The buzz in cyber security over the past few months has been around some high-profile take-downs of cyber-criminals and the stamping out of high net worth bot nets. This is an exciting and welcome development in the ongoing efforts of international law enforcement to coordinate the removal of the notorious mob bosses of the modern cyber era.
In June 2015, Ercan Findikoglu, also known as “Segate” and “Predator,” was extradited to the US as one of the masterminds behind three worldwide cyber attacks between 2011 and 2013 that inflicted more than $55 million in losses on the global financial system. He was arrested during a trip to Frankfurt by German authorities in December 2013 after eluding US capture for five years.
However, the real excitement came in September 2015 with the sentencing of Dimitry Belorossov, after he had been arrested by Spanish police. Also known as “Rainerfox”, of St. Petersburg, Russia, Belorossov was handed four years, six months in prison, to be followed by three years of supervised release, and ordered to pay restitution in the amount of $322,409.09.
Belorossov is an interesting case and his sentencing is a little strange. He was responsible for the Citadel bot net that infected over 11 million computers worldwide, and used a variety of infection methods. According to industry estimates, Citadel, and other botnets like it, are responsible for over $500 million in losses.
A great deal of threat intelligence about how cyber criminals build and facilitate cyber crime using bot nets and malware, as well as how they evade detection, is contained in the criminal indictments of these cyber criminal gangs. So, it’s interesting that in the case of Belorossov, details of his specific activities remain tightly locked away under court seal.
Given the vast scope of damages and the magnitude of infection in this case, I find the relatively light sentence curious. I suspect that once he has completed his time (reduced for what will be “extraordinarily good behaviour” and possible “assistance to law enforcement”) the first company (or government agency) to come up with a $322,409.09 signing bonus will gain some top talent for anti-bot net security work.
Meanwhile, in August 2015, the Cypriot police were busy arresting Andrey Ghinkul, also known as “Andrei Ghincul” and “Smilex” of Moldova. He is charged with criminal conspiracy, unauthorised computer access with intent to defraud, damaging a computer, wire fraud, and bank fraud.
The Bugat/Dridex malware, created by Ghinkul infected hundreds of thousands of computers and led to financial losses of more than $100 million worldwide. The recent neutralisation of the command and control infrastructure by law enforcement in the United Kingdom (with help from GCHQ, according to the Guardian) provided the opportunity for the FBI to seize control of the Bugat/Dridex bot net and prevent further damage.
When you look at Citadel, Dridex, Dyre, and a host of other modern bot nets, they all have some commonalities. In general, this malware is delivered by exploit kits that are readily available in the criminal underground. These exploit kits generate phishing emails with .zip or .doc attachments that utilise Microsoft Excel or Word macros to download the malware onto machines. Exploit kits can also host and send web links to lure people into exposing their computers using vulnerabilities in Adobe Flash and other unpatched software. The goal of these bot nets is to steal valuable banking credentials to commit fraud.
While the long arm of the US Justice Department, in partnership with international law enforcement, is successfully targeting and bringing cyber criminals to justice, there are immediate steps IT providers and MSPs can take to prevent bot net infections. The key things to deliver are:
- End-user security awareness training to provide the best ROI on security dollars
- Aggressive patching and updating of OS and third-party software to prevent exploits from working
- Mail filtering and attachment blocking to prevent exploits from being delivered
- Robust managed antivirus to detect exploits and malware
- Web protection to prevent compromised website visits
- Removal of administrative rights to prevent rogue software from being installed
These are all valuable tools in keeping malware off computer systems and keeping them safe from bot nets - especially the systems that do banking for your business and at your customers.
However, the important thing for IT professionals to remember is that it’s not about a reliance on one form of defense, only by having a layered approach to cyber protection can we make our clients and our companies hard to hack.
Ian Trump is security lead at LOGICnow
Image source: Shutterstock/igor.stevanovic