The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.

The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires, Argentina.

In China these days, e-commerce has become an important part of daily life, especially among young people. According to a report from CNNIC (China Internet Network Information Center), the number of Chinese e-commerce users reached 242 million at the end of the December 2012. This is nearly half of all Chinese internet users.

Because of this, many Chinese cyber-criminals changed their business from stealing QQ numbers or virtual assets in online games to stealing money during the online trading. In October, People-s Daily, the official newspaper of the Communist Party of China, reported that a group of cybercriminals were arrested in connection with a Trojan targeting the e-commerce users. The Trojan, detected by Kaspersky Lab as trojan-Banker.Win32.Bancyn.a, was named -Floating Cloud-, and was used to steal several millions of dollars from e-commerce users.

The name -Floating Cloud-, -浮云- in Chinese, comes from a very popular saying among Chinese internet users -神马都是浮云-. The direct translation is -God horses are always floating clouds-, which means everything flows away in haste like floating clouds. But here, the floating cloud is not a God horse but a Trojan horse. And the -Floating Cloud- was written in EAZY programming language in which programs can be written totally in Chinese.

To distribute the Trojan, cyber-criminals often masquerade as sellers. When the customer/target asks for information about the merchandise, they send a zip archive with the names like -detail information- which purports to contain a few pictures depicting the merchandise. But among these pictures, there is an executable file with the icon of image files. If the customer wants to take a look at this -picture- file and double clicks it, the Trojan will run.

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.

On 20th and 21st of August we had our 2nd Latin American Security Analyst Summit here in Quito, Ecuador.

It was not a closed-door event; we had guests from 13 countries of the region including our panelists from law enforcement agencies who work every day in the fight against cybercrime:

Emerson Wendt from the civil police of Brazil @EmersonWendt
Segundo Mansilla from the Police of investigations of Chile @s_mansilla
Fausto Estrella from Cyber police of Jalisco, Mexico
Santiago Acurio from Catholic University of Ecuador / Lawyer and Doctor of cybercrime Jurisprudence.

    Carolina Dieckmann, a famous Brazilian actress, recently became the victim of cyber attacks that allowed cybercriminals to steal personal property - nude pictures of her- from her computer. Many pictures or maybe all of them got leaked to the Internet. This incident has served as a good incentive for the Brazilian government to have new cybercrime laws in the country (the current law to fight cybercrime in Brazil was approved back in the 40’s of XX century). As a result of this incident, a new cybercrime law that carries a punishment of up to 2 years in prison for such crimes has finally been proposed for consideration. This is a good and right move! A press article in Portuguese can be

On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.

Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.

Here is a recent offer for the ‘multifunctional bankbot’, which appeared on 21 March:

    How much do you earn per day? If we look at how much a cybercriminal from Brazil earns every day, we’ll understand why Brazil is one of the main sources of malware in the world.

Brazilian cybercriminals really like to use short URLs to track infections and have their own stats. Here is the profile of one criminal using Bitly as a URL shortening service.

Life looks good for Brazilian hackers: the absence of a specific law against cybercrime leaves them feeling so invulnerable that the bad guys are shameless about publicizing their thefts and showing off the profits of a life of crime. We showed some of this in a presentation at the latest Virus Bulletin Conference, and it’s commonplace to find YouTube clips of Brazilian bankers and carders reveling in their ill-gotten gains and rubbing their easy money in the faces of hard-up victims (there’s one example here, and several more out there). It’s also common to find bad guys’ profiles on social networks such as Twitter, Tumblr, etc. Everything is done out in the open, without fear of being caught.

To help new “entrepreneurs” or beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses. Others went even further, creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how. On a website dedicated to selling these courses and promoting the “school”, a careful search turns up courses like “How to be a Banker”, “Kit Spammer” or “How to be a Defacer”.

Dark Market was one of the most famous underground forums ever, for several reasons. The most important one was that one of the administrators was an infiltrated FBI agent running a covert operation that ultimately lead to the arrest of 60 people worldwide. The forum was shut down in 2008, when Dark Market was probably the most important carding forum in the world.

In the beginning there were only malware and machines to be infected, with no money in the middle - only a will to get “fame” by coding. A few years ago this situation changed drastically and today the cybercrime ecosystem is much more complicated, including as much as 7 key elements. This starts with the coders, who only develop the malware, then sell it to other criminals while offering service support. The criminals who buy it distribute it among other cybercriminals and money mules.

What’s the problem here? In general the AV industry still fights the same way as 15 or more years ago. We detect more amounts of advanced malware yet more appears every day. It’s like cutting a weed but leaving the root - it just grows up again and again...