Cybercriminals still enjoy bragging about their escapades

April 13th, 2011

Details about whether the initial hacks of permission e-mail marketers Epsilon and Silverpop were achieved via a successful spear phishing attack, followed by a classic persistent intrusion caper, may take a while to figure out. But even if investigators do solve those puzzles, it’s unlikely details will be publicly disclosed.

Breached enterprises generally do not discuss the results of forensic investigations. But there is another way to stay informed about cybercriminals’ tricks of the trade.

In this LastWatchdog guest post, Amichai Shulman, Co-Founder and CTO of Imperva, describes what Imperva has recently learned by listening in.


By Amichai Shulman

Can you imagine an army showing up on a battlefield with insufficient knowledge of the opponents’ weapons or tactics? General Custer tried it—once. The importance of proper intelligence cannot be overstated.

Hackers have strong incentives to keep evolving their techniques and attack vectors, such as automated tools, just as security vendors do. Hackers pride themselves on innovation, so their platforms grow at a pace that is very difficult to monitor without dedicated effort.

However, hackers actually make it easy for savvy security researchers. Hackers are largely egotistical and narcissistic, and joining certain hacker forums is relatively easy. There they discuss the tools, techniques and technologies of their trade. Feeding off attention, hackers often boast about their exploits.

For example, in December 2009, a hacker boasted about breaching Rockyou.com and exfiltrating 32 million passwords. But few other hackers believed it. To remove any doubts, the hacker posted all 32 million passwords for a few hours. We downloaded the list and analyzed it, revealing that “123456” was the most commonly used password and giving consumers worldwide insight into how to improve their password security practices.
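The kind of analysis described above, as an added example that is not Imperva’s own code: a frequency and weakness breakdown of a leaked password list, run here on a small constructed sample rather than the 32 million-entry RockYou dump, plus a blocklist a defender can derive from it to reject the most common choices at signup.

```python
# Added example (not from the original post): analysis of a leaked password list
# in the spirit of the RockYou study. SAMPLE_DUMP is a constructed stand-in.
from collections import Counter

SAMPLE_DUMP = """123456
12345
123456789
password
iloveyou
princess
123456
123456
password
rockyou
123456
12345
abc123
Nicole
daniel
123456""".splitlines()


def top_passwords(passwords, n=5):
    """Return the n most common passwords with their counts (most frequent first)."""
    return Counter(passwords).most_common(n)


def coverage(passwords, n=5):
    """Fraction of accounts that use one of the n most common passwords.

    This is the share of accounts exposed to a guess of just the top-n list,
    which is why a short blocklist removes so much risk.
    """
    return sum(c for _, c in top_passwords(passwords, n)) / len(passwords)


def weakness_stats(passwords):
    """Share of passwords that are all digits, shorter than 8 characters,
    or lowercase letters only."""
    total = len(passwords)
    return {
        "digits_only": sum(p.isdigit() for p in passwords) / total,
        "short": sum(len(p) < 8 for p in passwords) / total,
        "lower_alpha_only": sum(p.isalpha() and p.islower() for p in passwords) / total,
    }


def build_blocklist(passwords, min_count=2):
    """Passwords seen at least min_count times; reject these when users pick a password."""
    return {p for p, c in Counter(passwords).items() if c >= min_count}
```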

Hackers also post information about the tricks of their trade. They post, for instance, kits for developing hacking campaigns or source code for hacking software. We’ve analyzed these efforts from a technical perspective to understand how hacking activity changes. The most amusing incident was the case of a phishing kit where a hacker, as “a community service,” contributed his cloud-based phishing kit. The irony, however, was that the contributing hacker actually built a backdoor in the product that sent all stolen credentials to him so he wouldn’t have to do any work.

Our company, Imperva, conducts a Hacker Intelligence Initiative (HII) through our research arm, the Application Defense Center (ADC). The HII is focused on improving risk management by tracking technical trends and targets in the online underground, hacker forums and chat rooms. Most members of the ADC have military experience and hold Masters degrees in Computer Science. “Reformed hackers” are never even considered.

Aside from hacker forums, the ADC also has “honeypots” in cyberspace. Like weather balloons that report on climate conditions, our honeypots report on various attacks hackers perform. For instance, our honeypot helped us find out that DDOS attacks were coming from infected servers (vs infected PCs) to leverage their stronger fire power.

We also uncover specific incidents. For example, we recently learned of a hacker who was selling information and access to several high-profile US and European .gov, .mil and .edu websites and databases. He used the forum to promote his site to attract buyers and also to recruit other hackers.

By browsing the forum, we observed the list of hacked sites and discovered the method the hacker used to obtain data: automated scanning to exploit applications vulnerable to SQL injection. (This information, ironically, was revealed by the hacker’s disgruntled former business partner, showing that insider threats are a problem in the hacker community too.) Many of the victim sites shut down for days to remediate.

Our work isn’t limited to applications and databases. For example, we monitored Operation Payback, an initiative launched by the hacker group Anonymous seeking revenge on companies for denying funds to WikiLeaks. This was a powerful distributed denial of service (DDoS) effort in which communication channels to synchronize all the attacking parties were mandatory for success. We tapped into these channels – mostly Twitter accounts and internet relay chat (IRC) – and were able to obtain first-hand, real-time information about the attack, including:

  • The current and future targets.
  • The attack tools, which were mostly several versions of a downloadable DDoS tool called LOIC (Low Orbit Ion Cannon). Over time, we were the first to notice that some of the attack organizers hoped to boost the attack by integrating with botnet operators.

We conveyed this information to targeted companies privately as well as through major news media to help them fine-tune cyber defenses.

Security teams must have a disciplined process for risk management, and our HII helps these teams maintain effective security on a limited budget by keeping an eye on their actual opponents rather than on theoretical threats. To paraphrase “The Art of War,” if you know yourself but not your enemy, you may win or you may lose. However, if you know your enemy, you can win 1,000 wars. Every day, our research seeks to know the enemy.

About the author: Amichai Shulman, Co-Founder and CTO of Imperva, heads up the Application Defense Center (ADC), Imperva’s internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.