Pwning Your PC -- Worth Up to Thirty Cents!

Link: Computer crime is slicker than you think - Security - CRN Australia.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We're in a world where these guys might as well just incorporate," says David Parry, Trend Micro's Global Director of Security Education. "There's certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we're talking about hundreds of billions of dollars."

"The general dynamics within this market are just like any other business model," says Thomas Holt of the University of North Carolina at Charlotte's Department of Criminal Justice. "You have to offer a good price, you have to be readily able to communicate with your customers, you have to give them reliable products, because nobody's going to buy something if it doesn't quite work like you say it can."

According to Shane Coursen, Senior Technical Consultant at Kaspersky Labs, malware development is easily profitable enough to attract professional talent. "The financial model is absolutely huge. The amount of money that a developer could make at least matches what they can make at a software company. You could even set it up as a legitimate business, reporting earnings and everything."

Go To Market

Holt leads a team of researchers that tracks the online marketplaces where malware developers, brokers, and criminal "service providers" sell their wares. Starting with nothing more than Google searches, they have identified a network of approximately 30 publicly accessible sites of surprising sophistication, with features that rival eBay and Amazon.

The particular marketplaces Holt's team tracks are generally incorporated into hacker community forum sites hosted in Russia, Eastern Europe, and other regions where criminal prosecution and extradition are difficult or impossible.

Prospective sellers post detailed descriptions of their products and services. Those selling malware will often include screenshots, claims about resistance to antivirus or other countermeasures, and penetration capabilities. Those selling stolen account data will often specify the nationality of the account, the bank, the type of account (Visa v. Mastercard, gold v. platinum), and the total value of each account.

In many cases, they will also have complex pricing models, including purchase minimums and volume discounts. At the same time, the seller sends a sample of their product to a forum moderator – a copy of the malware code or a sample of the stolen data – who will then review and test it.

If the moderator finds that the product does not work as advertised or that the data is invalid, they will block the seller from posting; otherwise, they will post a detailed review alongside the seller's product description.

Moderators may also block products or services they consider too risky. VPN services, for example, have been widely turned away by various site moderators after law enforcement tracked down a particularly well-known online gang through their VPN connections.

Prospective buyers are then free to ask detailed questions about the product, and actual buyers will post their own feedback and reviews.

"Thank you for a FreeJoiner, is the best program in its class I have ever seen," wrote a satisfied customer on one of these sites. "Purchased a freejoiner 2 and left very happy," wrote another.

Over time, moderators use their own reviews and customer feedback to track each seller's reputation, and maintain rankings ranging from "Verified Seller" (good) to "Ripper" (bad).

Sites will often develop "blacklists" and "whitelists" to block out or provide quicker access to specific sellers, and a number of "ripper databases" are distributed throughout these communities. (((Imagine being a scumbag so low you're at the top of the ripper database.)))

These "open forum" sites represent only one subset of the cybercrime market; other models may look very different, but can be just as sophisticated. Some malware developers, for example, maintain what amounts to their own channel programs.

"There are programmers who are working for brokers, and the brokers are selling the malware to other criminals, who are then reselling the malware to other criminals," says Trend Micro's Parry. "When they capture a bunch of systems, they resell those systems to another criminal, and another criminal. The actual hacker types don't want to get their hands dirty with something that would actually send them to prison."

Other groups build affiliate networks that tap into legitimate and semi-legitimate businesses. In a presentation at the Defcon hacking conference this year, Peter Gutmann of the University of Auckland's Department of Computer Science described networks in which businesses would pay affiliates up to 30 cents for each machine they infect with spyware or adware...