In part 2, we examine more botnet and malware case histories, analyze data breach causal factors and related statistics, and discuss ways to avoid becoming a victim of these nefarious schemes.
On June 2, 2014, the FBI, in conjunction with the U.S. Department of Justice (DOJ), reported that a multinational effort successfully led to the disruption of another botnet. (See "GameOver Zeus Botnet Disrupted.") The DOJ said that law enforcement agencies from Australia, the Netherlands, Germany, France, Italy, Japan, Canada, Ukraine, the U.K. and other countries participated in the disruption operation.
This joint initiative was called GameOver Zeus — named for the malware of the same name — a very complex type of malware developed by cybercriminals to steal banking credentials and other personally identifiable information (PII) from infected computers. Once infected with the GameOver Zeus malware, the computers become part of a global network — a system of botnets — cybercriminals use to spread the malware through spam email and phishing messages.
According to the FBI article, cybercriminals' use of the GameOver Zeus malware has resulted in estimated losses of more than $100 million from individuals and businesses throughout the world.
Similar to the SpyEye malware, banking credentials — including network addresses of customer computers and other important PII captured by the GameOver Zeus malware — are redirected to servers controlled by cybercriminals. They then use the stolen information to hack into customer computers, infect them with the GameOver malware and re-direct wire transfers of money into accounts overseas that the cybercriminals have set up.
Originally, the FBI ran into problems busting the botnet. According to the FBI article, "Unlike earlier Zeus variants, GameOver [Zeus malware botnets have] a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin [associated with the SpyEye malware botnets], which means that instructions to the infected computers [in the GameOver botnet] can come from any of the infected computers, making a takedown of botnet more difficult. But not impossible."
To help solve the problem, officials filed civil and criminal court orders in a Pittsburgh federal court that authorized them to develop "measures to sever communications between the infected computers, re-directing these computers away from criminal servers to substitute servers under the government's control," according to the FBI article.
This measure allowed the FBI to identify the IP address of each of the compromised computers in the botnet and, with the use of substitute computers, direct this information to computer-readiness teams around the world and Internet service providers (ISP). Also, ISPs and other private-sector parties helped remove the GameOver Zeus malware from victims' computers. These two measures severely restricted the ability for botnet operators to issue commands to victims' machines, which essentially dismantled the botnet.
Privacy Rights Clearinghouse
Though the FBI was able to disrupt the GameOver Zeus botnet attack, statistics from the Privacy Rights Clearinghouse (PRCH) show that data breaches that evolve from external hacker activity and other causal factors aren't going to disappear any time soon.
PRCH is "a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers," according to its website. PRCH noted the magnitude of the data-breach problem from Jan. 1, 2005, through Feb. 18, 2015. It compiled and reported 4,488 data breaches and about 818 million compromised records in its "Chronology of Data Breaches" document, which is updated daily when PRCH receives notice of data breaches from its collaborating sources.
Holtfreter/Harrington data breach classification model
In 2011, with the assistance of Adrian Harrington — a former student in my fraud examination class at Central Washington University — I developed a new, expanded classification model that classifies data breaches and related compromised records according to nine internal and external causal factors (or categories), five general industry categories/sectors and 18 related sub-industry sectors.
We developed the methodology based on a factor analysis of PRCH's data from 2005 through 2010. In 2013 we updated our model and related statistics by analyzing 3,546 data breaches and roughly 761 million compromised records reported by the PRCH for an eight-year period from 2005 through 2012. (Beth Givens, PRCH's director, granted us permission to use its data in developing the study.) The results indicated that the types of data breach causal factors remained the same.
As you might have guessed, internal data breaches are those that originate or are caused by factors within an organization, while external data breaches originate or are caused by factors outside the organization. It's important to create a data breach model based on internal and external causal factors because media reports would have the public believe that external hackers are responsible for the majority of the data breaches — our analysis indicates this is far from the truth.
Here are the types of data breach causal factors that lead to compromised records identified in our study:
Internal breaches:
- IIPD: Improper protection or disposal of data.
- ITF: Theft of data by a current or former employee with absolute or high probability of fraudulent intent.
- ITNF: Theft of data by a current or former employee with low or no probability of fraudulent intent.
- IH: Hacking or unauthorized intrusion of a network by a current or former employee.
- IL: Loss of data.
External breaches:
- XP: Partner/third party theft or loss of data by improper exposure or disposal.
- XTF: Theft of data by a nonemployee with absolute or high probability of fraudulent intent.
- XTNF: Theft of data by a nonemployee with low or no probability of fraudulent intent.
- XH: Hacking or unauthorized intrusion of the network by a nonemployee.
- NA: Unable to determine whether the data breach was internal or external (non-traceable).
Hackers don't discriminate
As we discovered, no entities — public or private — are safe from hackers. Our analysis identified five general industry or sector categories — business, government, education, health care and nonprofit — and 18 related subcategories.
We analyzed the nine categories of internal and external data breaches noted earlier and the corresponding compromised records.
In Figure 1 (below), of the 3,545 data breaches reported by PRCH over an eight-year period, 779, or 21.9 percent, were traced to external hacking.

In Figure 2 (below), of the 764 million compromised records reported by PRCH for the eight-year period, external hacking accounted for some 516 million compromised records (an amazing 67.6 percent). What stands out in this data is that while external hacking accounted for 21.9 percent of the total data breaches, it accounted for a whopping two-thirds of the total compromised records. Also, external hacking averaged 663,261 compromised records per data breach. This indicates that external hackers aren't only much more skilled at intruding into organizational networks but are even more skilled at targeting the databases that contain the most records once they get inside. In other words, external hackers are getting more bang for their buck.

(The total number of compromised records that the PRCH reported is understated because, in many cases, it doesn't know how many records were compromised in a given data breach.)
As shown in Figure 3 (below), the business industry is clearly the most attractive target to hackers, accounting for more than half of all data breaches (53.7 percent). This was followed by educational institutions, with about 28.9 percent; government, 11.4 percent; health care, 4.2 percent; and nonprofits, with a mere 1.8 percent.

A glance at Figure 4 (below) makes it clear that the business industry has had the biggest bull's-eye on its back. It accounted for nearly 500 million records compromised by external sources, or 96.2 percent of the total. Education, government, health care and nonprofits trailed far behind, each making up 2 percent or less of hackers' targets.

In Figures 3 and 4, the business industry accounts for 53.7 percent of the external hacking data breaches and an overwhelming 96.2 percent of records compromised externally. This is in sharp contrast to the education industry, which accounts for 28.9 percent of external breaches but only 1.5 percent of compromised records. In terms of raw numbers, this amounts to 1,188,584 compromised records per breach for the business industry, compared to just 33,269 records per breach for educators.
There's some good news
All news isn't bad news.
The FBI says it has made cybersecurity "a top priority" over the past few years by beginning initiatives or programs. For example, those involved in Operation Clean Slate busted the more egregious scams. Arrests and prosecutions of key individuals followed. The FBI also joined efforts with the DOJ and various international partners to carry out investigations such as the GameOver Zeus bust.
These initiatives have begun to bear fruit. Law enforcement agencies have been successful in busting up three high-profile international identity theft-related activities that have bilked victims throughout the world out of hundreds of millions of dollars. Also, some of the key cybercriminals primarily responsible for originating, distributing and promoting the frauds have been arrested.
The first successful FBI investigation, the SpyEye botnet bust, was explained in part 1 in the March/April 2015 issue of Fraud Magazine. GameOver Zeus, discussed at the beginning of this article, was the second successful investigation. The third bust involved Cryptolocker malware.
According to the FBI, the U.S. and its international counterparts captured command-and-control servers for the Cryptolocker malware, which is a version of ransomware that locks a victim's computer and then demands a fee to unlock it. Computers infected with the GameOver malware also are usually infected with the Cryptolocker malware. (See the FBI report.)
In the scheme, a victim receives a pop-up message on his computer stating that his important files have been encrypted with a special private key that locks his files. If the victim pays a ransom from $300 to $700 or more, the attackers promise to share the key from a remote server that they control, which will allow the victim to decrypt and restore his files.
The pop-up message states that access to the private key will expire shortly, to pressure the victim to make a decision quickly. However, even after the victim pays the ransom, the private key remains on the attackers' command-and-control server and, in many cases, the hacker won't use the key to unlock the victim's encrypted files. In this case, the victim might be able to restore his files, but only if he's backed them up. To do so, he must first scrub (erase) the computer's hard drive. This can almost completely restore the computer from damage caused by spyware and viruses and also erases other unwanted files.
The DOJ reported on July 11, 2014 ("Department of Justice Provides Update on GameOver Zeus and Cryptolocker Disruption") that it's making progress to disrupt the GameOver Zeus botnet and the Cryptolocker malware.
Because of the DOJ's intervention, most of the computers infected with the GameOver Zeus malware are no longer under cybercriminals' control but are communicating with a substitute server that was established by court order. Information that the FBI gleaned from the substitute server indicated that the number of computers infected with GameOver Zeus malware has been reduced by 31 percent. The Cryptolocker malware is neutralized and can't spread to other computers.
According to the FBI, your computer might be infected with the GameOver Zeus or Cryptolocker malware if:
- Your computer system operates very slowly.
- Your cursor moves erratically with no input from you.
- You notice unauthorized logins to your bank accounts or unauthorized money transfers.
- Text-based chat windows appear on your computer's desktop unexpectedly.
- Your computer files lock up and a ransom demand is made to unlock files.
Those who believe their computers are infected with the GameOver Zeus malware should visit the Department of Homeland Security's dedicated GameOver Zeus webpage.
Help Net Security's website announced on June 8, 2014, that FireEye and Fox-IT provide a new free service called Decrypt CryptoLocker to help CryptoLocker victims unlock their files. Just click on "DecryptCryptolocker" in the article to access the webpage with the necessary instructions. (See "Free service helps CryptoLocker victims get their files back.")
These high-profile botnet busts by the FBI, DOJ and their international partners are major accomplishments and important setbacks for cybercriminals. However, history shows that cybercriminals are quick to respond with new versions of malware and will construct new botnets.
A new undetected botnet could already exist that uses the same malware from a previously busted botnet. In fact, the latter recently happened with the GameOver Zeus malware when, less than one month after the first GameOver Zeus botnet was busted, a new version emerged in a campaign that sent out malicious spam messages. (See "Breaking: GameOver Zeus Mutates, Launches Attacks," Malcovery Security, July 10, 2014, by Brendan Griffin and Gary Warner.)
Protecting against botnet attacks
Tony Bradley, in his article "How to protect yourself against GameOver Zeus and other botnets" on the PCWorld website, June 2, 2014, recommends that we heed the advice of Lucas Zaichkowsky, an enterprise defense architect with AccessData, to help avoid becoming a victim:
- "Block email attachments containing executable files or ZIP files with executable files like EXE and SCR.
- "Use vulnerability mitigation software to make up for unpatched software and avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks — including rare zero-days — before software patches are even available. Also, EMET can be managed in corporate environments using Group Policies.
- "Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise. Free antivirus software such as Microsoft Security Essentials or AVG Free are just as good as commercial offerings, so don't feel like you have to pay money to get a good product."
Bradley also recommends that organizations with security staff should learn "how to do manual analysis so incidents can be fully investigated to uncover what the existing security tools don't reveal."
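The first piece of Zaichkowsky's advice, blocking attachments that are executables or ZIP files containing executables, is easy to state but has edge cases a mail gateway must handle: double extensions such as "invoice.pdf.exe", renamed executables whose content is still a Windows PE file, and password-protected ZIPs whose members cannot be opened. The Python below is an added example, not code from the article or from AccessData; the block list, the fake "MZ" PE stub and the sample phishing-style message are constructed for illustration, and only the standard library is used.

```python
import email, io, zipfile
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}  # constructed block list
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable

def is_executable(name, head):
    """Executable by final extension (catches 'invoice.pdf.exe') or by PE header."""
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXEC_EXTS or head.startswith(PE_MAGIC)

def zip_executables(data):
    """Executable members inside a ZIP payload, inspected in memory, one level deep."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                # bit 0 of the general-purpose flag marks an encrypted member: judge by name only
                head = b"" if zf.getinfo(member).flag_bits & 1 else zf.open(member).read(2)
                if is_executable(member, head):
                    hits.append(member)
    except zipfile.BadZipFile:
        pass  # not a ZIP (or corrupt): nothing to inspect inside
    return hits

def blocked_attachments(raw_message):
    """Attachment names in one RFC 822 message that violate the block rule."""
    blocked = []
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data[:2]):
            blocked.append(name)
        else:
            blocked.extend(f"{name}:{m}" for m in zip_executables(data))
    return blocked

def build_sample_message():
    """Constructed phishing-style mail: a benign PDF plus a ZIP hiding a fake PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub, not runnable
    msg = EmailMessage()
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="summary.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling `blocked_attachments(build_sample_message())` returns `['invoice.zip:invoice.pdf.exe']`: the PDF passes and the ZIP is flagged because of the executable it carries.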
In addition, the FBI provides the following advice:
- "Make sure you have updated antivirus software on your computer.
- "Enable automated patches for your operating system and web browser.
- "Have strong passwords, and don't use the same passwords for everything.
- "Use a pop-up blocker.
- "Only download software — especially free software — from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
- "Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an email, even if you think it looks safe. Instead, close out the e-mail and go to the organization's website directly."
You've been forewarned. Be careful!
Hopefully, this article shows that cybercriminals are organized, their activities are profitable, and law enforcement agencies and security companies face many difficulties in curtailing their activities. The rate of occurrence of data breaches in the U.S. has escalated, and many still are unreported.
Unfortunately, the U.S. Congress hasn't provided much help. It hasn't passed a bill on data breach notifications or data protection guidelines for businesses, but some in Congress are trying to address the problem. We can only hope for strong and meaningful legislation, but don't hold your breath.
In the meantime, organizations should educate their employees about cybersecurity problems. Internal threats in large corporations are a serious problem, so they need to make cybersecurity a top priority.
Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He's also on the ACFE's Advisory Council and the Editorial Advisory Committee.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.