Dark-Side Services Continue To Grow And Prosper

Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible

4 Min Read

In 2005, police in Morocco and Turkey arrested two men connected with the Zotob worm -- the 18-year-old creator of the worm and the 21-year-old man who paid him to develop the code.

The transaction is one of the earliest cases of for-hire criminals services. Since then, such services have proliferated, and cybercrime has become a much larger issue. One measure of the problem: The number of malware variants has skyrocketed, more than quadrupling from 2006 to 2007, and growing to 403 million variants in 2011, according to data from Symantec, which no longer publishes the number.

Such growth is powered by the evolution of specialized services in the cybercriminal marketplace, according to Grayson Milbourne, security intelligence director at software security firm Webroot.

"The mature cybercrime-as-a-service market has empowered novice criminals with all the tools necessary to launch their own campaigns," he says. "As the prices for services are very inexpensive, cost is not a disincentive."

In many ways, the evolution of online criminal services has mirrored, and even predated, such services in the legitimate business world. Companies adopt cloud offerings for a variety of different reasons: The services remove many of the up-front costs of deploying an application, offer better support than in-house IT groups, and are better able to deal with complex deployments than a firm's IT staff. Often such services are just faster, more user-friendly, and allow the provider to sell off excess capacity.

Cybercrime services are adopted for similar reasons. A leased botnet can replace a criminal's technical nightmare of deploying and maintaining a large network of compromised PCs. Financial and identity information, which is so voluminous that data thieves typically cannot use a fraction of their take, can be sold rather than sitting on a server collecting virtual dust. And denial-of-service attacks can be delivered within minutes of being bought.

"It is just a matter of finding new ways to monetize the access that they already have or they will potentially get in the future," says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat. "The driver for these groups is monetization and trying to extract every bit of money they can out of these systems."

The variety of services offered is dizzying. Some underground providers focus on malware-as-a-service, while others have branched out into mobile malware. Similarly, some groups sell denial-of-service attacks, while others focus on flooding phones with SMS messages to circumvent some financial institution's two-factor authentication mechanisms. Some services lease botnets; others pay a bounty for every computer compromised. Personal information, credit-card details, and lists of millions of e-mail addresses are all up for sale.

[DDoS attacks of more than 10 Gbps now happen several times a day across the globe, study says. See Report: DDoS Attacks Getting Bigger, Faster Than Ever.]

The groups behind the Cutwail botnet, also known as Pushdo, for example, may have occasionally paid as much as $15,000 to maintain the botnet's low-six-figure size, but likely made $1.7 million to $4.3 million over nearly two years, according to a 2011 paper (PDF) written by a group of academic security researchers.

In a whitepaper published in September, security firm McAfee found that prices for credit-card information ranged from about $15 for a U.S.-based victim without the PIN to $250 for a premier credit-card with the PIN and a hefty balance.

Gaining access to such services is no longer as onerous as it once was, says Raj Samani, McAfee's chief technology officer for Europe, Middle East, and Africa, and co-author of the McAfee paper. In the past, criminals groups required customers to have a reputation in the underground. Today, however, anyone with a credit ard or WebMoney account can buy services, Samani says.

"What really shocked me -- more than how the services have evolved -- is that in the past, you had to know someone to get access," he says.

In another sign of the maturing marketplace, the underground providers are also taking the service side seriously, offering support, updating malware, and, in some cases, giving refunds.

"Some of these information brokers give refunds when they cannot find the information you've asked for," says Alex Holden, chief information security officer of Hold Security, a security consultancy.

In the end, the evolution of the cybercriminals' business model makes attacks more efficient, gives greater access to less technically inclined criminals, and allows anyone to gain the advantage of more tech-savvy developers, says Webroot's Milbourne.

"It is leading to a less secure world," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights