPog registers the user's MAC address with its server. It is the first time that SMS-based ransomware enters Fortinet's top ten list, showing that the rise of ransomware is well on its way.
    [Show full text]
  • PC Anti-Virus Protection 2011
    PC Anti-Virus Protection 2011 12 POPULAR ANTI-VIRUS PROGRAMS COMPARED FOR EFFECTIVENESS Dennis Technology Labs, 03/08/2010 www.DennisTechnologyLabs.com This test aims to compare the effectiveness of the most recent releases of popular anti-virus software1. The products include those from Kaspersky, McAfee, Microsoft, Norton (Symantec) and Trend Micro, as well as free versions from Avast, AVG and Avira. Other products include those from BitDefender, ESET, G-Data and K7. The tests were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of the software available. A total of 12 products were exposed to genuine internet threats that real customers could have encountered during the test period. Crucially, this exposure was carried out in a realistic way, reflecting a customer’s experience as closely as possible. For example, each test system visited real, infected websites that significant numbers of internet users were encountering at the time of the test. These results reflect what would have happened if those users were using one of the seven products tested. EXECUTIVE SUMMARY Q Products that block attacks early tended to protect the system more fully The nature of web-based attacks means that the longer malware has access to a system, the more chances it has of downloading and installing further threats. Products that blocked the malicious and infected websites from the start reduced the risk of compromise by secondary and further downloads. Q 100 per cent protection is rare This test recorded an average protection rate of 87.5 per cent. New threats appear online frequently and it is inevitable that there will be times when specific security products are unable to protect from some of these threats.
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • The Trojan Wars: Building the Big Picture to Combat Efraud
    THE TROJAN WARS: BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC THREAT INTELLIGENCE UNIT White Paper TABLE OF CONTENTS INTRODUCTION ................................................................................3 THE INITIAL TORPIG CAMPAIGN ......................................................4 • Infection Cycles ..........................................................................................5 • Ice IX – Downloading Torpig and Pushdo ...................................................6 • Torpig Campaign C&C infrastructure ..........................................................9 • Ice IX Takedown Avoidance Technique .......................................................10 THE FOLLOW-ON P2P ZEUS CAMPAIGN ..........................................11 • Infection Cycles ...........................................................................................12 • Neurevt – Downloading P2P Zeus ..............................................................13 THE WAY FORWARD: CONCLUSIONS AND RECOMMENDATIONS ....14 ABOUT MNEMONIC ..........................................................................15 REFERENCES ...................................................................................16 THE TROJAN WARS - BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC AS INTRODUCTION Trojans are a very sophisticated type of malware and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode and the infrastructure used to spread and maintain Trojans is
    [Show full text]
  • Dgarchive a Deep Dive Into Domain Generating Malware
    DGArchive A deep dive into domain generating malware Daniel Plohmann [email protected] 2015-12-03 | Botconf, Paris © 2015 Fraunhofer FKIE 1 About me Daniel Plohmann PhD candidate at University of Bonn, Germany Security Researcher at Fraunhofer FKIE Focus: Reverse Engineering / Malware Analysis / Automation Projects ENISA Botnet Study 2011 [1] Analysis Tools PyBox, IDAscope, DGArchive, … Botnet Analysis Gameover Zeus / P2P protocols [2] DGA-based Malware [1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence [2] http://christian-rossow.de/publications/p2pwned-ieee2013.pdf © 2015 Fraunhofer FKIE 2 Agenda Intro: Domain Generation Algorithms / DGArchive Comparison of DGA Features Registration Status of DGA Domain Space Case Studies © 2015 Fraunhofer FKIE 3 Intro Domain Generation Algorithms © 2015 Fraunhofer FKIE 4 Domain Generation Algorithms Definitions Concept first described ~2008: Domain Flux Domain Generation Algorithm (DGA) An algorithm producing Command & Control rendezvous points dynamically Shared secret between malware running on compromised host and botmaster Seeds Collection of parameters influencing the output of the algorithm Algorithmically-Generated Domain (AGD) Domains resulting from a DGA © 2015 Fraunhofer FKIE 5 Domain Generation Algorithms Origin & History Feb 2006 Sality: dynamically generates 3rd-level domain part July 2007 Torpig: Report by Verisign includes DGA-like domains July 2007 Kraken: VirusTotal upload of binary using DDNS
    [Show full text]
