Saturday, August 29, 2009

Trend Micro Whitepaper - A Cybercrime Hub

Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website, the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. Its employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers from its office in Tartu. The criminal outfit uses a lot of daughter companies thatoperate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal just continues its business under a new name. In fact, constantly changing names is part of the company’s business model with a few constants, one of which is the mother company in Tartu.

Although explicit evidence exists that the Estonian company is heavily involved in cybercrime, the company could also be just another fa├žade of a bigger cybercriminal gang whose investors reside in another country like Russia or the United States. In fact, it is not at all unlikely that foreign criminal investors put their money into the Estonian company so they do not have to do the dirty work themselves. This paper provides detailed data on some of the cybercrimes that this Estonian company has been involved with. It also provides advertising fraud statistics committed on legitimate websites. Furthermore, it explains the backend structure of fraud with Google search queries and shows that around 100,000 unique Internet users per day get a bogus message saying, “You are infected with a virus, please download this piece of free antivirus software,” whenever they attempt to access high-traffic pornography websites. Finally, it also briefly discusses the internal network of the Estonian company, which shows how all of its activities relate to one another.

No comments:

Post a Comment