BlackShades Arrests: A Watershed Event?Experts Size Up the Impact of International Crackdown
The cooperation among international law enforcement agencies that led to the arrests of more than 90 individuals in 16 nations for their alleged involvement in the use of BlackShades malware is a sign of significant progress in the global fight against cybercrime, some security experts say (see: Malware Takedown Leads to 90 Arrests). But others question whether even a sizable crackdown can have much of a long-term impact on the proliferation of malware.
See Also: 2016 State of Threat Intelligence Study
"The key isn't the size, but the degree to which multiple countries cooperated and coordinated their efforts to carry out a global law enforcement action as a single, integrated event," says Alan Brill, senior managing director at security advisory firm Kroll Solutions.
"For too many years, cybercriminals have depended on the lack of cross-border law enforcement cooperation and coordination to provide themselves with what they considered to be safe havens for their activities," he says. "The kind of cooperation and joint activity we saw in this operation should shake that belief."
Brill is hopeful that the connections made in planning and executing this international operation will provide the beginnings of a structure for better coordinating crackdowns against those who use, distribute and develop malware.
Payments fraud expert John Buzzard, who oversees FICO's Card Alert Service, notes: "Cybercrime doesn't have a boundary, and therefore our law enforcement efforts have to involve coordinate efforts like this over multiple countries and agencies. This is an excellent example of what cooperation can lead to."
And Brill suggests that this week's law enforcement activity "should be a warning to criminals, or those who think that they can get away with cybercrime, that wherever they are, the chances of being caught and prosecuted have just gone up."
How Big an Impact?
But Ed Ferrara, vice president and principal analyst at Forrester Research, points out that even a massive arrest can only have a relatively minimal impact on the worldwide proliferation of malware. "The number of arrests in this case is impressive, as well as the demonstrated cooperation between law enforcement from different countries; but this is one victory in a large-scale conflict," he says.
Ferrara also says the arrests apparently targeted "soldiers" and not "generals." He adds: "This is similar to the war against drugs. Low-level dealers get busted but the kingpins and cartel 'market makers' remain free."
Anton Chuvakin, a research vice president at the consultancy Gartner, predicts the international takedown will have a minimal impact on the use of malware for fraud.
"The criminal ranks have swollen enough so that one group being arrested would barely be a drop in the bucket," he says. "The odds still favor the criminals quite a bit: Make money now for sure and maybe get arrested later - but most likely not."
But the arrests may have a deterrent effect on low-level hackers, Buzzard acknowledges. "Arrest activity always slows the proliferation of high-profile crimeware. It doesn't stop it completely, but it definitely gives would-be users some reason to pause and contemplate their next move."
BlackShades malware has been sold to thousands of individuals throughout the world, according to Europol, the European Union's law enforcement agency that took part in the crackdown.
One of the versions of the malware, BlackShades RAT (Remote Access Trojan), enables users to remotely and covertly gain complete control over a victim's computer, Europol says. Once installed on a victim's computer, a user of the RAT can access and view documents, photographs and other files, record all of the keystrokes entered and even activate the webcam on the victim's computer, all of which is done without the victim's knowledge, Europol says.
In a recent case in the Netherlands, an 18-year-old used the BlackShades malware to infect at least 2,000 computers, Europol says.
Symantec refers to the malware as "creepware" because it gives attackers the ability to take complete control of an infected machine. "A simple point-and-click interface allows [attackers] to steal data, browse the file system, take screenshots, record video and interact with instant messaging applications and social networks," the security company says in a May 19 blog.
The BlackShades malware was sold for $40 to $50 on a dedicated website, bshades.eu, which has been taken down, Symantec says. As a result of the arrests and the site takedown, Symantec expects a significant decrease in BlackShades activity. "Although ... the source code for BlackShades remain online on various forums, we expect cybercriminals will begin to adopt other Trojans," according to the company's blog.
Users of the malware range from entry-level hackers to organized cybercriminal groups, Symantec says. And some of those groups waged well-organized attacks that transferred large sums of money using BlackShades-infected computers.
For example, the BlackShades malware was used as part of a sophisticated social engineering scheme known as Francophone that targeted French companies in financially motivated attacks, Symantec says.
Analyzing the Risk
The level of worldwide law enforcement cooperation on the recent arrests is an indicator of the perceived risk involved with the BlackShades malware, says FICO's Buzzard. "The mere fact that this malware can operate on a user's computer without their knowledge is testament to how powerful and dangerous it could be if left ignored," he says.
Curt Wilson, senior research analyst at Arbor Networks, says BlackShades has been popular among cybercriminals since 2010. Plus, the malware has been used by certain nation-states to spy on activists, he says.
Wilson says that while BlackShades has a reputation for being useful to unskilled hackers, law enforcement and security professionals cannot overlook the malware's capability for serious spying and cybercrime. "Any type of remote access Trojan compromise can allow any manner of attacker the capability to penetrate deeper into an organization," he says.
Andrey Komarov, CEO of Intelcrawler, a cyberthreat intelligence company, says BlackShades can serve as an important tool for a cybercriminal's arsenal because it acts as a remote access Trojan as well as ransomware.
While the malware has the potential to be used in sophisticated cyber-attacks, the majority of victims are individual Internet users in the U.S. and E.U., according to Komarov. He notes, however, that sources tell Intelcrawler that some government PCs were infected in several developing countries "absolutely randomly."
Don Jackson, director of threat intelligence at PhishLabs, an online security firm that tracks cyber-attacks, says the BlackShades malware is not typically used for account takeover attacks in the financial services sector. "Compared to banking Trojans like Zeus, it lacks many of the features cybercriminals need to hijack sessions and takeover accounts at scale," he says. "It has DDoS capabilities, but they are limited. It would be difficult for a cybercriminal to launch a major DDoS attack using BlackShades."