1. Delivering the best in z services, software, hardware and training.Delivering the best in z services, software, hardware and training.
World Class z Specialists
Cybercrime, Inc.
Rui Miguel Feio – Technical Lead

2. Agenda
• Evolution
• The next-generation criminal organisation
• The Cybercrime Inc. organisation
• Adapt to the new
• Examples
• Technological targets
• Hackers – The bread and butter
• Taking security seriously (or not)
• What can we do?
• Conclusion
• Questions

3. Introduction
– Technical lead at RSM Partners
– Been working with mainframes for the past 17 years
– Started as an MVS Systems Programmer with IBM
– Specialises in mainframe security
– Experience in non-mainframe platforms as well
– Been given presentations all over the world

4. Evolution

5. In the early years… not so long ago…
Picture from the short movie “KUNG FURY”

6. In the early years… not so long ago…
Technology
• Phones
• PC
• Bulletin Board Systems
• Internet
The ‘curious bunch’
– Phreakers
– Crackers
– Hackers

7. Today…

8. In nowadays…
Technology
• Phones
• PC
• Internet
• Smart phones
• Tablets
• Dark Web
• Internet of Things (IoT)
• Advent of Robotics
‘Curious bunch’ turned Pro
– Phreakers
– Crackers
– Hackers
– Carders
– Nation-states
– Intelligence Services
– Hacktivists
– Insiders
– Organised Crime Groups

9. Internet, the new frontier
• Tech evolution + Internet = New Business Opportunities
– Individuals started online businesses
– New major companies have been founded:
• Google, Facebook, Yahoo, etc.
– Existing business sectors turned online to increase their
earnings:
• Retail, financial, insurance, etc.

10. Society has also evolved…
• The internet allowed the creation of new economic markets and
opportunities
• This new economic market has no borders
• A market with hundreds of millions of users
• An economic market worth… Trillions of Dollars, Euros, Pounds…!!
• Many countries and companies are now dependent on this new
economic market

11. Where there is money, there is crime!
• Criminal gangs and organisations moved into the new economic
market:
– Started recruiting Hackers
– Started devising new “business ideas”
– Developed a “business plan”
• Organised crime became professional in the new internet world.

12. Old boys in a new age
• Traditional criminal organisations have ‘started’ cybercrime
divisions:
– Cosa Nostra (Italian Mafia)
– Japanese Yakuza
– Chinese Triads
– Russian Mafia
– Nigerian mobs
– Mexican cartels
– …

13. The next-generation of
criminal organisation:
CYBERCRIME INC.

14. Cybercrime Inc.
• Highly profitable (it’s always about the money)
• Low risk (anonymity and geographical location)
• More efficient due to technology
• Globally dispersed, with special concentration in:
• Ukraine • China • Brazil
• Russia • Indonesia • USA
• Romania • Taiwan • Turkey
• Bulgaria • India • Nigeria

15. Cybercrime Inc.
• 80% of Hackers work with or are part of an organised crime group *
• Highly organised
• Deeply sophisticated:
– Business approach
– Towards the ‘client’
* 2014 study by the Rand Corporation

16. Cybercrime Inc.
Use typical corporate strategies:
– Creative financing
– Global logistics
– Supply chain management
– ‘Workforce’ management
– ‘Client’ needs
– Business and market analysis

17. Cybercrime Inc. - Business model
• Take advantage of ‘anonymous’ services to advertise and sell their
‘normal’ products and services online
• Some of the new ‘business’ opportunities:
• Identity theft
• Intellectual property theft
• Trade secrets
• Industrial espionage
• Sensitive data theft
• Online extortion
• Financial crime
• Data manipulation

18. Cybercrime Inc. - Tactics used
• Some of the tactics and methods used by Cybercrime Inc:
– Phishing and spear phishing
– Man-in-the-middle
– Vulnerabilities
– Trojan horse software
– Spam
– Botnets
– Scareware
– Ransomware
– Malware
– DoS and DDoS

19. The Cybercrime Inc.
organisation

20. A typical business organisation
CEO
CFO
Management
Sales People
CIO
Management
Researchers Developers Engineers QA Testers Tech Support
HR Director CMO
Management
Distributors Affiliates

