Oh, Canada! Fake IDs and stolen logins? Is that all you’re doing?
Canadians might just be too polite for more violent forms of cybercrime. We’re involved in online crime to a certain extent, buying and selling stolen data and documents, but that’s where it tends to end for us. That’s the view of Christopher Budd, global threat communications manager at Trend Micro. “It’s not as big because in Canada compared to the US you have a more polite and civil society,” he said. “You don’t have quite the glorification of criminals that you do down south here. There’s more respect for law and order, and I think that comes through.”
Budd was discussing the latest in a series of Trend Micro reports. In January, it published the North American supplement to its Cybercrime Underground Economy Series, exploring the characteristics of the criminal underground on that continent.
The report yielded several insights, under an overarching theme: Canadian criminals restrict themselves largely to trading stolen credentials, but don’t provide the means to harvest them in the first place.
“What we take from these facts is that because Canada is next to such a big neighbour, people are just not bothering to set up their own Canadian versions of attack tools,” said Budd. “It’s just easier to go ahead and use the North American marketplace.”
Bullet-proof hoster or victim?
Canadians also steer away from providing malicious hosting services. When Trend Micro maps the path of an exploit that targeted a Canadian victim, it usually finds that the server responsible is located somewhere in the US.
“In a nutshell, the US is Canada’s largest exporter of malicious activity,” he added.
In the rare cases where a malicious online destination is hosted in Canada, it’s pretty rudimentary. The ratio of malicious addresses and domains is 1:1, which according to Trend proves that bad domains stay on the same IP and don’t move around, as they do in other regions. That means no peer-to-peer or fast flux DNS action.
Indeed, the bad online destinations in Canada may well be legitimate web sites that have been hacked by bad actors. In that sense, they’re victims, rather than perps.
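The 1:1 address-to-domain ratio described above can be measured from passive DNS observations. The following is an added example, not code from Trend Micro or the report; the records, domain names and the one-IP threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved IP, day observed).
# Domains use the reserved .example TLD; IPs come from documentation ranges.
OBSERVATIONS = [
    ("static-a.example", "192.0.2.10", 1),
    ("static-a.example", "192.0.2.10", 2),
    ("static-a.example", "192.0.2.10", 3),
    ("static-b.example", "192.0.2.20", 1),
    ("static-b.example", "192.0.2.20", 3),
    ("flux-c.example", "198.51.100.1", 1),
    ("flux-c.example", "198.51.100.7", 1),
    ("flux-c.example", "203.0.113.5", 2),
    ("flux-c.example", "203.0.113.9", 3),
]

def ips_per_domain(observations):
    """Map each domain to the set of distinct IPs it resolved to."""
    seen = defaultdict(set)
    for domain, ip, _day in observations:
        seen[domain].add(ip)
    return dict(seen)

def address_domain_ratio(observations):
    """Distinct IPs divided by distinct domains across the whole set."""
    domains = {d for d, _, _ in observations}
    ips = {ip for _, ip, _ in observations}
    return len(ips) / len(domains) if domains else 0.0

def rotating_domains(observations, max_ips=1):
    """Domains seen on more than max_ips addresses (illustrative threshold).

    The aggregate ratio can hide rotation: many domains parked on one IP
    offset a single domain cycling through many. The per-domain count is
    the signal to review, and legitimate CDNs will also exceed a low
    threshold, so hits need triage rather than automatic blocking.
    """
    per_domain = ips_per_domain(observations)
    return sorted(d for d, ips in per_domain.items() if len(ips) > max_ips)

if __name__ == "__main__":
    print("ratio:", address_domain_ratio(OBSERVATIONS))
    print("rotating:", rotating_domains(OBSERVATIONS))
```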
Frapstar, a Canadian cybercriminal identified last year by Trend Micro, is a good example of what cybercrime looks like north of the border. The lone wolf is a carder, buying and selling dumps of credit card numbers and other PII on forums across the world.
Frapstar is a ‘script kiddie’, said Trend in its analysis of his activities, who knows just enough to actually run the tools. He’s also an amateur, using the same handle both on and offline, posting photographs of his BMW on the Internet, and sharing his Gmail address in public.
Breaking Bad, it ain’t
Carding isn’t nice at all, and causes its victims a lot of grief, but it seems to be about as unpleasant as we get. Trend found no weapons or hitman services for sale in the great polite North, although we do a brisk trade in fake IDs and drugs, both prescription and otherwise.
All this puts Canada in stark contrast to other regions. In the US, for example, the cybercriminal community is even more nakedly capitalist than in other countries, according to Budd.
“Most undergrounds try to keep the information privileged. To get into the underground the buyer or seller has to know someone, like a speakeasy,” he said. “In the US, you have this ‘Walmartification’ of the cybercrime underground. You have people who are looking to sell, who are going to great lengths to make it easy for non-technical people to get on and buy things.”
Over in China, things are even more advanced than in Canada, partly because the underground there has been established for longer, Budd added.
“It’s very organized, and it follows a very hierarchical structure. You don’t have lone wolf threat actors in China.” No Frapstars in Fuzhou, then?
“You have people that essentially sign up to be an apprentice and they work with someone that acts as a mentor and they have specific duties and it’s very structured. That’s very much in contrast with what we see in Canada,” he continued.
How accurate are these studies of regional cybercrime? It’s worth pointing out that just two years ago, Websense (now Forcepoint, following its joint venture with Raytheon) labelled Canada a growing hotbed of cybercrime.
Hosted malware in Canada was up 25%, and there was an 83% increase in C&C hosting, it said. That put it tenth and eighth in the world, respectively, for each type of malicious hosting activity, and Public Safety Canada was said to be fretting about Canada’s increasing role as a source of cybercrime.
Either the amount of malicious hosting has plunged, the measurement techniques differ, or the companies are simply looking at different things. One thing’s for certain: we’re not seeing the same kingpin figures emerging in Canada as we see in the US.
Florida-born Albert Gonzalez stole over 100 million credit cards from firms including TJX and credit card processor Heartland, for example. Canada hasn’t yet produced anyone as nefarious, although there’s always a first time.
Will the state of Canadian cybercrime change? Let’s hope not. No one likes to think of themselves as a cesspool of ne’er-do-wells. If our most notorious cybercriminal continues to be Mafiaboy, then right on, we’re good with that, eh?