Attacking cybercrime through infrastructure, not individuals
- 1 June 2015
- From the section Technology
If someone has been mugged, there's a mugger to catch. If a car is stolen, there'll be a thief to find. If a bank is robbed, there will be a robber to track down.
Not so much. With online crime it is much harder for the police to pursue a single perp. This has provoked a change in the way hi-tech crimes are tackled.
Now it is about infrastructure, not individuals.
"It's all part of a realisation among info-security workers and law enforcement that traditional ways of doing investigations have not been working," said Steve Santorelli from Team Cymru, a non-profit group that monitors the net seeking botnets and other criminal resources.
"The more traditional 'identify the bad guys, arrest them and lock them up' has been falling short," he said.
Bureaucracy is part of the reason for this, said veteran computer security expert Chester Wisniewski from Sophos. Cross-continental co-operation between police forces has improved in recent years, he said, but the procedures required to mount international operations remain formidable.
Typically, he said, official requests for help between forces are done via a diplomatic agreement known as a Mutual Legal Assistance Treaty.
"The MLAT process can take a year among friendly nations," he said. "So between nations that do not have the best relationship it might never happen."
MLATs are also not designed to handle the volumes of cases revealed by work to combat cross-border cybercrime. Instead, he said, it is meant for a few high profile cases.
Police forces have found other ways to collaborate internationally and this has prompted a change in tactics. Now, instead of going after the criminals they go after the servers and compromised computers used to carry out the crimes.
"You need to increase the cost of them doing business," said Mr Santorelli. Taking away servers, cutting off access to the armies of compromised PCs all makes it more troubling, and costly, for criminals to operate.
One large-scale effort to get at the criminal infrastructure is Europe's Advanced Cyber Defence Centre (ACDC).
Funded by the European Commission, this has led to the creation of call centres in nine European nations. These get information about infected machines from ISPs who tell customers to contact the call centre to get help to clean up their compromised machines.
Removing machines from botnets is essential for a couple of reasons, said Peter Meyer, co-ordinator of the Centre.
"If you just catch one guy and do not shut down the infrastructure then the next day there will be someone that takes it over," he said. "It's really important to shut down the command and control systems."
In addition, he said, removing that infrastructure forces criminals to recruit more machines thus soaking up their time and resources.
It's a big job, he said, because up to 5% of the computers on domestic ISPs are believed to be part of a criminal botnet.
As well as cleaning up machines, the initiative is also trying to help police forces.
"Law enforcement is really interested in getting a better picture because they are often not well-funded and we have data," he said. "The fight against cybercrime is not something one individual can win."
The change in tactics has led to a flurry of raids. In early April, the FBI, Europol and the UK's National Crime Agency took action against the Beebone botnet. The forces seized web domains used by the botnet's owners to control the distributed system of infected machines. Knocking these out meant control of the botnet was taken away from its operators. It was one of a rash of raids carried out in 2014 and early 2015.
In mid-2014 a huge operation was mounted against the botnet GameOver Zeus that, by itself, was responsible for infecting millions of computers every year. It was also one of the main routes by which the notorious cryptolocker bug was spread. This malicious program encrypted data and demanded a ransom of 400 US dollars or euros within a short time limit or the scrambled data would be deleted.
The gang behind cryptolocker is believed to have made about $3m (£2m) via the ransomware. Seizing its infrastructure helped security experts decode cryptolocker and get at the keys it used to lock data away.
The operations against Beebone and Gameover Zeus took lots of time, planning and international co-operation. At other times, security firms have moved more quickly simply because the scale of the criminal activity demands it.
A case in point was the action that Cisco's Talos security team and Level 3 took against a cybercrime group known as SSH Psychos.
"The attacks they were carrying out were just so blatant and aggressive," said Craig Williams, technical head of the Talos team.
The Psychos were scanning the entire internet looking for Linux servers running the secure SSH protocol. Used properly it lets a server's owner log in securely to that machine even though they may be a long way away from it.
At its peak, the SSH Psycho scanning consumed more than one-third of all net traffic intended for servers capable of handling it.
On every server, the attack tried 300,000 common passwords in succession to see if any worked.
Some did and very quickly the Psychos had compromised about 1,000 machines.
Usually such attacks are much more stealthy, said Mr Williams, adding: "These guys didn't care they were being noticed."
In response, Level 3 and Cisco changed the way data from the attack was handled by net hardware they controlled. They essentially poured it into a virtual dustbin. This ended the scanning and stopped the password attacks. It got more even effective when some other large ISPs joined in.
How a sinkhole cuts off cyber crime
With a sinkhole, law enforcement attempts to cut the link between cyber-criminals and the computers they compromise.
Instead of hijacked PCs reporting in to the hi-tech criminals the data is diverted so it never reaches them. Instead it is analysed to help security firms tackle infections and make the business of cybercrime more expensive.
The Psychos responded and mounted an attack from elsewhere on the net. This too was poured into the trash can.
The tactic seems to have worked as the Psychos have not come back.
"I suspect they will move again," said Mr Williams. "And we can block them again."
Dale Drew from Level 3 said he hoped this action was the start of a broader effort by the security community to take on cyber-thieves.
"The security community spends a significant amount of time just observing when really we need to take action," he said. "We've got a real opportunity here to be more fluid and responsive than the bad guys."