Cybercrime business includes a complete range of deliverables, from attack tools and methods, consulting, services, advertising, and a myriad of programs that serve as the ‘product’. The more features or the more complex the service offered, the higher the price. A worrying new phrase has entered the lexicon of cybercrime – Crime-as-a-Service (CaaS). While the term is self-explanatory, it more than adequately describes how cybercrime in the 21st Century has become commoditised. Truly, cybercrime is now big business.
CaaS has become a well-oiled machine, built on a wide network of players that each fulfil specific functions. Just as with any other business, there are products and services available to be sold to customers. These include:
- Consulting services such as botnet setup ($350-$400)
- Infection/spreading services (~$100 per 1K installs)
- Botnets and rentals: Distributed Denial of Service (DDoS) ($535 for 5 hours per day for one week), email spam ($40 / 20K emails) and web spam ($2 / 30 posts)
- Crimeware upgrade modules: SpyEye modules, for example, range anywhere from $500 upwards to $10K. SpyEye is a prolific banking botnet that emerged in 2010 and can be upgraded to enable advanced features for money laundering.
The wide range of available services also includes highly specialised ‘Cloud Cracking’, which offers high-performance password cracking at a low cost and significantly reduces the time it takes to uncover strong passwords. Altogether, 300 million attempts, which take about 20 minutes, cost around $17. Cloud Cracking has been around for several years, but Fortinet is seeing a significant increase in the speed offered by these services and a reduced cost. This service is enabled by the distributed computing model, with networks of processors basically providing more horsepower, similar to the SETI project.
Cybercriminals also reap profits by renting or leasing hacking tools to third parties, often for a set price but subject to negotiation, with tools offering more elaborate and evasive features commanding the highest price. Tools for rent can include:
- Botnets: Features include broadcast command and control, keylogging, download and spam. Examples include Zeus/SpyEye ($700 for old version, $3,000 for the new) and Butterfly ($900)
- Simplified botnets: Features include downloading and executing malicious code. Used primarily for rentals/Crime-as-a-Service. Once grown, operators will charge about $100 to load malicious software on 1,000 machines. The cost of simplified botnet code starts as low as $50
- Remote Access Trojans (RATs): Features include targeted attacks, with screen shot and webcam feed capabilities. Examples include Gh0st Rat, Poison Ivy and Turkojan ($250)
- Exploit Kits: Enables exploiters to attack users via Websites. Examples include Black Hole, GPack, MPack, IcePack and Eleonor ($1K-$2K)
- Crypters, Packers and Binders: Allows an attacker to obfuscate binary code, piggyback code and generally avoid detection ($10-$100)
- Source code: This is generally free and available to anyone through well-known kits posted on underground forums. It can be leaked from private/controlled versions of code in a case where hackers attack hackers. Source code is the root of all malicious code that exists today and a big reason why new threats keep coming up. It can be copied, modified and molded into a new threat with relative ease. One example is Zeus, which has had manifold modifications since its release (and new variants continue to appear) due to the ease of access to the source code and the amount of documentation that exists describing how to modify it.
In order to manage such a complex and comprehensive offer to their marketplace, cybercrime syndicates have organised themselves, defining hierarchical structures with roles up and down the command chain:
The executive suite
The organisation’s ‘executives’ make decisions, oversee operations, and ensure that everything runs smoothly. Just as with legitimate enterprises, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the ‘dirty work’ to the infantry and are no longer involved with launching attacks.
The recruiters are crucial to the organisation. Larger organisations will actively recruit and manage others (the infantry) to infect machines for them.
Large-scale operations have recruiters that typically set up recruitment programs (these are known as affiliate programs), which are funded by the cyber criminal network executives.
At the bottom of the chain of command are the infantry. These are the ground-level forces that initiate the actual infection on a user’s machine. There are a number of ways infantry can infect a person’s computer including, but not limited to, email links, Search Engine Optimisation attacks, poisoned PDFs, and compromised websites. Cyber criminals also leverage social networking links, malicious websites, and poisoned media such as Flash and QuickTime.
Crimeware syndicates, in order to survive, must possess a comprehensive business model and monetisation strategy because even an illegal company needs to ‘pay the bills’ in order to function on a day-to-day basis. One such example is the ‘pay-per-click’ model, where a payout is given to a member of the infantry for traffic generation to an advertisement site. This is generally done through malware installed on a system, which receives commands on the sites to go to, and the advertisements to click on.
Revenue for those advertisements is given back to the malware author. There’s also a ‘pay-per-install’ model in which payout is given to infantry when machines are infected with software, usually by batches of one thousand.
Another model, known as ‘pay-per-purchase’ rewards members of the infantry when infected users purchase fake software, fake antivirus or fake products such as counterfeit pharmaceuticals. Fake antivirus works by scaring the victim into thinking their machine is infected and needs to be cleaned by a product offered by criminals. The victim will typically pay between $50 and $100 for the privilege of removing the scareware. The affiliate gets paid a handsome commission on this purchase, typically 40% or higher. Ransomware, which actually encrypts data on an infected user’s machine, is a new trend. This type of malware uses the pay-per-purchase business model and charges victims a fee to get their data back (typically $100 USD).
How to combat cybercrime
In order to fight cybercrime efficiently, it would be necessary to eradicate the affiliate programs that pay out to the thousands of ‘infantry’ who do the dirty work. Without the money, fewer ‘infantry’ would be available and thus the incidence of cybercrime would be significantly reduced. Global participation is also important. We need an international body that can mediate and share information about cybercrime trends and which would involve public and private organisations. A good example is FIRST (Forum of Incident Response and Security Teams), which brings together a variety of computer security incident response teams from government, commercial, and educational organisations to foster cooperation and promote information sharing. Unfortunately, many attacks are handled outside this forum. In the meantime, organisations need to proactively defend themselves by adopting a multi-layered security strategy and regularly conducting audits of their digital assets and assessments of potential security flaws.
(Read more about cybercrime evolution and organization in the Fortinet 2013 Cybercrime Report.)