{"id":4837,"date":"2015-11-23T17:53:48","date_gmt":"2015-11-23T17:53:48","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4837"},"modified":"2019-11-15T07:00:34","modified_gmt":"2019-11-15T12:00:34","slug":"russian-cybercrime-underground-doing-business-in-plain-sight","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/russian-cybercrime-underground-doing-business-in-plain-sight\/4837\/","title":{"rendered":"Russian cybercrime underground: doing “business” in plain sight"},"content":{"rendered":"

The Russian Mafia is a long-standing media staple in the West, portrayed with many\u00a0myths, but reality is possibly surpassing all of them. Russian cybercrime appears to be a formidable adversary for the cybersecurity industry, and a huge problem for businesses and individuals worldwide. Meet Securelist\u2019s new fundamental research: Russian financial cybercrime: how it works<\/a>.<\/p>\n

A matter of communication<\/strong><\/p>\n

It\u2019s important to note that\u00a0\u201cRussian\u201d means \u201cRussian-speaking\u201d, not specifically \u201coriginating from Russian Federation\u201d: Russian language is actively used throughout many post-Soviet republics, but the Russian-language cybercrime market predominantly consists of citizens of Russia, Ukraine, and the Baltic states.<\/p>\n

Securelist says this cybercrime market is well known throughout the world. First, because of frequent media coverage. The second reason Securelist describes as \u201cthe open accessibility of online platforms used by the cybercriminal community for communications, promoting a variety of \u201cservices\u201d and \u201cproducts\u201d and discussing their quality and methods of application, if not for making actual deals.\u201d<\/p>\n

In other words, a large number of cybercriminals do their illicit business in the plain sight, then go on to commit financial attacks of various scales and sophistication.<\/p>\n

Damage estimates<\/strong><\/p>\n

Between 2012 and 2015, law enforcement agencies from a number of different countries, including the United States, Russia, Belarus, Ukraine, and the EU arrested over 160 Russian-speaking cybercriminals, members of various criminal groups. All of those arrested were suspected of being engaged in stealing money using malware; the total estimated damage resulting from their worldwide activity exceeded $790 million. $509 million had been stolen outside the borders of the former Soviet Union. And these are only confirmed losses, the details of which, Securelist says, were obtained by law enforcement authorities during the investigation. In fact, the damage might have been much larger.<\/p>\n

Despite this formidable number of arrests the \u201cmarket\u201d is still crowded and very much active.<\/p>\n

According to Kaspersky Lab experts, over the last three years Russian-language cybercrime has recruited up to a thousand people. These include people involved in the creation of infrastructure, and writing and distributing malware code to steal money, as well as those who either stole or cashed the stolen money.<\/p>\n

According to Kaspersky Lab\u2019s Computer Incidents Investigation Department, there are at least five major cybercriminal groups specializing in financial crimes which have been monitored over the last few years. All of them include 10 to 40 people. At the same time, there are about 20 \u201ccore professionals\u201d who play leading roles in criminal activities that involve the online theft of money and information across the entire cybercriminal underground. So much damage from so few people.<\/p>\n

Business activities<\/strong><\/p>\n

All in all, cybercrime IS a business, operating by the same patterns \u2013 by offering \u201cproducts\u201d and \u201cservices\u201d, for instance; following the same logic \u2013 maximizing ROI, etc. \u00a0It is totally illicit and very damaging, but it is built on the same principles. Cybercrime groups\u00a0almost openly hire codewriters and system administrators, just like normal businesses. Programmers create and modify malware, while admins perform tasks almost identical to their legit counterpart: implementing the IT infrastructure and maintaining it in working condition.<\/p>\n

\u201cCybercriminal system administrators configure management servers, buy abuse-resistant hostings for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks\u201d, Securelist wrote.<\/p>\n

Cybercriminals also\u00a0offer a number of the following \u201cproducts\u201d and \u201cservices\u201d to each other and third parties. Here are primary offerings, highlighted by the Kaspersky Lab researchers:<\/p>\n

Products:<\/strong><\/p>\n