Cracking open the cybercrime economy

Tom Espiner ZDNet.co.uk

Published: 14 Dec 2007 15:53 GMT

...economic crimes such as fraud, many of the crimes are seemingly small, not warranting police attention.

"The majority of cybercriminals are small players for small dollars and short bursts of traffic," says Telafici. "On the flip side you see the amount of effort and money spent protecting spam relays [as in Storm]. If [security researchers] aren't careful they get DDoSed [hit with a distributed denial-of-service attack] by a chunk of the spam network. That the guys are protecting their turf indicates that in aggregate the amount of money that is changing hands is significant."

Game theory, a branch of applied mathematics that models how adversaries maximise their gains through adapting to each other's strategies, features heavily in security assessments of the black economy. As one player becomes stronger, the other increases its efforts to gain the upper hand.

"I view it as we're locked in a Darwinian power struggle," says Telafici. "As we up the ante, the black economy adjusts to that, and it in turn ups the ante."

Anatomy of the 2007 black economy
Peter Gutmann, a security researcher at the University of Auckland, says that malware distributed via the affiliate model, in which you pay others to infect users with spyware and Trojans, has become more prevalent in 2007.

The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid webmasters six cents per infected site. Since then this has been extended to a "vast number of adware affiliates", says Gutmann. For example, one adware supplier pays 30 cents for each install in the US, 20 cents in Canada, 10 cents in the UK, and one or two cents elsewhere.

Hackers also piggyback malware on legitimate software. According to the researcher, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.

While standard commercial software vendors sell software as a service, malware vendors sell malware as a service, advertised and distributed like standard software. Communicating via internet relay chat (IRC) and forums, hackers advertise iframe exploits, pop-unders, click fraud, forum posting and spam. "If you don't have it, you can rent it here," boasts one post, which also offers online video tutorials. Prices for the same service vary by as much as 100 to 200 percent from site to site, and non-Russian sites are often the more expensive: "If you want the discount rate, buy via Russian sites," says Gutmann.

In March the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to its operators in encrypted form, was between $1,000 (£500) and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts. "You wonder why anyone still bothers burgling houses when this is so much easier," says Gutmann.

Anti-detection vendors sell services to malware and botnet vendors, who sell stolen credit-card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit-card data and pay a premium for verifiably active accounts. "The money seems to be in the middlemen," says Gutmann.

One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, which bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan's server was managed by 76service.com and hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations.

According to the University of Auckland, there are many independent malware developers selling their wares online. Private releases can be tailored to individual clients, and vendors offer support services, often bundling anti-detection. For example, the private edition of Hav-rat version 1.2, a Trojan written by the hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it is detected, it will be replaced with a new copy that is again supposedly undetectable.

Hackers can buy denial of service attacks for $100 (£50) per day, while spammers can buy CDs with harvested email addresses. Spammers can also send mail via spam brokers, handled via online forums such as...
