COMP.SEC.100 / 8. Adversarial Behaviour
8.3 Elements of harmful activity (advanced)
Criminals seek to operate as cost‑effectively as possible and to generate the greatest possible profit. Police, other authorities, security companies and users of information systems continuously attempt to prevent criminal activity, so criminals must develop their operations to withstand these countermeasures. In recent years the cybercriminal ecosystem has become increasingly specialised: actors concentrate on particular roles and trade their services with one another on underground markets.
- Affiliate programmes: An affiliate programme is a system in which a core organisation provides the “brand” and all the necessary means for, for example, subscriptions, deliveries and payments. Affiliates can join the programme, direct traffic to the platform’s address and receive a share of sales. Such systems also exist for legitimate businesses (Amazon, for example, runs an affiliate programme), but they have been particularly successful among cybercriminals. The main difference between legitimate and criminal programmes is that criminals trade products that are illegal (counterfeit medicines or designer goods, gambling services etc.) and typically rely on illegal techniques such as malware. Affiliate programmes are popular in the cybercriminal world because criminals do not have to start from scratch; instead, they can focus, for example, on building botnets for spam campaigns and purchase other necessities (such as product distribution) as a service. Affiliate programmes also give cybercriminals a collaboration channel that makes it easier to make contacts and trade services.
Attack vectors (advanced)
Cybercriminal activity is often based on the distribution of malware, so the criminals’ attack vectors are the methods by which they get malware installed on a victim’s computer:
- Malicious attachments: The oldest and best‑known method is to lure the victim into opening an attachment that contains malware or is itself malware. Various techniques are used to make attachments appealing, including methods also employed in phishing. Social engineering techniques, that is, techniques for manipulating users, are also used for this purpose.
- Black hat search engine optimisation: Search engine optimisation is a practice in which website operators adjust their content so that it is indexed more effectively and appears higher in search engine results. Criminals do the same, but in such a way that a fake site rises higher in the results and misleads users to it. For example, in Finland in autumn 2021, warnings were issued about a phishing campaign related to the Kanta services, in which a phishing site resembling the Kanta service appeared above the legitimate site in some search engines and stole the online banking credentials of users who were misled to the site. Black hat search engine optimisation is often tied to a topic that is widely discussed or topical in society and therefore generates many searches (for example, major sporting events, elections, or even vaccination certificates during the Covid‑19 period).
- Drive‑by download attacks: The victim is lured (for example, through black hat search engine optimisation) to a website created or hijacked by criminals, where a malicious script attempts to download malware onto the victim’s device automatically by exploiting vulnerabilities in the browser or one of its plug‑ins (see also later). Another method is malvertising, in which a criminal embeds their script in advertising space purchased on a website.
- Compromise of internet‑connected devices: Criminals scan networks and search for vulnerable devices, such as IoT devices. These are conscripted into botnets that can be used for spam campaigns or denial‑of‑service attacks.
Infrastructure (advanced)
Criminals require hosting servers for their websites. Authorities and operators shut down criminal servers if they are discovered. To counter this, criminals use, for example, bulletproof hosting service providers, which do not shut down in response to demands from authorities. This is achieved, for instance, by locating servers in countries that lack strong cyber legislation or where local authorities can be bribed. As a result, such services often host a large amount of criminal activity, and criminals are willing to pay for them. Even if authorities cannot directly shut down the services, network operators can block their traffic once the server location is known.
Criminal botnets, in turn, require command infrastructure to direct infected machines towards malicious operations. Centralising botnet control in a single location is a problem for criminals, because it creates a single point that can be taken down, so distributed structures such as peer‑to‑peer command channels are preferred.
Specialised services, human‑based services and payment services (advanced)
Cybercriminals use multiple services to support their operations. An exploit kit is a vulnerability package that a cybercriminal can purchase and deploy on a website. The package contains a collection of exploits and malware. When a victim visits the site, the kit examines the victim’s device and exploits an appropriate vulnerability. The cybercriminal saves time and effort by not having to research vulnerabilities themselves. A pay‑per‑install service sells the installation of malware onto victims’ computers; the criminal using the service pays for each successful installation. Again, the criminal saves time and effort by outsourcing the work.
Human‑based services cover work that still requires a person. CAPTCHA‑solving services facilitate the mass creation of accounts: the criminal redirects CAPTCHAs to a service where humans solve them, allowing the criminal to focus on creating accounts. Some criminals also trade directly in fake accounts, buying or selling ready‑made accounts on underground markets; even accounts with an already established reputation may be available. Various content services are also offered on underground markets, for example for building fake websites.
For handling money, criminals can purchase money laundering as a service from specialised money “mules” on underground markets. For handling funds and payments, cybercriminals use, for example, bank cards, PayPal, Western Union or cryptocurrencies. From the criminal’s perspective, cryptocurrency carries the lowest risk of being caught, as it is more anonymous and harder to trace than the other methods.