The Digital Godfather: Evolution of Cybercrime and How Businesses Can Safeguard Themselves
by Renée Burton, Vice-President of Threat Intelligence, Infoblox
Imagine the intricate networks of crime syndicates and mafias often depicted in movies, where a single organisation, operating from the shadows, exerts its influence over the sprawling urban landscape of a city.
We see the same with cybercriminals forming their syndicates to rule the cyber domain from the shadows. Mimicking legitimate business operations, one of those groups is especially effective in redirecting unsuspecting users to compromised websites for malicious purposes. Its name: VexTrio.
Understanding the New Landscape of Cybercrime
New research has recently unveiled critical insights into the cybercriminal entity VexTrio, exposing its complex network of malicious connections with other cybercriminal enterprises. Orchestrating a vast network of over 60 partner entities, the VexTrio affiliate program operates with striking similarities to legitimate traffic distribution systems (TDSs) – originally designed for the marketing sector to direct online traffic.
How the ruse works: VexTrio affiliates re-route traffic from their own compromised sources, such as websites, directing it towards VexTrio-controlled servers. Once the internet user traffic is captured, it is then funnelled to a variety of fraudulent activities, including scams, fake websites, and other malicious exploit mechanisms managed by VexTrio’s network of cybercriminal partners. In some instances, VexTrio acts as a threat actor themselves.
VexTrio evaded detection for a long time by maintaining independent sources of web traffic: compromising vulnerable websites, obtaining traffic from other cybercriminals, and growing its affiliate network. This enabled the group to keep spreading its malicious activity while avoiding detection by security systems.
These TDS servers, by swiftly routing users to the most lucrative sites, have become instrumental in the evolution of cybercrime, transforming it into an intricate economy where cybercriminals steer unsuspecting victims towards scams, benefiting financially from the traffic they generate. This shift is pivotal, signalling how cybercrime has matured into a robust, self-reinforcing marketplace.
The Rise of Malware-as-a-Service
The VexTrio affiliate program has not only unveiled the complexities of cybercriminal alliances but also the sophistication and structure of the dark economy behind them.
Cybercriminals, once viewed primarily as independent hackers or isolated geniuses, are now often key players in a vast criminal network, engaging in the exchange of illicit services and products. This underground marketplace thrives on the concept of Malware-as-a-Service (MaaS), which has drastically lowered the entry barrier for committing cybercrimes. MaaS provides a suite of ready-to-use hacking tools and services, making it easier for individuals with varying levels of technical expertise to launch attacks.
These developments point to a maturing cybercriminal industry, where the services offered are as diverse and specialised as those in a legitimate economy, and where these services are used in coordination to maximise the impact and profitability of attacks. With such a framework in place, cybercrime is no longer a disorganised assortment of individual actors but a structured, collaborative endeavour that poses a significant challenge to cybersecurity defences.
Prevention and Mitigation
As the cyber threat landscape evolves, organisations face the complex challenge of detecting malicious activities on shared hosting services, where cybercriminals blend in with legitimate traffic. This complexity stretches beyond the capabilities of traditional blacklisting and static defence strategies, requiring a more dynamic approach to cybersecurity.
To effectively disrupt the cyberattack chain, organisations must intercept these threats at the crucial point where user traffic is manipulated. A solution lies in leveraging advanced analytics to monitor DNS queries in real time. This enables security teams to swiftly identify suspicious patterns and anomalies that signal a security threat.
Seeing and stopping these threats earlier can be done by implementing real-time streaming analytics on live DNS queries, so that security teams detect patterns, anomalies and security threats as they occur. Developing tailored DNS signatures and statistically based algorithms can also help identify intermediary TDS servers and potential cybercriminal domains, giving security experts visibility into these networks and control over a constantly changing environment.
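As an added illustration of the statistical approach just described (example code, not Infoblox's or the research's own signatures), the small Python detector below runs over constructed DNS query records and flags domains that many distinct clients resolve as a middle hop between two other domains within a short window, which is the resolver-side footprint of a redirect chain. The log format, the window length and the client threshold are assumptions.

```python
"""Flag candidate TDS intermediary domains from DNS query logs.

Heuristic (an assumption, not a published signature): a domain that many
distinct clients resolve sandwiched between two other domains within a
short window behaves like a redirect hop. All log lines are constructed.
"""
from collections import defaultdict

# Constructed sample records: "<unix_ts> <client_ip> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.1 blog-example.test
1700000001 10.0.0.1 hop-example.test
1700000002 10.0.0.1 landing-a.test
1700000005 10.0.0.2 news-example.test
1700000006 10.0.0.2 hop-example.test
1700000007 10.0.0.2 landing-b.test
1700000010 10.0.0.3 forum-example.test
1700000011 10.0.0.3 hop-example.test
1700000012 10.0.0.3 landing-c.test
1700000020 10.0.0.4 cdn-example.test
1700000021 10.0.0.4 blog-example.test
1700000090 10.0.0.5 blog-example.test
"""

def parse(log):
    """Turn the text log into (timestamp, client, qname) tuples."""
    rows = []
    for line in log.splitlines():
        ts, client, qname = line.split()
        rows.append((int(ts), client, qname.lower().rstrip(".")))
    return rows

def find_tds_candidates(rows, window=5, min_clients=3):
    """Return {domain: set_of_clients} for domains seen as a middle hop
    (prev -> domain -> next, all within `window` seconds) by at least
    `min_clients` distinct clients."""
    by_client = defaultdict(list)
    for ts, client, qname in sorted(rows):
        by_client[client].append((ts, qname))
    middle = defaultdict(set)
    for client, queries in by_client.items():
        for i in range(1, len(queries) - 1):
            t0, prev = queries[i - 1]
            _, cur = queries[i]
            t2, nxt = queries[i + 1]
            # three distinct names resolved in quick succession
            if t2 - t0 <= window and len({prev, cur, nxt}) == 3:
                middle[cur].add(client)
    return {d: c for d, c in middle.items() if len(c) >= min_clients}

if __name__ == "__main__":
    for domain, clients in find_tds_candidates(parse(SAMPLE_LOG)).items():
        print(f"candidate TDS hop: {domain} ({len(clients)} clients)")
```

Raising `min_clients` or shortening `window` trades recall for fewer false positives on legitimate CDN or analytics hops, which is why the thresholds belong in tuning rather than in the code.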
VexTrio serves as a stark reminder of the ever-evolving landscape of cybercrime. The difficulty of precisely classifying internet activity and attributing it to the cybercriminal syndicates behind it underscores the urgency of an overhaul. Like the mafia we know from the big screen, these groups live in broad daylight yet operate in shadowed secrecy.
By prioritising proactive disruption, and harnessing real-time defence, we are building a more resilient digital infrastructure for a world that never stops.