Risk
11/4/2013
10:08 PM
50%
50%

Dark-Side Services Continue To Grow And Prosper

Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible

In 2005, police in Morocco and Turkey arrested two men connected with the Zotob worm -- the 18-year-old creator of the worm and the 21-year-old man who paid him to develop the code.

The transaction is one of the earliest cases of for-hire criminals services. Since then, such services have proliferated, and cybercrime has become a much larger issue. One measure of the problem: The number of malware variants has skyrocketed, more than quadrupling from 2006 to 2007, and growing to 403 million variants in 2011, according to data from Symantec, which no longer publishes the number.

Such growth is powered by the evolution of specialized services in the cybercriminal marketplace, according to Grayson Milbourne, security intelligence director at software security firm Webroot.

"The mature cybercrime-as-a-service market has empowered novice criminals with all the tools necessary to launch their own campaigns," he says. "As the prices for services are very inexpensive, cost is not a disincentive."

In many ways, the evolution of online criminal services has mirrored, and even predated, such services in the legitimate business world. Companies adopt cloud offerings for a variety of different reasons: The services remove many of the up-front costs of deploying an application, offer better support than in-house IT groups, and are better able to deal with complex deployments than a firm's IT staff. Often such services are just faster, more user-friendly, and allow the provider to sell off excess capacity.

Cybercrime services are adopted for similar reasons. A leased botnet can replace a criminal's technical nightmare of deploying and maintaining a large network of compromised PCs. Financial and identity information, which is so voluminous that data thieves typically cannot use a fraction of their take, can be sold rather than sitting on a server collecting virtual dust. And denial-of-service attacks can be delivered within minutes of being bought.

"It is just a matter of finding new ways to monetize the access that they already have or they will potentially get in the future," says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat. "The driver for these groups is monetization and trying to extract every bit of money they can out of these systems."

The variety of services offered is dizzying. Some underground providers focus on malware-as-a-service, while others have branched out into mobile malware. Similarly, some groups sell denial-of-service attacks, while others focus on flooding phones with SMS messages to circumvent some financial institution's two-factor authentication mechanisms. Some services lease botnets; others pay a bounty for every computer compromised. Personal information, credit-card details, and lists of millions of e-mail addresses are all up for sale.

[DDoS attacks of more than 10 Gbps now happen several times a day across the globe, study says. See Report: DDoS Attacks Getting Bigger, Faster Than Ever.]

The groups behind the Cutwail botnet, also known as Pushdo, for example, may have occasionally paid as much as $15,000 to maintain the botnet's low-six-figure size, but likely made $1.7 million to $4.3 million over nearly two years, according to a 2011 paper (PDF) written by a group of academic security researchers.

In a whitepaper published in September, security firm McAfee found that prices for credit-card information ranged from about $15 for a U.S.-based victim without the PIN to $250 for a premier credit-card with the PIN and a hefty balance.

Gaining access to such services is no longer as onerous as it once was, says Raj Samani, McAfee's chief technology officer for Europe, Middle East, and Africa, and co-author of the McAfee paper. In the past, criminals groups required customers to have a reputation in the underground. Today, however, anyone with a credit ard or WebMoney account can buy services, Samani says.

"What really shocked me -- more than how the services have evolved -- is that in the past, you had to know someone to get access," he says.

In another sign of the maturing marketplace, the underground providers are also taking the service side seriously, offering support, updating malware, and, in some cases, giving refunds.

"Some of these information brokers give refunds when they cannot find the information you've asked for," says Alex Holden, chief information security officer of Hold Security, a security consultancy.

In the end, the evolution of the cybercriminals' business model makes attacks more efficient, gives greater access to less technically inclined criminals, and allows anyone to gain the advantage of more tech-savvy developers, says Webroot's Milbourne.

"It is leading to a less secure world," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?