[Владимир Петровић]

Rusko sajber podzemlje, onakvo kakvo je danas u pogledu organizacije, postoji od 2004. godine. Forumi koji okupljaju kriminalce danas su mesta na kojima se trguje i na kojima se razmenjuju informacije. Neki od poznatijih ruskih hakerskih foruma su zloy.org, DaMaGeLab i XaKePoK.NeT. U početku su ovi forumi korišćeni za razmenu informacija, ali su vremenom počeli da se koriste kao mesta na kojima se trguje i danas je ta njihova uloga mnogo istaknutija od njihove prvobitne namene.

Kompanija Trend Micro je objavila svoje novo istraživanje o ruskom sajber podzemlju, koje je deo ranije započetog istraživanja kompanije o ekonomiji sajber podzemlja.

Izveštaj otkriva zanimljive detalje o ruskom sajber podzemlju, i proizvodima i servisima koje ono nudi, kao i o aktuelnim cenama.

Rusko podzemlje nudi široku paletu proizvoda i servisa. Primetno je da su se prodavci specijalizovali za određene proizvode i servise. Tako oni koji žele da zarade od sajber kriminala više ne moraju da razvijaju sopstvene alate, već je dovoljno da se povežu sa pravim ljudima od kojih mogu nabaviti ono što im je potrebno. Primera radi, pojedine grupe ruskih sajber kriminalaca bave se samo enkripcijom fajlova ili DDoS napadima ili preusmeravanjem saobraćaja ili nude PPI (plaćanje po instalaciji) servise.

Kao i na svakom drugom tržištu, i ovde vlada zakon ponude i potražnje. Cene proizvoda i servisa koje se nude su u padu. Razlog tome je povećana ponuda, pa je tako na primer došlo do pada vrednosti ukradenih američkih kreditnih kartica koje su 2011. i 2012. vredele 3 dolara a sada se mogu nabavititi po ceni od jednog dolara.

Isto važi i za ukradene naloge email servisa i društvenih mreža: vrednost ukradenih Facebook naloga je prepolovljena sa 200 dolara u 2011. na 100 dolara u 2013. Ipak, pojedine vrste naloga nisu izgubile vrednost, što je slučaj sa Gmail ili Hotmail nalozima.

Sa padom cena došlo je i do pada u kvalitetu ponude pa proizvodi i servisi koji se nude na crnom tržištu nisu kvalitetni kao što se reklamiraju. Zbog toga se sve više i prodavci i kupci oslanjaju na posrednike kako bi obe strane bile sigurne da neće biti prevarene. Posrednici dobijaju 2-15% prodajne cene a zauzvrat oni garantuju da će i prodavac i kupac biti zadovoljni na kraju.

Hakerski forumi koji pripadaju sajber podzemlju imaju na desetine hiljada članova koji koriste različite metode (Tor, VPN) da bi sačuvali anonimnost. Na forumima oni koriste svoje nadimke i ICQ brojeve.

“Iako su cene većine proizvoda i servisa koji se prodaju na ruskom crnom tržištu u padu, to ne znači da taj posao nije dobar za sajber kriminalce. To čak može da znači da tržište raste, a kao što vidimo kako vreme prolazi sve više i više proizvoda i servisa se nudi”, kažu stručnjaci kompanije Trend Micro.

Sajber kriminalci, kao i poslovni ljudi koji se bave legalnim biznisom, takođe nastoje da automatizuju poslovanje, što rezultira nižim cenama proizvoda i usluga. Ipak, opstaje i “trgovina na malo”, pa proizvodi i servisi koji se tako prodaju ostaju skupi jer njihov razvoj zahteva posebna znanja i veštine koje samo pojedinci imaju.

Извор портал Информација.рс

Сајбер криминал је постао глобална претња на интернету...

[Владимир Петровић]

Група руских хакера украла је, како се процењује, 1,2 милијарде интернет лозинки, од којих неке припадају значајним америчким компанијама, али и другим светским фирмама, пише "Њујорк тајмс".

Поверљива имена корисника и лозинке су, према подацима компаније "Холд сикјурити", украдени са око 420.000 вебсајтова, чиме је групи хакера постало доступно 500 милиона имејл налога, преноси Танјуг.

[Захумље]

Yesterday, The New York Times dropped an exclusive account of what reporter Nicole Perlroth called "the biggest hack ever." By the numbers it certainly held up: 1.2 billion accounts, covering 500 million unique email addresses over 420,000 websites. The data had been captured by a Russian hacker group called CyberVor, and revealed by Hold Security. But as the smoke clears, the hack seems to be less of a criminal masterwork than the article might have you believe.

HOLD SECURITY IS ALREADY CAPITALIZING ON THE PANIC

The biggest problem, as Forbes's Kashmir Hill and The Wall Street Journal's Danny Yadron have noted, is that Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it's just trying to recoup expenses, but there's something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is.

Of course, facts are still facts, but even the hard data here is a little strange. If the idea of hacking 1.2 billion usernames sounds incredible, it should. There are just a handful of services with over a billion users — Facebook, Google Search, and Microsoft Office lead the pack — and if any of those were involved, Hold wouldn't be shy about saying so. Instead, this data comes from hundreds of thousands of compromises over the course of months. Comparing it to breaches like Adobe or Target, as Perlroth does repeatedly, simply doesn't make sense.

COMPARING IT TO BREACHES LIKE ADOBE OR TARGET SIMPLY DOESN'T MAKE SENSE

It would still be impressive if CyberVor had managed to hack that data across all 420,000 sites, but even that is unclear. Here's Hold Security's description of the attack:

Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... [which] used victims’ systems to identify SQL vulnerabilities on the sites they visited.... eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
Notice anything odd? Both Perlroth's article and Hold Security's description stop short of saying the group actually stole all 1.2 billion passwords. They just "eventually ended up" with them. We already know the gang started out by buying data from earlier hacks, but it's remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else's hack.

SQL INJECTION IS A POWERFUL TECHNIQUE, BUT A COMMON ONE

But what about the high-rolling corporate security involved? Hold Security says the companies affected range "from Fortune 500 companies to very small websites," but their technique is much better suited to small sites than major corporations. SQL injection is a powerful technique, but it's also a common one. Hackers have been using the attack for more than a decade, and any security professional would know to protect against it. It's always possible that a Fortune 500 company left themselves exposed (you should never underestimate incompetence), but it seems like a long shot. Most comparable hacks (Target, Adobe) involved extensive research and multistage hacks that were tailored specifically to that company, much more sophisticated attacks than the one Hold describes.

If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive.

THE DATA MAY BE MORE ABOUT QUANTITY THAN QUALITY

The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money. They're using it for Twitter spam, the dark web equivalent of boiling the bones for stock. If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming. The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.

What you're left with is something of a mess. Clearly CyberVor has been busy, and they seem to have done real damage. Spammers are bad, and cracking small sites is just as bad as cracking big ones. But the most impressive aspects of the hack (the 1.2 billion accounts, the 420,000 sites) all have more to do with how the hack was framed than how it was carried out, and it's easy to see why. No one was going to pay $120 a year just to find out if their Twitter might get hacked.