Bromium Into the Web of Profit
Total Page:16
File Type:pdf, Size:1020Kb
Into The Web of Profit An in-depth study of cybercrime, criminals and money. Researched and written by Dr. Mike McGuire April 2018 Project funded by Bromium, Inc. 2 Acknowledgements Many thanks to the various experts from U.S. and European criminal justice agencies, financial institutions and to academic informants who were consulted during the research conducted for this report. Particular thanks go to the U.K. National Fraud Intelligence Bureau as part of the City of London Police for providing invaluable data and to The National Crime Agency, The Metropolitan Police and the Home Office Cybercrime Research Unit for their helpful suggestions and support. 3 Table of Contents FOREWORD _________________________________________________ 7 GREGORY WEBB CEO, BROMIUM _________________________________ 7 FOREWORD ________________________________________________ 10 DR. MICHAEL MCGUIRE SENIOR LECTURER, UNIVERSITY OF SURREY _________ 10 INTRODUCTION ____________________________________________ 12 THE EMERGING CRIMINAL ECONOMY: CYBERSPACE AND THE WEB OF PROFIT __ 12 CYBERCRIME REVENUES REACH $1.5 TRILLION _______________________ 15 POST-CRIME AND PLATFORM CRIMINALITY __________________________ 17 MOVING REVENUES __________________________________________ 18 DISPOSAL OF CYBERCRIME FUNDS ________________________________ 20 METRICS: AT-A-GLANCE ______________________________________ 23 UNDERSTANDING THE WEB OF PROFIT THROUGH NUMBERS ______________ 23 CHAPTER 1: THE WEB OF PROFIT ______________________________ 29 THE CYBERCRIME ECONOMY AND THE EMERGENCE OF PLATFORM CRIMINALITY _ 29 WEAPONISING EXISTING PLATFORMS ______________________________ 32 CYBERCRIME-SPECIFIC PLATFORMS ________________________________ 35 CHAPTER 2: REVENUES FROM CYBERCRIME _____________________ 39 4 CYBERCRIME REVENUES VS. TRADITIONAL CRIME REVENUES ______________ 45 INDIVIDUAL REVENUES FROM CYBERCRIME __________________________ 48 CHAPTER 3: KEY REVENUE SOURCES FOR CYBERCRIMINALS ________ 54 REVENUES FROM ILLICIT ONLINE MARKETS __________________________ 55 IP AND TRADE SECRET THEFT ___________________________________ 58 REVENUES FROM DATA TRADING _________________________________ 64 REVENUES FROM CRIMEWARE & CAAS _____________________________ 67 REVENUES FROM RANSOMWARE _________________________________ 70 CASE STUDIES AND EXAMPLES ___________________________________ 73 CHAPTER 4: LAUNDERING DIRTY MONEY ________________________ 75 TRADITIONAL LAUNDERING _____________________________________ 76 CYBER-LAUNDERING _________________________________________ 82 USE OF PAYMENT SYSTEMS LIKE PAYPAL ____________________________ 83 CASE STUDIES AND EXAMPLES ___________________________________ 86 USE OF CRYPTOCURRENCIES FOR LAUNDERING ________________________ 89 CASE STUDIES AND EXAMPLES ___________________________________ 91 ONLINE GAMING AND LAUNDERING _______________________________ 97 CASE STUDIES AND EXAMPLES ___________________________________ 98 CHAPTER 5: DISPOSING OF CRIMINAL REVENUES ________________ 100 DISPOSING OF CYBERCRIME REVENUES ____________________________ 103 CASE STUDIES AND EXAMPLES __________________________________ 112 REINVESTMENT INTO CRIME ___________________________________ 114 CHAPTER 6: IMPLICATIONS AND RECOMMENDATIONS ___________ 120 RECOMMENDATIONS FOR LAW ENFORCEMENT_______________________ 123 RECOMMENDATIONS FOR CYBERSECURITY PROFESSIONALS ______________ 124 RECOMMENDATIONS FOR ACADEMIC AND OTHER RESEARCHERS ___________ 125 APPENDIX: METHODOLOGY _________________________________ 128 5 NOTE ON REVENUE CALCULATIONS ______________________________ 129 INDEX ___________________________________________________ 139 BIBLIOGRAPHY ____________________________________________ 150 BIOGRAPHY DR. MICHAEL MCGUIRE __________________________ 165 SENIOR LECTURER, UNIVERSITY OF SURREY _________________________ 165 RESEARCH SPONSOR BROMIUM, INC. _________________________ 167 APPLICATION ISOLATION AND CONTROL ___________________________ 168 UNTRUSTED TASKS ARE PROTECTED ______________________________ 169 THE BROMIUM CONTROLLER PROVIDES HIGH FIDELITY ALERTS ____________ 172 VIRUSTOTAL.COM EXPLAINS THE MALWARE ________________________ 173 VIRTUALIZATION TARGETS TYPICAL THREAT VECTORS __________________ 175 Table of Figures FIGURE 1: MONTHLY RANSOMWARE PAYMENTS 2014-2017 _____________ 71 FIGURE 2: BITCOIN WALLETS TIED TO RANSOMWARE ATTACKS ____________ 94 FIGURE 3: HTTP://BITCOIN-REALESTATE.COM _______________________ 108 FIGURE 4: HTTPS://WWW.BITDIALS.EU/ ___________________________ 108 FIGURE 5: HTTPS://WWW.BITDIALS.EU/ ___________________________ 109 FIGURE 6: HTTP://THEWCOMP.COM _____________________________ 109 FIGURE 7: BROMIUM LIVE VIEW OF WORD DOCUMENT ________________ 171 FIGURE 8: BROMIUM WARNS ABOUT MALWARE _____________________ 172 FIGURE 9: THE BROMIUM CONTROLLER PROVIDES KILL CHAIN INFORMATION __ 173 FIGURE 10: FILES IN RED MEAN THIS MALWARE IS STILL SEEN AS MALICIOUS__ 174 6 Foreword Gregory Webb CEO, Bromium We invested in this research because we think it’s important. The findings of Dr. McGuire’s research explain how cybercrime proceeds are being generated, laundered and reinvested into the criminal economy. By gaining a better understanding of the systems that support cybercrime, we think we can better understand how to disrupt them. Essentially, we want to make life harder for hackers. Cybercriminals are always one step ahead of the cybersecurity industry; an industry that is generally struggling to fix the problem. Data is a valuable commodity that can be traded and sold – cybercrime is therefore a lucrative business, with relatively low risks compared to other forms of crime. Cybercriminals are rarely convicted. And now that anyone can buy pre-packaged malware and hire hackers-on-demand, it’s easier than ever. In this report, Dr. McGuire has identified the emergence of “platform criminality” – where the cybercrime economy is now 7 taking the same form as new digital businesses, making it even easier to conduct cyberattacks. They have automated the process so we’re likely to see more, frequent attacks. “It is society that is suffering the consequences of our failure to stem the tide.” The walls between the criminal and legitimate worlds are blurring; we are not simply dealing with ‘hackers in hoodies’, we are tackling an economic ecosystem that enables, funds and supports criminal activity on a global scale – from drug trafficking to terrorism. It is society that is suffering the consequences of our failure to stem the tide. The report shows that cybercriminals are both innovators and early adopters of technology. It is unrealistic to think that law enforcement alone will be able to track and disrupt new systems. Because we are a community with a common goal, we need to collaborate and be willing to do things differently. We share a social and moral obligation to disrupt the core systems that underpin this criminal ecosystem. We need to make it more difficult for hackers to gather our most precious resource – data. The cybersecurity industry needs to come to terms with the limitations of detect-to-protect security and find better ways to isolate the problem. We need to approach cyber-defenses in a totally different way, by focusing on the most vulnerable – and easiest to attack – vectors in our organizations. The criminals know where we are vulnerable – most often where humans put fingers to keyboards. We know changing human behavior is both challenging and costly. 8 Instead, by focusing on protection, rather than detection, we can disrupt cybercrime in significant ways. Research is vital to our understanding of cybercrime and may help us one day put an end to The Web of Profit. In the meantime, we will work with our peers to continue to protect the internet and the organizations that rely on it to communicate, collaborate and conduct business. Let’s work together now to disrupt The Web of Profit. 9 Foreword Dr. Michael McGuire Senior Lecturer, University of Surrey Awareness of cybercrime is at an all-time high, yet understanding of how cybercrime functions as an integrated set of criminal practices remains far less clear. While there is far greater comprehension of the scope and scale of the threat, developed understanding of how cybercrime functions and the factors which drive and support it remains limited. To date, attention has been primarily focused on the mechanisms of cybercrime – that is, how it happens. As a result, technical factors, such as malware types, security holes and the prevention of certain types of attack, are most frequently discussed. More recently the ‘human factor’ – that is, the way that human error and poor judgement may contribute to the success of cybercriminals in breaching systems – has begun to be treated more seriously as a causal factor. However, what remains far less developed is an understanding of cybercrime as a system; one where criminals, victims, policing and security professionals, companies, nation states, financial institutions, service and support mechanisms 10 interconnect with one another and with various infrastructures (such as data silos, payment systems or even the web itself) to produce a composite whole. This system is dynamic and evolving and one of its key driving factors is revenue generation and ultimately profit, since this constitutes one of the primary motivations for engaging in cybercrime – or, indeed, crime in general. Understanding revenue generation and its flows not only offers a different way in which our knowledge of cybercrime can be enhanced, but by better understanding revenue