Risk
11/4/2013
10:08 PM
50%
50%

Dark-Side Services Continue To Grow And Prosper

Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible

In 2005, police in Morocco and Turkey arrested two men connected with the Zotob worm -- the 18-year-old creator of the worm and the 21-year-old man who paid him to develop the code.

The transaction is one of the earliest cases of for-hire criminals services. Since then, such services have proliferated, and cybercrime has become a much larger issue. One measure of the problem: The number of malware variants has skyrocketed, more than quadrupling from 2006 to 2007, and growing to 403 million variants in 2011, according to data from Symantec, which no longer publishes the number.

Such growth is powered by the evolution of specialized services in the cybercriminal marketplace, according to Grayson Milbourne, security intelligence director at software security firm Webroot.

"The mature cybercrime-as-a-service market has empowered novice criminals with all the tools necessary to launch their own campaigns," he says. "As the prices for services are very inexpensive, cost is not a disincentive."

In many ways, the evolution of online criminal services has mirrored, and even predated, such services in the legitimate business world. Companies adopt cloud offerings for a variety of different reasons: The services remove many of the up-front costs of deploying an application, offer better support than in-house IT groups, and are better able to deal with complex deployments than a firm's IT staff. Often such services are just faster, more user-friendly, and allow the provider to sell off excess capacity.

Cybercrime services are adopted for similar reasons. A leased botnet can replace a criminal's technical nightmare of deploying and maintaining a large network of compromised PCs. Financial and identity information, which is so voluminous that data thieves typically cannot use a fraction of their take, can be sold rather than sitting on a server collecting virtual dust. And denial-of-service attacks can be delivered within minutes of being bought.

"It is just a matter of finding new ways to monetize the access that they already have or they will potentially get in the future," says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat. "The driver for these groups is monetization and trying to extract every bit of money they can out of these systems."

The variety of services offered is dizzying. Some underground providers focus on malware-as-a-service, while others have branched out into mobile malware. Similarly, some groups sell denial-of-service attacks, while others focus on flooding phones with SMS messages to circumvent some financial institution's two-factor authentication mechanisms. Some services lease botnets; others pay a bounty for every computer compromised. Personal information, credit-card details, and lists of millions of e-mail addresses are all up for sale.

[DDoS attacks of more than 10 Gbps now happen several times a day across the globe, study says. See Report: DDoS Attacks Getting Bigger, Faster Than Ever.]

The groups behind the Cutwail botnet, also known as Pushdo, for example, may have occasionally paid as much as $15,000 to maintain the botnet's low-six-figure size, but likely made $1.7 million to $4.3 million over nearly two years, according to a 2011 paper (PDF) written by a group of academic security researchers.

In a whitepaper published in September, security firm McAfee found that prices for credit-card information ranged from about $15 for a U.S.-based victim without the PIN to $250 for a premier credit-card with the PIN and a hefty balance.

Gaining access to such services is no longer as onerous as it once was, says Raj Samani, McAfee's chief technology officer for Europe, Middle East, and Africa, and co-author of the McAfee paper. In the past, criminals groups required customers to have a reputation in the underground. Today, however, anyone with a credit ard or WebMoney account can buy services, Samani says.

"What really shocked me -- more than how the services have evolved -- is that in the past, you had to know someone to get access," he says.

In another sign of the maturing marketplace, the underground providers are also taking the service side seriously, offering support, updating malware, and, in some cases, giving refunds.

"Some of these information brokers give refunds when they cannot find the information you've asked for," says Alex Holden, chief information security officer of Hold Security, a security consultancy.

In the end, the evolution of the cybercriminals' business model makes attacks more efficient, gives greater access to less technically inclined criminals, and allows anyone to gain the advantage of more tech-savvy developers, says Webroot's Milbourne.

"It is leading to a less secure world," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.