21. The Cybercrime Inc. organisation
CEO
(Boss)
CFO
(Underboss)
Management
(Lieutenant)
Money Mules
(Soldiers &
Associates)
CIO
(Underboss)
Management
(Lieutenant)
Researchers
(Soldiers)
Developers
(Soldiers)
Engineers
(Soldiers)
QA Testers
(Soldiers)
Tech Support
(Soldiers)
HR Director
(Underboss)
CMO
(Underboss)
Management
(Lieutenant)
Distributors
(Soldiers)
Affiliates
(Associates)

22. Cybercrime Inc. – ‘Business’ roles (1)
• Chief Executive Officer (CEO) – Boss
– Responsible for decision making and overseeing operations
• Chief Financial Officer (CFO) – Underboss
– Deals with every financial aspect of the cybercrime org.
• Chief Information Officer (CIO) - Underboss
– Responsible for the IT infrastructure of the organization
• Chief Marketing Officer (CMO) - Underboss
– Designs effective advertising methods for products and services

23. Cybercrime Inc. – ‘Business’ roles (2)
• Human Resources (HR) Director - Underboss
– Recruits the criminal workforce for the organization
• Management - Lieutenant
– Responsible for managing the ‘criminal’ workforce
• Researchers - Soldiers
– Look for new exploits and ‘business’ opportunities
• Developers & Engineers - Soldiers
– The techies, aka the brains!

24. Cybercrime Inc. – ‘Business’ roles (3)
• Quality Assurance (QA) Testers - Soldiers
– Test all crimeware to ensure it bypasses any security measures
of potential targets
• Technical Support - Soldiers
– Tech support to clients, affiliates and members of the
organization
• Affiliates - Associates
– Drive potential clients to Cybercrime Inc.

25. Cybercrime Inc. – ‘Business’ roles (4)
• Distributors – Soldiers
– Help distribute malware
• Money ‘Mule’ – Soldiers & Associates
– Helps with the money laundering

26. Adapt to the new

27. Cybercrime Inc. – Adapts to the New
• Constantly looking to innovate
• Overcome obstacles
• Meet market demands
• Explore new ‘business’ opportunities
• Use tools to help measure levels of success (e.g. Web analytics)

28. Hacking as a service

29. Some examples

30. Cybercrime Inc. – Innovative Inc.
• Innovative Marketing Inc. (aka IMI)
– Founded by Sam Jain and Daniel Sundin (HQ in Ukraine)
– Developed scareware rogue security programs:
• WinFixer
• WinAntiVirus
– Offices in 4 continents with hundreds of employees
– Support centres in Ohio, Argentina and India
– Marketed products under more than 1,000 different brands and in 9
languages
– From 2002 to 2008 IMI generated hundreds of millions of dollars in
profit.

31. Cybercrime Inc. – Innovative Inc.
Photograph taken in 2003
BJORN DANIEL SUNDIN
Wire Fraud; Conspiracy to Commit Computer Fraud; Computer Fraud
DESCRIPTION
Alias: David Sundin
Date(s) of Birth Used: August 7, 1978 Place of Birth: Sweden
Hair: Red Eyes: Hazel
Height: 5'10" Weight: 136 pounds
Sex: Male Race: White
Occupation: Internet Entrepreneur Nationality: Swedish
Languages: English, Swedish NCIC: W10511664
REWARD
The FBI is o6ering a reward of up to $20,000 for information leading to the arrest and conviction of Bjorn Daniel Sundin.
REMARKS
Sundin has ties to Sweden and the Ukraine.
CAUTION
Bjorn Daniel Sundin, along with his co-conspirator, Shaileshkumar P. Jain, is wanted for his alleged involvement in an international cybercrime
scheme that caused internet users in more than 60 countries to purchase more than one million bogus software products, resulting in
consumer loss of more than $100 million. It is alleged that from December 2006 to October 2008, through fake advertisements placed on

32. Cybercrime Inc. – RBN
• Russian Business Network (aka RBN)
– Registered as an internet site in 2006
– Based in St. Petersburg, Russia
– Allegedly founded by the newphew of a powerful Russian politician
– Specialises in:
• Personal identity theft for resale
• Provides web hosting and internet access to illegitimate activities
• DoS attacks
• Delivery of exploits via fake anti-spyware and anti-malware
• Botnet

33. Cybercrime Inc. – Carbanak Group
• The Carbanak Group
– Discovered in early 2015 by Kaspersky Lab
– Used an APT-style campaign targeting financial institutions
– Aim to steal money from banks
– Estimated $1 Billion dollars have been stolen in an attack against 100
banks and private customers
– Targeted primarily Russia, United States, Germany, China and Ukraine