  • Banking Trojans: from Stone Age to Space Era
    Europol Public Information Europol Public Information Banking Trojans: From Stone Age to Space Era A Joint Report by Check Point and Europol The Hague, 21/03/2017 Europol Public Information 1 / 16 Europol Public Information Contents 1 Introduction .............................................................................................................. 3 2 The Founding Fathers ................................................................................................ 3 3 The Current Top Tier ................................................................................................. 5 4 The Latest .................................................................................................................. 9 5 Mobile Threat .......................................................................................................... 10 6 Evolutionary Timeline ............................................................................................. 11 7 Impressions/Current Trends ................................................................................... 11 8 Banking Trojans: The Law Enforcement View ......................................................... 12 9 How are Banking Trojans used by Criminals? ......................................................... 13 10 How are the Criminals Structured? ......................................................................... 14 11 Building on Public-Private-Partnerships - The Law Enforcement Response ........... 15 12 How to Protect Yourself .........................................................................................
    [Show full text]
  • CS 3700 Networks and Distributed Systems
    CS 3700 Networks and Distributed Systems Lecture 20: Malware/Botnets Slides stolen from Vern Paxson (ICSI) and Stefan Savage (UCSD) Motivation 2 Internet currently used for important services ! Financial transactions, medical records Increasingly used for critical services ! 911, surgical operations, water/electrical system control, remote controlled drones, etc. Networks more open than ever before ! Global, ubiquitous Internet, wireless Malicious Users 3 Miscreants, e.g. LulzSec ! In it for thrills, street cred, or just to learn ! Defacing web pages, spreading viruses, etc. Hacktivists, e.g. Anonymous ! Online political protests ! Stealing and revealing classified information Organized Crime ! Profit driven, online criminals ! Well organized, divisions of labor, highly motivated Network Security Problems 4 Host Compromise ! Attacker gains control of a host ! Can then be used to try and compromise others Denial-of-Service ! Attacker prevents legitimate users from gaining service Attack can be both ! E.g., host compromise that provides resources for denial-of- service Definitions 5 Virus ! Program that attaches itself to another program Worm ! Replicates itself over the network ! Usually relies on remote exploit (e.g. buffer overflow) Rootkit ! Program that infects the operating system (or even lower) ! Used for privilege elevation, and to hide files/processes Trojan horse ! Program that opens “back doors” on an infected host ! Gives the attacker remote access to machines Botnet ! A large group of Trojaned machines, controlled
    [Show full text]
  • [Recognising Botnets in Organisations] Barry Weymes Number
    [Recognising Botnets in Organisations] Barry Weymes Number: 662 A thesis submitted to the faculty of Computer Science, Radboud University in partial fulfillment of the requirements for the degree of Master of Science Eric Verheul, Chair Erik Poll Sander Peters (Fox-IT) Department of Computer Science Radboud University August 2012 Copyright © 2012 Barry Weymes Number: 662 All Rights Reserved ABSTRACT [Recognising Botnets in Organisations] Barry WeymesNumber: 662 Department of Computer Science Master of Science Dealing with the raise in botnets is fast becoming one of the major problems in IT. Their adaptable and dangerous nature makes detecting them difficult, if not impossible. In this thesis, we present how botnets function, how they are utilised and most importantly, how to limit their impact. DNS Dynamic Reputations Systems, among others, are an innovative new way to deal with this threat. By indexing individual DNS requests and responses together we can provide a fuller picture of what computer systems on a network are doing and can easily provide information about botnets within the organisation. The expertise and knowledge presented here comes from the IT security firm Fox-IT in Delft, the Netherlands. The author works full time as a security analyst there, and this rich environment of information in the field of IT security provides a deep insight into the current botnet environment. Keywords: [Botnets, Organisations, DNS, Honeypot, IDS] ACKNOWLEDGMENTS • I would like to thank my parents, whom made my time in the Netherlands possible. They paid my tuition, and giving me the privilege to follow my ambition of getting a Masters degree. • My dear friend Dave, always gets a mention in my thesis for asking the questions other dont ask.
