Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:08 PM

Dark-Side Services Continue To Grow And Prosper

Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible

In 2005, police in Morocco and Turkey arrested two men connected with the Zotob worm -- the 18-year-old creator of the worm and the 21-year-old man who paid him to develop the code.

The transaction is one of the earliest cases of for-hire criminals services. Since then, such services have proliferated, and cybercrime has become a much larger issue. One measure of the problem: The number of malware variants has skyrocketed, more than quadrupling from 2006 to 2007, and growing to 403 million variants in 2011, according to data from Symantec, which no longer publishes the number.

Such growth is powered by the evolution of specialized services in the cybercriminal marketplace, according to Grayson Milbourne, security intelligence director at software security firm Webroot.

"The mature cybercrime-as-a-service market has empowered novice criminals with all the tools necessary to launch their own campaigns," he says. "As the prices for services are very inexpensive, cost is not a disincentive."

In many ways, the evolution of online criminal services has mirrored, and even predated, such services in the legitimate business world. Companies adopt cloud offerings for a variety of different reasons: The services remove many of the up-front costs of deploying an application, offer better support than in-house IT groups, and are better able to deal with complex deployments than a firm's IT staff. Often such services are just faster, more user-friendly, and allow the provider to sell off excess capacity.

Cybercrime services are adopted for similar reasons. A leased botnet can replace a criminal's technical nightmare of deploying and maintaining a large network of compromised PCs. Financial and identity information, which is so voluminous that data thieves typically cannot use a fraction of their take, can be sold rather than sitting on a server collecting virtual dust. And denial-of-service attacks can be delivered within minutes of being bought.

"It is just a matter of finding new ways to monetize the access that they already have or they will potentially get in the future," says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat. "The driver for these groups is monetization and trying to extract every bit of money they can out of these systems."

The variety of services offered is dizzying. Some underground providers focus on malware-as-a-service, while others have branched out into mobile malware. Similarly, some groups sell denial-of-service attacks, while others focus on flooding phones with SMS messages to circumvent some financial institution's two-factor authentication mechanisms. Some services lease botnets; others pay a bounty for every computer compromised. Personal information, credit-card details, and lists of millions of e-mail addresses are all up for sale.

[DDoS attacks of more than 10 Gbps now happen several times a day across the globe, study says. See Report: DDoS Attacks Getting Bigger, Faster Than Ever.]

The groups behind the Cutwail botnet, also known as Pushdo, for example, may have occasionally paid as much as $15,000 to maintain the botnet's low-six-figure size, but likely made $1.7 million to $4.3 million over nearly two years, according to a 2011 paper (PDF) written by a group of academic security researchers.

In a whitepaper published in September, security firm McAfee found that prices for credit-card information ranged from about $15 for a U.S.-based victim without the PIN to $250 for a premier credit-card with the PIN and a hefty balance.

Gaining access to such services is no longer as onerous as it once was, says Raj Samani, McAfee's chief technology officer for Europe, Middle East, and Africa, and co-author of the McAfee paper. In the past, criminals groups required customers to have a reputation in the underground. Today, however, anyone with a credit ard or WebMoney account can buy services, Samani says.

"What really shocked me -- more than how the services have evolved -- is that in the past, you had to know someone to get access," he says.

In another sign of the maturing marketplace, the underground providers are also taking the service side seriously, offering support, updating malware, and, in some cases, giving refunds.

"Some of these information brokers give refunds when they cannot find the information you've asked for," says Alex Holden, chief information security officer of Hold Security, a security consultancy.

In the end, the evolution of the cybercriminals' business model makes attacks more efficient, gives greater access to less technically inclined criminals, and allows anyone to gain the advantage of more tech-savvy developers, says Webroot's Milbourne.

"It is leading to a less secure world," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.