34. Cybercrime Inc. – Mexican Cartels
• Mexican cartels:
– Targeted foreign companies investing in or with presence in Mexico
– Used internet to identify high-valued employees
– Checked travel arrangements to Mexico
– Replaced person at airport waiting for ’high-valued target’
– Kidnapped ’high-valued target’
– Demanded ransom

35. Cybercrime Inc. – Mexican Cartels

36. Technological
Targets

37. Targeting - Mobility
• Cybercrime Inc. is focusing on mobile devices:
– Used by individuals on a day-to-day basis:
• Online banking
• Online shopping
• Socialising
• Emails
• Store personal data
• GPS
– Can be easy to compromise and hack (e.g. install “rootkit” to gain
control to all features of the mobile device)

38. Targeting – The Cloud
• Cybercrime Inc. is focusing on The Cloud:
– Network of computing resources
available online
– The Cloud can be used to store, manage
and process information
– Companies are outsourcing primary
business functions using Cloud services
– Critical and confidential data is now
centralised in the Cloud
– Instead of targeting several individual
servers let’s focus on the ones in the
cloud shall we?

39. Targeting - Data
• Cybercrime Inc. is focusing on Data:
– Personal data
– Business data
– Government data
– Military data
– Data manipulation and disinformation:
• Financial markets
• What is displayed in our screens

40. Targeting - Internet of things (IoT)
• Cybercrime Inc. is focusing on IoT
devices:
– 2013 there were 13 billion online devices
– Cisco Systems estimates 50 billion online
devices by 2020
– IoT is estimated to drive an additional
$6.2 trillion to the global economy by
2025 according to McKinsey Global
Institute
– IoT devices are developed without having
security in mind

41. But Cybercrime Inc. can also target…
• SCADA devices
– Supervisory Control And Data Acquisition (SCADA)
– Specialised and often old computer systems
– Being connected to the broader internet
– These systems were not designed with security in mind
– 2014 study revealed that 70% had suffered at least one security
breach
• GPS Systems
• Tracking Systems
• Implanted medical devices (IMDs)
• And so many more!!...

42. Hackers – The bread
and butter

43. Looking for a Hacker
• Hackers are not born hackers, they are trained
• Enormous amount of free educational material in the internet and
in the underworld (dark web)
• PC games:
– Uplink
– Hacker Experience
– Torn City
– Hacknet
– Hackers (for iOS and Android)

44. Who wants to be a Hacker?
• Anyone who feels attracted or enjoys:
– Technology
– Challenge
– The thrill
– Adventure
– Danger
– Money
– Respect
– Fame

45. Taking security
seriously (or not)

46. On a nice Sunday morning…

47. On its TV screen facing the street

48. On a business train trip…

49. On a business train trip…

50. On a site, somewhere in Europe…

51. On a site, somewhere in Europe…

52. What can we do?

53. What can we do?
• Security must be taken seriously by everyone!
– Governments, companies, and individuals need to be security
conscious and security oriented
• Usual security recommendations apply:
– Keep security systems updated and up-to-date
– Question the origin of everything
– Be mindful of:
• The information you share and make ’publicly’ available
• Free Wifi hotspots (free can be become very expensive)

54. What can we do?
• Consider (as in doing!) regular:
– Security audits
– Penetration tests
– Vulnerability analysis
• Seek help for experts in the field to help to improve security
• Keep informed (training, conferences, articles, books, …)
• Don’t facilitate (weak passwords, use of same password, …)

55. What can we do?
• There must be no at home and at the office attitude. Security
awareness must always be present.
• Read before you ‘click’.
• Search, ask.
• Ultimately, if this is too much. Just switch off every electronical
device and go back to pen and paper. But will this be enough?

56. Conclusion

57. Conclusion
• As always the bad guys are ahead of the game:
– They have the money
– They have the resources
– They are well organised
– And above all, they have time!
• The most important thing is for every one of us (the ‘good’ guys) to
be security aware and security focused

58. Conclusion
• Ultimately we need to trust:
– The companies who sell us devices, and software
– The service providers
– Our social network
– The government

59. Conclusion – Most Important!
• Be mindful • Be aware

60. Questions

61. Rui Miguel Feio, RSM Partners
ruif@rsmpartners.com
mobile: +44 (0) 7570 911459
linkedin: www.linkedin.com/in/rfeio
www.rsmpartners.com
Contact