By Microsoft
Produced by ST Content Studio
Global cybercrime fighters operating in our backyard
At 5 p.m. Jan. 16, 2020, a prominent cybersecurity social media account tweeted they suspected an executive at a law enforcement agency in the United Kingdom had been the victim of a phishing attack. The victim had received a fraudulent email directing them to a spoofed account login page where criminals tried to steal the individual’s email and password to gain access.
The email didn’t take long to raise suspicions and an investigation was launched.
In fact, the investigation unearthed a significant cybercrime syndicate responsible for over 500 victims globally and losses exceeding $51 million. Sixty-five linked individuals were arrested across the United States, Nigeria, South Africa, Canada and Cambodia.
Getting from email to arrest takes time. It requires collaboration across sectors — public and private. One team that provided the information that aided law enforcement in bringing these criminals to justice sits right here in Redmond.
Microsoft’s Digital Crimes Unit is a specialized team of investigators, analysts, engineers, attorneys and business experts across the globe that has been fighting cybercrime since 2008. A few of their team members provide insight into the current cybercrime landscape, why they do this work and how they spend their days keeping up with — and getting ahead of — the world’s biggest cybercriminals.
What is cybercrime and how worried should I be?
Cybercrime is a booming business. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025.
Attackers are becoming more sophisticated as they continue to develop their tactics. In fact, cybercriminal networks are mimicking corporate enterprises. Criminals take on different roles — extortionists, ransomware developers, phish kit makers — and sell their services and products via marketplaces on the dark web. Known as “cybercrime-as-a-service,” this system is designed to maximize profit and harm. The era of "hacking" for fun or for "street cred" has long passed. Today, it is all about organized crime, or nation state-sponsored activities.
As cybercriminals have become more sophisticated, their international reach has grown with them. Although the United States records the highest number of victims, no country is untouched.
1.27 million unique phishing sites were detected worldwide in Q3 2022. (Statista)
DCU works across time zones to hunt down and disrupt the infrastructure used by cybercriminals. The team investigates the technical methods favored by cybercriminals — such as homoglyph domains, which mimic legitimate website names — and takes legal action against illicit activity. The insights from DCU’s investigations inform criminal referrals to law enforcement and help strengthen the security of cloud services.
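Homoglyph domains, mentioned above, work because a name that is technically different can still read as the legitimate one: a Cyrillic letter standing in for a Latin one, a punycode label that browsers render as Unicode, "rn" in place of "m", a zero for an "o", or a one-letter edit. The defender-side check is to reduce every observed domain to the ASCII string a person would perceive and compare that against the brands you protect. The following is an added example written for this article, not DCU's tooling; the protected list, the candidate domains and the small confusables subset are constructed for the demo (the real Unicode confusables table is far larger), and the verdict labels are this example's own.

```python
"""Flag lookalike domains (homoglyphs, punycode, one-letter edits, embedded brands)
against a list of protected domains.

Added example written for this article; it is not DCU's tooling. The protected
list, the candidate domains and the confusables subset are constructed for the
demo, and the verdict labels are this example's own.
"""
import unicodedata

# Constructed: the brands a defender wants to protect.
PROTECTED = ["microsoft.com", "office.com"]

# Hand-picked subset of visually confusable characters mapped to their ASCII
# lookalike. The real Unicode confusables table is far larger; this is a demo.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u0455": "s",  # Cyrillic ѕ
    "\u0131": "i",  # dotless ı
    "0": "o",       # digit zero for letter o
    "1": "l",       # digit one for letter l
}
# Multi-character sequences that read as one letter in many fonts.
SEQUENCES = (("rn", "m"), ("vv", "w"))


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels to Unicode; leave non-ASCII or malformed input as-is."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a human would perceive it as."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in SEQUENCES:
        text = text.replace(seq, rep)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected=PROTECTED):
    """Return (verdict, protected_domain), or None when nothing resembles a protected brand."""
    cand = to_unicode(candidate).lower()
    sk = skeleton(candidate)
    for p in protected:                       # the domain itself or a real subdomain
        if cand == p or cand.endswith("." + p):
            return ("legitimate", p)
    for p in protected:                       # identical once confusables are folded
        if sk == skeleton(p):
            return ("homoglyph", p)
    for p in protected:                       # one edit away (threshold chosen for the demo)
        if edit_distance(sk, skeleton(p)) <= 1:
            return ("typosquat", p)
    for p in protected:                       # brand name embedded in an unrelated domain
        if p.split(".")[0] in sk:
            return ("brand-embedded", p)
    return None


def scan(candidates, protected=PROTECTED):
    """Return only the candidates that resemble a protected domain without being one."""
    findings = []
    for c in candidates:
        result = classify(c, protected)
        if result and result[0] != "legitimate":
            findings.append((c, result[0], result[1]))
    return findings


if __name__ == "__main__":
    # Constructed observations, e.g. newly registered domains seen in a feed.
    observed = ["mail.microsoft.com", "m\u0456crosoft.com", "rnicrosoft.com",
                "micros0ft.com", "microsofl.com", "microsoft-login.com", "example.org"]
    for domain, verdict, brand in scan(observed):
        print(f"{domain!r:30} {verdict:15} (impersonates {brand})")
```

The skeleton step deliberately over-folds (every "rn" becomes "m", every "1" becomes "l") so that a lookalike cannot slip past by mixing tricks; that makes this a flagging aid for an analyst queue, not a blocklist, and the one-edit threshold for typosquats is a demo setting to tune against your own false-positive rate.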
If cybercrime is booming, how do we fight it?
Multifactor authentication (requiring a generated code in addition to a password) is a must; keep software up to date.
DCU by the numbers
27 malware families, nation state actors and malicious tools disrupted since DCU’s inception.
2,750,000 blocked site registrations in 2022 alone, which bad actors intended to use for global cybercrime and potential harm to customers.
100,000+ domains used by cybercriminals, including over 600 employed by nation-state threat actors, removed to date.
Senior Investigator
Sean Ensz
Ensz’s career began in law enforcement in Oklahoma, doing computer forensics to combat online child exploitation, and then moved on to higher education and corporate organizations, where he managed incident response and forensic teams.
That eventually led to working for the DCU. In his office in Redmond, he spends his days developing threat intelligence on business email compromise actors — a financially devastating crime that uses social engineering to intercept and redirect payments via wire transfers sent by businesses and individuals. He sees firsthand how criminals consider cybercrime to be a profession, just the same way businesses work every day.
These criminals seek out technical training and degrees and they bring this knowledge back to improve their criminal operations.
“Criminal gangs have become very good with social engineering because they are highly organized and well trained, each gaining their own level of expertise,” Ensz says.
At his computer, Ensz can see criminals setting up fraudulent domain names and email addresses to impersonate legitimate people and businesses with the sole purpose of deceiving victims. In his role, he gathers what he finds and shares this information with security and law enforcement partners to aid them in their investigations and to other teams across Microsoft to strengthen security against these threats.
The work is complex, but Ensz says it can be learned through relevant work experiences.
“When I started, there was barely anything practical to be learned in a computer science degree, so I have a nontechnical degree.”
For those who are starting out and want to be successful, he says “passion, learning and being self-directed” are key.
“My experience is that cybersecurity is just more about that passion and to always be willing to evolve and learn beyond what formal degrees and training offer to advance your career.”
The notion 20-30 years ago that the cybercriminal was a lone guy in a basement is no longer valid.
I get into the mindset of trying to predict what they’re going to do next, where they’re going to pivot and who could be their next target.
Attorney
A few doors down from Sean Ensz sits Mia Scavella-Little, an attorney who looks at how the law can be applied to taking down criminal online infrastructure.
“For example, if they are using Microsoft branding in fake phishing emails to deceive victims, that becomes a trademark issue,” she says. “We also go to court to get a restraining order against malicious websites and domains. That allows us to redirect the traffic away from the bad guys.”
Scavella-Little works closely with investigators and engineers to translate complex technical work into a legal argument that can be understood by a judge and the broader public. This was critical in a recent legal action targeting the criminal use of cracked Cobalt Strike, where the filing had to underscore the urgent threat to victims. It enabled DCU, in partnership with cybersecurity company Fortra, to quickly secure a court order and start taking the malicious infrastructure offline.
But Scavella-Little doesn’t just deal with financially motivated cybercrime; her remit covers how Microsoft can take legal action to disrupt the operations of nation-state actors.
“I focus on legal cases where a country is behind the malicious activity,” she says, citing Russia and Iran as two examples. These cases can be particularly challenging because they aren’t clear cut. Nonstate threat actors may act independently or be affiliated with and supported by governments. Cybercriminals also operate in jurisdictions that are hard to reach through legal methods.
Scavella-Little credits her success to her first career as an intelligence analyst focused on counter terrorism work. She likes working in cybersecurity and equates it to putting together a puzzle.
Mia Scavella-Little
I'm trying to find the parts that are important for the cybercriminal to cause harm. Once I find them, I then use those parts against them.
Reverse Engineer
Reverse engineer Rodel Finones is at the Cybercrime Center a few days a month. He spends his days identifying the infrastructure threat actors use and coming up with a way to disrupt it.
“I think of it as dissecting a system, dismantling its parts with the goal to understand how it works,” says Finones.
Finones sees the roots of his reverse engineering skills in his childhood. He grew up in the Philippines and couldn’t always afford to buy new toys. So, he got creative. He took broken ones, dismantled them and tried to guess how they worked. He replaced some of the parts and was able to play with the toys again.
His work at the DCU involves seeking to understand the bad guys themselves — what motivates them, what potential weaknesses they are looking to exploit and how they exploit them. When combating the use of cracked Cobalt Strike, Finones constructed a “crawler” that allowed him to see how operators use the tool to spy on a network, move laterally and encrypt files. As part of this, he was able to see how Microsoft software was also being abused.
Like analyst Jacklynne Sienicki, Finones is excited about how AI will accelerate his work. He is currently exploring how he can use AI to fight cybercriminals by speeding up how he tracks malicious infrastructure.
No day for Finones is the same. “Cybercriminals have improved and evolved and continue to do so,” says Finones. “We do the same. It is the nature and challenge of the work that is incredibly rewarding.”
Rodel Finones
“Unfortunately, cybercriminals are always looking for new opportunities to victimize people.”
Analyst
Jacklynne Sienicki
In the DCU’s “Forensics Lab” — a restricted space for team members to collaborate on cases and actions — sits analyst Jacklynne Sienicki.
As an analyst, Sienicki works with engineering teams to identify and document trends and common methods bad actors use to target victims. When she identifies Microsoft customers impacted, she refers these findings to customer outreach teams who use this information to help victims.
Sienicki was directly involved in the case that led to 65 arrests.
“My role was providing the evidence of account compromise and attribution to identify the individuals behind these attacks. I also helped identify victims that were referred to customer support for victim outreach and remediation.”
As cybercrime evolves, she must evolve her techniques, too.
She is particularly excited about the advances in artificial intelligence and adds that there’s a real benefit it can provide to helping cybersecurity professionals “identify abnormal and malicious patterns of behavior more quickly and at scale.”
“There’s always a new challenge ahead,” says Sienicki. “I’m continuously learning to pivot my skills and it has been my experience that there are limitless opportunities to build these skills at any point in your career in cybersecurity.”
Common targets
The industries most targeted by cybercriminals are, in order:
1. Finance
2. Information
3. Professional
4. Health Care
At Microsoft, we believe in a future where every person has the skills, knowledge and opportunities to achieve more. We’re committed to empowering people, communities and organizations around the globe in our effort to ensure an inclusive economic recovery.
Helpful tips
How you can protect yourself
For Individuals
Practice good cyber hygiene
Protect your inbox: Configure your email systems to flag messages sent from external parties and be wary of auto-forwarding rules.
Be cautious: Carefully read all emails and text messages for the telltale phishing signs – a mismatch in the email addresses, urgency or a suspicious-looking URL.
Only connect to trusted Wi-Fi: Publicly available Wi-Fi means other people can see what’s happening on your system. Cybercriminals take advantage of that. Be sure to use a VPN to make sure your connection is secure.
For Organizations
Require multifactor authentication: This adds a second layer of security to business accounts.
Apply zero-trust principles: Explicitly verify end users and devices before allowing access. Grant access only to those who need the data, and constantly monitor the environment for a possible attack.
Use modern anti-malware: Implement software to detect and automatically block attacks and provide insights to cybersecurity teams.
Keep software up to date: Ensure all firmware, the company’s operating system and applications are running the latest versions.
Meet some of the cybercrime fighters here in Redmond
How collaboration drives greater impact
Critical to DCU’s success fighting cybercrime are the deep relationships the team has built with industry, law enforcement and government. Collaboration enables greater information sharing at scale, which helps speed up the process of identifying bad actors and their methods. While industry can investigate the technical architecture used by criminals and refer cases, it can’t bring criminals to justice. Law enforcement and government can — a necessary step in the fight against cybercrime.
“We are dealing with professional, highly intelligent and well-trained individuals,” says Ensz. “We need to be doing a better job of collaborating on the response and protection side because the criminals are already doing it.”
As cybercrime becomes more complex, DCU explains that we all have a role to play in collectively strengthening our defenses to cyber threats.
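The “Protect your inbox” tip says to be wary of auto-forwarding rules, and the Ensz profile explains the stakes: business email compromise is about intercepting and redirecting payments, and a mailbox rule that quietly forwards or hides invoice-related mail is one way a compromised account gets turned to that end. As an added example written for this article, not Microsoft’s or DCU’s tooling, here is a small audit that walks a mailbox’s rules and reports the ones worth a second look: forwarding to addresses outside the organisation, hiding the original after forwarding, rules that bury payment-related mail, and rules with a blank or one-character name. The rules are constructed; their shape is modelled on what a mailbox API such as Microsoft Graph’s messageRule resource returns (treat that, and the use of folder names rather than ids, as assumptions), and the organisation domain and addresses are invented.

```python
"""Audit a mailbox's inbox rules for the patterns seen in business email compromise:
forwarding to outside addresses, hiding the forwarded copy, and rules that quietly
move or delete anything about invoices or payments.

Added example written for this article; it is not Microsoft's tooling. The rules
below are constructed, their shape is modelled on what a mailbox API such as
Microsoft Graph's messageRule resource returns (an assumption here; real APIs
return folder ids rather than names), and the organisation domain is invented.
"""
import json

ORG_DOMAINS = {"contoso.example"}  # constructed: the organisation's own mail domains
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank"}
HIDING_FOLDERS = {"RSS Feeds", "Deleted Items", "Junk Email", "Archive"}
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")

# Constructed rule list: one benign rule and two that match BEC tradecraft.
SAMPLE_RULES_JSON = """[
  {"displayName": "Newsletters",
   "conditions": {"senderContains": ["news@vendor.example"]},
   "actions": {"moveToFolder": "Newsletters"}},
  {"displayName": ".",
   "conditions": {"bodyContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop-box@mail.attacker.example"}}],
               "delete": true}},
  {"displayName": "Invoices",
   "conditions": {"subjectContains": ["invoice", "wire transfer"]},
   "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}}
]"""


def address_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(actions: dict, org_domains: set) -> list:
    """Addresses any forward/redirect action sends to that are outside org_domains."""
    targets = []
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key, []):
            address = recipient.get("emailAddress", {}).get("address", "")
            if address and address_domain(address) not in org_domains:
                targets.append(address)
    return targets


def finance_keywords(conditions: dict) -> list:
    """Finance-related words the rule matches on in the subject or body."""
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        for phrase in conditions.get(key, []):
            words.update(phrase.lower().split())
    return sorted(words & FINANCE_TERMS)


def audit_rule(rule: dict, org_domains: set = ORG_DOMAINS) -> list:
    """Return human-readable reasons this rule deserves a look (empty list = nothing)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    for address in external_targets(actions, org_domains):
        reasons.append(f"forwards mail outside the organisation to {address}")
    hides = bool(actions.get("delete")) or actions.get("moveToFolder") in HIDING_FOLDERS
    if hides and reasons:
        reasons.append("deletes or hides the original after forwarding")
    keywords = finance_keywords(conditions)
    if hides and keywords:
        reasons.append("hides messages mentioning " + ", ".join(keywords))
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_rules(rules_json: str, org_domains: set = ORG_DOMAINS) -> list:
    """Parse a JSON list of rules and return only the flagged ones with their reasons."""
    findings = []
    for rule in json.loads(rules_json):
        reasons = audit_rule(rule, org_domains)
        if reasons:
            findings.append({"rule": rule.get("displayName", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES_JSON):
        print(f"rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run across every mailbox in a tenant, a report like this is one of the cheapest early signals of a compromised account, because the rule is created before any fraudulent payment request goes out; pair it with the tip to flag external senders, since a forwarding rule and an external lookalike sender often appear in the same incident.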