Last month, the crime rate for England and Wales nearly doubled thanks to the inclusion of a new crime category in government statistics: cybercrime. The new data, released by the U.K.’s Office for National Statistics (ONS), includes an estimated 5.1 million online fraud incidents and 2.5 million instances that meet the country’s legal definition of computer crime. These new categories dramatically increase the country’s crime rate to over 11.6 million total offenses.
Given the media attention devoted to nation-state attacks and high-profile data breaches, it’s easy to think that the prevalence of online crime is due to the rise of a new breed of elite hackers. But contrary to common perception in the media, this increase in electronic attacks is actually being driven by the commoditization of both the tools and the infrastructure used to launch online attacks, according to statements from U.S. officials at both the state and federal level.
Exploit Kits: The New Normal
As previously reported on the OpenDNS Security Labs blog, one of the biggest driving forces behind the recent rise in financially-motivated cybercrime has been the increased use of exploit kits. In a statement to CRN last year, FBI Assistant Director George Venizelos said that crimeware kits enable anyone with “$40 and a computer” to potentially become a cybercriminal.
Available for purchase online, these popular crimeware toolkits — also known as exploit kits — work by attacking a known vulnerability in a computer’s software or operating system to deliver an initial, malicious payload. The infected machine can then be added to a botnet, used to steal online banking information or be held hostage by ransomware (like Cryptowall and CryptoLocker). While these exploit kits and malware are available for purchase online, criminals still need a stage from which to launch their attacks.
Historically, exploit kits and other malware have either been hosted on hacked websites or on servers run by “bulletproof” hosting providers that cater to shady online activities. Dhia Mahjoub, senior security researcher at OpenDNS, outlined some of the operating processes of these hosting providers during a recent talk at the Hack.lu cybersecurity conference in Luxembourg.
“One of the biggest advantages that these hosting providers have is they can choose to operate in countries that spend less time and effort on preventing cybercrime,” Mahjoub said. Hosting providers often locate their data centers in countries whose cybercrime laws are lenient toward, or even accepting of, activities like distributing malware. Often, the hosting providers’ businesses themselves are also registered in foreign countries, relying on national borders to shield them from law enforcement activity.
Mahjoub said that some providers are bound by law to tell their customers when they receive an abuse report from security researchers or law enforcement. He said that often these reports result in criminals just copying their servers and setting them up in another dark corner of the Internet. In many cases, hosting providers deal with so many customers and servers that malicious behavior simply goes unnoticed.
He also noted that detecting and blocking these attacks is no trivial matter, and that attackers have found many ingenious ways of hiding from both law enforcement and security researchers. One technique he uncovered is called “domain shadowing,” or using a compromised subdomain of a legitimate website (like “malware.opendns.com” instead of “opendns.com”) to launch exploit kit attacks. He also found that attackers could “inject” server addresses into a legitimate hosting provider’s networks by manipulating the routes between networks, further obscuring a server’s true location. In another example, a recent Angler exploit kit group taken down by Cisco’s Talos team used a network of proxy servers to hide an attacker’s infrastructure from the prying eyes of security researchers. This combination of automated attacks and evasion techniques is a hallmark of modern exploit kit infrastructure.
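One defensive check the domain shadowing description suggests, added here as an illustration and not code from OpenDNS or the research described: compare where a subdomain resolves with where the parent domain’s own hosts resolve, and flag any subdomain sitting on an autonomous system the apex domain never uses. The passive-DNS records and the prefix-to-AS table below are constructed placeholders, and the apex extraction is a naive two-label split rather than a Public Suffix List lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records (hostname, resolved IPv4). Not real data.
RECORDS = [
    ("example.com", "198.51.100.10"),
    ("www.example.com", "198.51.100.10"),
    ("mail.example.com", "198.51.100.12"),
    ("x7f3a.example.com", "203.0.113.77"),   # hypothetical shadowed subdomain
    ("example.org", "192.0.2.5"),
    ("cdn.example.org", "192.0.2.6"),
]

# Constructed prefix-to-AS table standing in for a real BGP/ASN lookup.
PREFIX_TO_AS = {
    "198.51.100.0/24": "AS64496",
    "203.0.113.0/24": "AS64500",
    "192.0.2.0/24": "AS64497",
}

def asn_for(ip):
    """Return the AS announcing this IP according to the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_AS.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def apex_of(host):
    # Naive two-label apex; a production version would consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def find_shadowed(records):
    """Return (host, ip, asn) for subdomains hosted on an AS the apex domain never uses."""
    apex_as = defaultdict(set)
    for host, ip in records:
        if host == apex_of(host):          # only the apex itself defines the baseline
            apex_as[host].add(asn_for(ip))
    flagged = []
    for host, ip in records:
        apex = apex_of(host)
        if host == apex or not apex_as[apex]:  # no baseline means nothing to compare against
            continue
        if asn_for(ip) not in apex_as[apex]:
            flagged.append((host, ip, asn_for(ip)))
    return flagged

if __name__ == "__main__":
    for entry in find_shadowed(RECORDS):
        print("candidate shadowed domain:", entry)
```

A hit is only a lead: legitimate CDN or SaaS subdomains also live on foreign ASNs, so the flagged list wants correlation with registration age and observed traffic before blocking.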
Last month, OpenDNS Security Labs introduced two new security models, SPRank and Predictive IP Space Monitoring, that can automatically detect these kinds of attacks.
Using Big Data to Avoid Detection
Aggressive activity from security teams can sometimes backfire. Mahjoub said that back in 2012 it became apparent that traditional, “active” security research methods, like actively scanning attacker infrastructure, could alert black hats that security researchers were looking for them. After realizing that they were under scrutiny from the security community, bad guys would then shut down servers and start over in another dark corner of the Internet. He mentions that in one instance, bad actors updated their infrastructure and changed their methods within hours of researchers disclosing information about how they operate.
That’s why, he says, the OpenDNS Research Labs team has focused on studying the aspects of criminal activity that are impossible to hide from outside analysis. He notes that while it’s possible for a criminal to change hosting providers or domain names, there are some things that still need to happen before an infection can occur. For instance, a criminal needs to register a domain before it becomes public, and users have to be redirected to a specific website before an exploit kit can infect them.
“To detect these people, you have to separate their inherent and assigned features,” he said. “Think of it this way: a criminal could have 10 passports that [he uses] to travel all over the world, changing [his] hair color or whatever. That’s analogous to what bad guys do to hide online. They will change the domain names they use, the countries they host their servers in — all to avoid detection. But if you focus on inherent features — like the exploit kit traffic patterns — it’s like their genetic code. Some things you just can’t change.”