The Russian hacking industry brought in $2.5 billion between mid-2013 and mid-2014, thanks in large part to the Target breach, according to a report released today by Group-IB.
Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that's 10 times more profitable than your average plaintext credit card number.
Also, while financial fraud is still a big earner -- accounting for $426 million -- it's being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million.
All of this is evidence of the growing sophistication of the Russian cybercrime industry. (Group-IB defines this as "the market of computer crimes committed by Russian citizens, by citizens of the [countries in the Commonwealth of the Independent States, created when the Soviet Union was dissolved] and the Baltic states, as well as by citizens of other countries from the former Soviet Union.") As the report describes it:
The market for stolen credit card data in the last 10 years has finally been structured and now features mass automated distribution channels in the form of electronic trading platforms.
Last year, the Target breach was the "main source of stolen credit card details," but soon attacks on point-of-sale may be the new well where the carding marketplace goes. As the report explains:
The market value of a credit card dump is on average 10 times higher than the cost of credit card text details. This is because dumps offer greater opportunities for fraudulent transactions. So, with the dump of a credit card, an attacker can make a physical duplicate of that card and conduct operations in off-line points of sale, buying expensive electronics, luxury goods, medicines and other goods to be subsequently sold in a secondary market. Credit card dumps are stolen with the use of skimming hardware, or by infecting POS terminals with special Trojans (Dexter, BlackPOS, JackPOS, BrutPOS, Alina, etc.).
POS attacks were all the rage this summer, and their popularity is likely to grow.
"POS attacks have a good potential to get worse," says Group-IB CEO Ilya Sachkov. "There is a vast number of vulnerable devices, random infections, targeted attacks, and reluctance of operators to provide the necessary level of protection. The result is big leaks. [Another] important factor is that no one has been prosecuted so far. There is no precedent, therefore there is no reason for a decline, only growth."
These breaches, in particular, are a boon to card traders. The size and growth of the booming carding market was what most surprised Sachkov about the findings.
There are now professional wholesalers who deal in stolen card data. The main supplier of data stolen from compromised credit cards has been "Rescator" -- a.k.a. Helkern, a.k.a. ikaikki, and suspected to be Ukrainian resident Andrey Hodirevski. The wholesalers buying Rescator's wares do quite well for themselves, too. Rescator made roughly $1 million by selling over 150,000 cards to SWIPED, one of the largest online trading platforms; SWIPED itself made $6 million in one year.
Group-IB also notes that Bitcoin has become the currency of choice in the criminal marketplace. "Almost all shops selling credit card data, as well as shops in the shadow Internet selling weapons, drugs and more have switched over to Bitcoin as their method of accepting payments," the report states.
There has also been a "sharp increase" in Russian criminals' attacks on ATMs. From the report:
Attackers now use not only malicious programs capable of stealing credit card details, but also more advanced types of fraud, where the criminals manipulate the amount issued from ATMs or are able to control the dispenser for the ultimate aim of emptying the ATM machines of their cash during maximum load.
Earlier this year, ATMs were plagued by the Ploutus malware, and just last week Kaspersky Lab released details about attackers compromising ATMs with the Tyupkin malware.
"ATM attacks have increased due to [the] emergence of new software and [a] new criminal group that does targeted attacks," says Sachkov. "In addition, ATMs historically were considered very secure, except skimming, therefore banks were not heavily involved in development of protection from such attacks."
The Russian hacking industry also has tidy little businesses in DDoS attacks ($113 million) and the sale of nefarious goods and services like traffic, exploit code, and anonymization ($288 million). Yet what brings in the most bucks is perhaps the least glamorous: spam, which brought in a whopping $841 million. Sachkov says that spamming was always a lucrative business, and that the evolution of spam for Skype, SMS, and voice media is bringing new players into the market.
"The worst news is the increase in number of criminal groups due to the emergence of new ways of theft from individuals by use of mobile devices," says Sachkov. This year also saw the emergence of five new crime groups specializing in mobile bank theft, each of them using its own unique Trojan horse. "In addition, the bad news is that hackers use politics and geography to avoid prosecution."
Yet, it's not all gloom and doom.
"The best news," says Sachkov, "is that we've seen a reduction of theft from legal entities in [the] Russian sector. This essentially means that investigations that were undertaken have proved to be effective.
"The best news for [the] foreign sector is the arrest of Paunch," says Sachkov. "Paunch," the 27-year-old creator of the BlackHole and Cool exploit kits, was arrested last October. Before his arrest, his criminal endeavors were making him over $50,000 per month. "[Paunch's] exploit-kit pack malware was widely used in attacks, including bank theft from customers of banks overseas."