IT organizations can take some comfort in the recent arrest of the alleged masterminds behind one of the largest known cybercriminal networks. But given the nature of cybercrime, it is only a matter of time before some other group emerges to fill the void left by a network that the article describes as consisting of more than 4,000 bots.
The multi-year international "Operation Ghost Click" effort that resulted in the arrest of a gang of cybercriminals operating out of Estonia had been under way since 2008, with assistance from Trend Micro and others. Dave Sancho, senior threat researcher at Trend Micro, notes that the gang's activities were discovered by tracking which DNS servers infected end users (those who had clicked on malware-compromised ads) were being sent to. The gang was using the malware to change victims' DNS settings and redirect Web traffic to sites that offered everything from fake antivirus software to various pharmaceuticals. The sheer size of the network helped make it relatively easy to discover, but Sancho says it took years to first establish how large it was and then get the appropriate law enforcement officials involved.
To protect your organization from such threats, Sancho says it is critical for IT organizations to stay on top of DNS settings: both the resolvers that endpoints are configured to use and the answers those resolvers return, so that traffic is not being quietly diverted to a rogue site. Those that discover such activity should take the additional step of reporting it to the authorities. After all, chances are the compromised machines are only one link in a chain of botnets that could span the entire globe. It is only when authorities are able to correlate hundreds of reports that the true extent of such networks becomes apparent.
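The check Sancho describes can be automated on the endpoint side. The following script is an added example written for this article; it is not Trend Micro's tooling or anything from the original page. It parses the resolver list from a Linux resolv.conf or from Windows `ipconfig /all` output and classifies each resolver as approved, inside a known-rogue range, or unexpected. The approved resolver addresses (10.0.0.53, 10.0.1.53) are hypothetical placeholders for an organization's own servers, the rogue ranges are the DNSChanger ranges the FBI published in 2011 as I recall them (verify against the published list before relying on them), and both sample configuration texts are constructed for the demonstration.

```python
import ipaddress
import re

# Resolvers the organization actually operates. Hypothetical addresses,
# assumed for this example; replace with your own.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Address ranges published by the FBI in 2011 as the DNSChanger rogue resolvers.
# Reproduced from memory; verify against the published list before relying on them.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def _is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        # Strip trailing comments introduced by '#' or ';', then tokenize.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _is_ip(parts[1]):
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return the DNS server addresses from Windows 'ipconfig /all' output.

    The first address follows 'DNS Servers . . . :'; further addresses appear on
    continuation lines that contain nothing but an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            candidate = line.strip()
            if _is_ip(candidate):
                servers.append(candidate)
                continue
            collecting = False
    return servers


def check_resolvers(servers, approved=APPROVED_RESOLVERS, rogue_ranges=DNSCHANGER_RANGES):
    """Classify each configured resolver as 'ok', 'rogue', 'unexpected' or 'invalid'."""
    findings = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "invalid"))
            continue
        if ip in approved:
            status = "ok"
        elif any(ip in net for net in rogue_ranges):
            status = "rogue"
        else:
            status = "unexpected"
        findings.append((server, status))
    return findings


# Constructed sample inputs, not captured from real hosts.
SAMPLE_RESOLV_CONF = """\
# resolv.conf on a host whose settings were tampered with
nameserver 10.0.0.53
nameserver 85.255.112.36   # not ours
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.5.17
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       93.188.161.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        for server, status in check_resolvers(servers):
            print(f"{name}: {server} -> {status}")
```

Anything flagged "rogue" or "unexpected" is worth a second look and, as the article says, worth reporting: one host pointing at a resolver you do not run is a local cleanup job, while the same resolver showing up in many reports is how the authorities size the network behind it. Run this from an inventory or endpoint-management job rather than by hand, and compare the resolver an endpoint reports against what DHCP should have handed it.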
In short, there is no substitute for vigilance when it comes to fighting cybercrime. And while checking DNS settings may not seem like much, think of it as the digital equivalent of participating in your local neighborhood watch or keeping an eye out for unattended parcels or luggage. In other words, if you see something, tell somebody.