    [Show full text]
  • SHS Branding LAUNCH
    MESSAGELABS INTELLIGENCE MESSAGELABS INTELLIGENCE FEBRUARY 2010 Spam Surges in February while Message Size Shrinks Welcome to the February edition of the MessageLabs Intelligence monthly report. This report provides the latest threat trends for February 2010 to keep you informed regarding the ongoing fight against viruses, spam and other unwelcome content. REPORT HIGHLIGHTS Spam – 89.4% in February (an increase of 5.5% since January) Viruses – One in 302.8 emails in February contained malware (an increase of 0.02% since January) Phishing – One in 456.3 emails comprised a phishing attack (an increase of 0.04% since January) Malicious websites – 4,998 websites blocked per day (an increase of 184% since January) 41.6% of all malicious domains blocked were new in February (a decrease of 0.1% since January) 13.3 of all web-based malware blocked was new in February (an increase of 1.2% since January) Grum and Rustock to Blame for February Spam Surge While Volume Grows, Spam File Size Shrinks Waledac Botnet Makes a Comeback before its Demise Olympics-Themed Targeted Malware Gumblar Update REPORT ANALYSIS Grum and Rustock to Blame for Surge in February Spam As expected this time of year, spammers launched a number of spam campaigns related to St. Valentine‟s Day, celebrated on February 14. Around this time, spammers often change their spam runs to include references to the special date. However, the 5.5% increase in spam this month cannot be completely blamed on St. Valentine‟s Day alone. Figure 1 highlights the most recent spam surges in February, and further analysis reveals the underlying cause of these increases.
    [Show full text]
  • KOOBFACE: Inside a Crimeware Network
    JR04-2010 KOOBFACE: Inside a Crimeware Network By NART VILLENEUVE with a foreword by Ron Deibert and Rafal Rohozinski November 12, 2010 WEB VERSION. Also found here: INFOWAR http://www.infowar-monitor.net/koobface MONITOR JR04-2010 Koobface: Inside a Crimeware Network - FOREWORD I Foreword There is an episode of Star Trek in which Captain Kirk and Spock are confronted by their evil doppelgängers who are identical in every way except for their more nefarious, diabolical character. The social networking community Facebook has just such an evil doppelgänger, and it is called Koobface. Ever since the Internet emerged from the world of academia and into the world-of-the-rest-of-us, its growth trajectory has been shadowed by the emergence of a grey economy that has thrived on the opportunities for enrichment that an open, globally connected infrastructure has made possible. In the early years, cybercrime was clumsy, consisting mostly of extortion rackets that leveraged blunt computer network attacks against online casinos or pornography sites to extract funds from frustrated owners. Over time, it has become more sophisticated, more precise: like muggings morphing into rare art theft. The tools of the trade have been increasingly refined, levering ingenuous and constantly evolving malicious software (or malware) with tens of thousands of silently infected computers to hide tracks and steal credentials, like credit card data and passwords, from millions of unsuspecting individuals. It has become one of the world economy’s largest growth sectors—Russian, Chinese, and Israeli gangs are now joined by upstarts from Brazil, Thailand, and Nigeria—all of whom recognize that in the globally connected world, cyberspace offers stealthy and instant means for enrichment.
    [Show full text]