ALPS blog

From Bounty to Exploit: Observations About Cybercriminal Contests

Cybercriminals have taken the initiative to establish an informal way of conducting research and development by holding contests on forums. In this blog post, we go through the key takeaways we learned about these competitions.

These contests are diverse and range from public calls for articles that describe new technologies to hackathons that can improve cybercriminals’ defenses. We elaborate on the details of their operation here.

The following are our key takeaways:

  1. Cybercriminals often use crowdsourcing as their form of research and development. These public contests on criminal forums work like “American Idol” or “America’s Got Talent” for malicious actors.
  2. Unlike a traditional X-Prize competition, criminal evolutions do not need to be groundbreaking to be successful. Instead, they only need to evolve slightly beyond today’s defenses to have a massive midterm effect.
  3. Over time, something groundbreaking could result from these contests. With more and more of this kind of activity happening, statistically it is only a matter of time until the increasing creativity of contest winners leads to something groundbreaking for the cybercrime industry. This is called the “black swan” effect.

Lacking formal research and development functions in most cases, cybercriminals often use the public for brainstorming purposes to discover new and creative attacks. These contests, which crowdsource the best ideas from the criminal community, also provide financial rewards for the most promising solutions. These contests have also been used in the criminal underground for some time now and involve everything from pure creative activities like graphic design and poetry contests to calls for more practical applications, such as recruiting operations and requests for help in other areas of the criminal business.

Lately, the more concerning contests that have been rising in prominence look for creative ways to craft cyberattacks. These range from looking for slight evolutions of current techniques (enough to bypass defenses in the short term) to searching for entirely new categories of criminal business models. We believe that these contests, when run often, can eventually yield a brand-new attack that can change the status quo. It is also clear that this method of using the public for research is a successful one for cybercriminals and that they are getting a good return on their investment, as we have already seen a steady increase in the amount of financial rewards being offered in exchange for successful submissions.

For example, the organizers of one competition only want offensive techniques that can be used immediately. In this contest, they are interested in the main stages of an intrusion, namely social engineering, vulnerability exploitation, privilege escalation, counteracting defense software, gaining persistence, and generic malware technology. The prize is also quite high at 1 bitcoin (US$ 19,030.80), reiterating that criminals are investing a large sum of money in order to produce new offensive capabilities.

Figure 1. Contest seeking articles on a broad range of topics

In another post, organizers are looking to increase knowledge in the cryptocurrency field. Paradoxically, the prize is set in US dollars and not in cryptocurrency, as one might expect.

Figure 2. Forum contest on cryptocurrency exploitation

From a midterm perspective, the potential for these exercises to improve the quality of new attacks is considerable. By using this crowdsourcing model, the whole cybercriminal community effectively becomes a powerful research and development team. There is no call to action yet, but we want to make this kind of cybercriminal crowdsourcing known to the cybersecurity industry. Trend Micro continues to closely monitor the contents of associated calls for topics to ensure that our solutions are prepared should certain capabilities be created by today’s top-tier criminal actors.

Knowing the tactics employed and plans made by cybercriminals is key to ensuring a safer digital world. For more information on the different kinds of contests and the need for cybersecurity defenders to stay ahead, read our article, “From Bounty to Exploit: Cybercriminals Use Crowdsourcing for New Attacks.”
