Crimeware Enterprises Mirror Legitimate Businesses

Not too long ago, it would have been extremely far-fetched to imagine buying crime services a la carte. But that’s the dynamic that emerged in 2012 to plague cybercrime victims on both the consumer and corporate end of the spectrum. The black-market infrastructure that supports cybercriminals is increasingly backboned by packaged malware, exploit kits, as well as hacks and fraud as a service. Expect that to continue and evolve in 2013, experts say.

Not too long ago, it would have been extremely far-fetched to imagine buying crime services a la carte. But that’s the dynamic that emerged in 2012 to plague cybercrime victims on both the consumer and corporate end of the spectrum. The black-market infrastructure that supports cybercriminals is increasingly backboned by packaged malware, exploit kits, as well as hacks and fraud as a service. Expect that to continue and evolve in 2013, experts say.

While banking services tumble offline at the whim of hacktivists, or online bank accounts are wiped out by malicious webpages, infected applications or phishing scams carried out over email or SMS, law enforcement investigators and computer security experts inevitably land on a criminal using a pre-packaged concoction of malware bought and managed online by the equivalent of a crimeware service provider.

Security company Fortinet recently released its 2013 Cybercrime Report and in it contained a representative menu of crime services criminals can pick and choose from. The list is varied and scary if you’re a potential victim: Botnet rentals for a cut rate of $535 for five hours a day for one week; Botnet setup services for up to $400; Fast Flux hosting at $3 per month; black hat search engine optimization at $80 for 20,000 spammed links; and infection spreading services going for $100 per 1,000 infections.

“What used to take years, can now be done in hours,” the Fortinet report said.

While some coordinated efforts on the part of technology companies such as Microsoft working in tandem with the U.S. Department of Justice have successfully taken down some high-profile cybercrime gangs—botnets in particular—the resources and organized nature of these cybercrime gangs mean they won’t stay down for long; there’s just too much money to be made.

“Today, as any commercial enterprise, cybercrime has evolved into a complex, highly organized hierarchy involving leaders, engineers, infantry, and hired money mules,” Fortinet said. “Looking from the outside in, there’s little to distinguish cybercrime organizations from any other business.”

Gangs are often structured as legitimate businesses would be. Executives develop a business plan, pay for the infrastructure and remain in business development once operations are under way. Affiliate programs that are charged with recruiting partners whose expertise will build botnets and write malware are the equivalent of middle management. One level down are the criminals who carry out attacks. There are also marketing and promotional efforts, Fortinet said. Most organized gangs build Web portals that market available services or act as recruitment vehicles. R&D divisions work the backend of criminal gangs, putting malware through quality assurance processes before it’s pushed out to buyers.

While most of these gangs operate in Eastern Europe, Russia and China, their success hinges on hosting providers worldwide, including the U.S., that don’t vet what’s being stored or served from their infrastructure. Criminals also need cooperative domain registrars who are equally indifferent as to what’s happening on their machines.

“Closing illegally operating hosts is a difficult task, because oftentimes, the traced malware is tracked to legitimate servers that have unknowingly been compromised. When discovered, threat researchers typically attempt to notify an ISP in question that they’re hosting illegal operations, but, more times than not, those calls for investigation are ignored,” Fortinet said. “Unless it is a very large operation, government resources are often constrained and not available to take down the rest.”

Several successful business models are in play as well. The models include pay-per-click where attackers are paid for traffic generation, or pay-per-install where they’re paid for 1,000 infections. Pay-per-purchase schemes have also been discovered, in particular with fake antivirus or ransomware campaigns.

Criminals usually rent or lease services, rarely giving up source code so as to protect their investments and reduce the chances of being caught by law enforcement. Fortinet said it has seen some botnets such as Zeus go for $3,000, RATs such as Gh0st or Poison Ivy sell for $250, exploit kits for up to $2,000 and packers that hide malware from investigators selling for as little as $10.

Experts generally don’t see this type of organized criminal diminishing in 2013. New malware writers pop up all the time, and they’re continually refining their skills and services offered. Governments, meanwhile, can do little to intervene, largely because of difficulties in extraditing criminals from rogue nations.

“The challenge to stopping the growth of crimeware today is the inability to prevent its manufacturing. Trying to stop the product development process constitutes a never-ending game of cat and mouse,” Fortinet said. “Once made available to the public, malicious software code is incredibly difficult to pull down.”

Suggested articles

Cyberattackers Put the Pedal to the Medal: Podcast

Fortinet’s Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.