Security

How the Global Cybercrime Economy Hides in Plain Sight

Stephen Lynch
Updated — March 4, 2020 • 4 minute read

Last month, the crime rate for England and Wales nearly doubled thanks to the inclusion of a new crime category in government statistics: cybercrime. The new data, released by the U.K.’s Office for National Statistics (ONS), includes an estimated 5.1 million online fraud incidents and 2.5 million instances that meet the country’s legal definition of computer crime. These new categories dramatically increase the country’s crime rate to over 11.6 million total offenses.
Given the media attention devoted to nation-state attacks and high-profile data breaches, it’s easy to think that the prevalence of online crime is due to the rise of a new breed of elite hackers. But contrary to common perception in the media, this increase in electronic attacks is actually being driven by the commoditization of both the tools and the infrastructure used to launch online attacks, according to statements from U.S. officials at both the state and federal level.
Exploit Kits: The New Normal
As previously reported on the OpenDNS Security Labs blog, one of the biggest driving forces behind the recent rise in financially-motivated cybercrime has been the increased use of exploit kits. In a statement to CRN last year, FBI Assistant Director George Venizelos said that crimeware kits enable anyone with “$40 and a computer” to potentially become a cybercriminal.
Available for purchase online, these popular crimeware toolkits — also known as exploit kits — work by attacking a known vulnerability in a computer’s software or operating system to deliver an initial, malicious payload. The infected machine can then be added to a botnet, used to steal online banking information or be held hostage by ransomware (like Cryptowall and CryptoLocker). While these exploit kits and malware are available for purchase online, criminals still need a stage from which to launch their attacks.
Sneaky Servers
Historically, exploit kits and other malware have either been hosted on hacked websites or on servers run by “bulletproof” hosting providers that cater to shady online activities. Dhia Mahjoub, senior security researcher at OpenDNS, outlined some of the operating processes of these hosting providers during a recent talk at the Hack.lu cybersecurity conference in Luxembourg.
“One of the biggest advantages that these hosting providers have is they can choose to operate in countries that spend less time and effort on preventing cybercrime,” Mahjoub said. Hosting providers often locate their data centers in countries where cybercrime laws are lenient or even accepting of activities like distributing malware. Often, the hosting providers’ businesses themselves are also registered in foreign countries, relying on national borders to shield them from law enforcement activity.
Mahjoub said that some providers are bound by law to tell their customers when they receive an abuse report from security researchers or law enforcement. He said that often these reports result in criminals just copying their servers and setting them up in another dark corner of the Internet. In many cases, hosting providers deal with so many customers and servers that malicious behavior simply goes unnoticed.
He also noted that detecting and blocking these attacks is no trivial matter, and that attackers have found many ingenious ways of hiding from both law enforcement and security researchers. One technique he uncovered is called “domain shadowing,” or using a compromised subdomain of a legitimate website (like “malware.opendns.com” instead of “opendns.com”) to launch exploit kit attacks. He also found that attackers could “inject” server addresses into a legitimate hosting provider’s networks by manipulating the routes between networks, further obscuring a server’s true location. In another example, a recent Angler exploit kit group taken down by Cisco’s Talos team used a network of proxy servers to hide an attacker’s infrastructure from the prying eyes of security researchers. This combination of automated attacks and evasion techniques is a hallmark of modern exploit kit infrastructure.
Last month, OpenDNS Security Labs introduced two new security models, SPRank and Predictive IP Space Monitoring, that can automatically detect these kinds of attacks.
Detecting Criminal Infrastructure
Using Big Data to Avoid Detection
Aggressive activity from security teams can sometimes backfire. Back in 2012, Mahjoub said, it became apparent that traditional, “active” security research methods like actively scanning attacker infrastructure could alert black hats that security researchers were looking for them. After realizing that they are under scrutiny from the security community, bad guys would then shut down servers and start over in another dark corner of the Internet. He mentions that in one instance, bad actors updated their infrastructure and changed their methods within hours of researchers disclosing information about how they operate.
That’s why, he says, the OpenDNS Research Labs team has focused on studying the aspects of criminal activity that are impossible to hide from outside analysis. He notes that while it’s possible for a criminal to change hosting providers or domain names, there are some things that still need to happen before an infection can occur. For instance, a criminal needs to register a domain before it becomes public, and users have to be redirected to a specific website before an exploit kit can infect them.
“To detect these people, you have to separate their inherent and assigned features,” he said. “Think of it this way: a criminal could have 10 passports that [he uses] to travel all over the world, changing [his] hair color or whatever. That’s analogous to what bad guys do to hide online. They will change the domain names they use, the countries they host their servers in — all to avoid detection. But if you focus on inherent features — like the exploit kit traffic patterns — it’s like their genetic code. Some things you just can’t change.”
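The domain shadowing technique described above, and Mahjoub’s point about focusing on inherent rather than assigned features, can be illustrated with a small triage script. What follows is an added example written for this post; it is not OpenDNS or Cisco Umbrella code and does not reproduce SPRank or Predictive IP Space Monitoring. It assumes passive-DNS-style records of the form (first seen, name, resolved IP), which are constructed here using RFC 5737 documentation addresses, and the three signals and their weights are the author's own heuristic rather than anything the post specifies. The idea is the “genetic code” one: a legitimate zone's long-lived names resolve into a stable set of networks, and a burst of recently created, machine-looking subdomains that resolves somewhere else is hard for an attacker to disguise, whichever registrar or hosting provider they move to.

```python
"""Triage newly seen subdomains for signs of domain shadowing.

Added illustration, not OpenDNS/Umbrella code. Heuristic: a legitimate
zone's long-lived names resolve into a small, stable set of networks, so a
cluster of recently created, random-looking subdomains that resolves
elsewhere deserves an analyst's attention.
"""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed passive-DNS-style records: (first_seen, fqdn, resolved IPv4).
# The legitimate zone lives in 203.0.113.0/24; the shadowed names appear
# within days of each other and resolve into 198.51.100.0/24. All addresses
# come from the RFC 5737 documentation ranges.
RECORDS = [
    ("2015-01-10", "example.com", "203.0.113.10"),
    ("2015-01-10", "www.example.com", "203.0.113.10"),
    ("2015-03-02", "mail.example.com", "203.0.113.25"),
    ("2015-03-02", "blog.example.com", "203.0.113.30"),
    ("2015-10-20", "xk3q9z.example.com", "198.51.100.77"),
    ("2015-10-20", "p0v2tr8.example.com", "198.51.100.77"),
    ("2015-10-21", "h7ym1c.example.com", "198.51.100.78"),
    ("2015-10-21", "support.example.com", "203.0.113.40"),  # benign new host
    ("2015-10-22", "cdn.example.com", "192.0.2.5"),         # benign, off-net
]


def apex_of(fqdn):
    """Naive two-label apex; production code would consult a public-suffix list."""
    return ".".join(fqdn.split(".")[-2:])


def slash24(ip):
    """Coarse network key: the /24 containing the address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def score_new_subdomains(records, today, baseline_days=180):
    """Return {fqdn: (ip, score, reasons)} for every subdomain first seen
    within baseline_days. Each of three independent signals adds one point."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    parsed = [(date.fromisoformat(seen), fqdn, ip) for seen, fqdn, ip in records]
    by_apex = defaultdict(list)
    for entry in parsed:
        by_apex[apex_of(entry[1])].append(entry)

    results = {}
    for apex, entries in by_apex.items():
        old = [e for e in entries if (today - e[0]).days > baseline_days]
        new = [e for e in entries
               if (today - e[0]).days <= baseline_days and e[1] != apex]
        # Signal 1 baseline: networks the zone has used for a long time.
        baseline_nets = {slash24(ip) for _, _, ip in old}
        # Signal 2 baseline: how many *new* names each IP serves in this zone.
        new_names_per_ip = defaultdict(int)
        for _, _, ip in new:
            new_names_per_ip[ip] += 1
        for _, fqdn, ip in new:
            reasons = []
            if slash24(ip) not in baseline_nets:
                reasons.append("outside the zone's established networks")
            if new_names_per_ip[ip] >= 2:
                reasons.append("IP serves several newly seen names in this zone")
            label = fqdn[: -len(apex) - 1]  # leftmost label(s) only
            if any(ch.isdigit() for ch in label):
                reasons.append("digits in label (machine-generated look)")
            results[fqdn] = (ip, len(reasons), reasons)
    return results


def find_shadowed(records, today, threshold=2):
    """Names whose score reaches the threshold, sorted for stable output."""
    scored = score_new_subdomains(records, today)
    return sorted(f for f, (_, score, _) in scored.items() if score >= threshold)


if __name__ == "__main__":
    scored = score_new_subdomains(RECORDS, "2015-10-25")
    for fqdn, (ip, score, reasons) in sorted(scored.items()):
        print(f"{score} {fqdn:24} {ip:15} {'; '.join(reasons)}")
    print("flagged:", find_shadowed(RECORDS, "2015-10-25"))
```

Run against the constructed records on 2015-10-25, the three random-looking names in 198.51.100.0/24 score 2 or 3 and are flagged, while support.example.com (new, but inside the zone's usual network) scores 0 and cdn.example.com (off-network but alone and human-readable) scores 1 and is left for a human to look at. No single signal is decisive, which is the point: an attacker can move to a new network or pick prettier labels, but doing all of that at once for every name, while still launching a burst of redirects, is what the inherent-features approach counts on.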