[BreachExchange] The business of malware

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 29 13:56:39 EDT 2017


http://www.itpro.co.uk/security/innovation-at-work/29579/the-business-of-malware

If you think malware is the product of a bunch of hackers hoping to cause
some disruption or make a fast buck, think again. These days, malware is a
mature and growing business – a serious criminal enterprise – involving
networks of developers and criminal organisations. Right now, there are
teams working on new malware kits and exploits with the aim of selling them
on to groups and organisations, so that they can use them for their own
criminal or political ends. This is a global industry worth millions or
even billions of dollars, and one that touches more and more of us every
year.

How, then, do the authors and users of malware make their money? Well, on
the one hand you have the various fraudulent or otherwise criminal ways
that cybercriminals extract money, either from ordinary members of the
public or from businesses and public services. On the other hand, you have
a maturing underground service industry that’s providing products and
cyber-capabilities to other criminals, gangs and even nation states.
Between them, they’ve created a powerful malware ecosystem; one built to
exploit every opportunity in an increasingly connected, always-online world.

Making money from Malware

From ransomware to extortion to advertising rackets and straight-up theft,
there’s no shortage of ways that cybercriminals can put malware to use.

Identity theft and financial crime: While a growing amount of bank account
and credit card theft involves phishing attacks or social engineering,
Trojans, keyloggers and other forms of spyware still played a part in the
£5.4 billion lost in the UK through identity theft every year.
Cybercriminals use these malware tools to recover log-in credentials and
either steal money directly from your bank account or order goods and
services for themselves. They may also use your identity to set up new
loans or credit agreements in your name.

Partner networks and shopping fraud: Here browser hijackers and other forms
of adware continuously direct or redirect you to sites that sell goods or
services. In some cases these are actual stores selling software, services
or actual goods. In other cases, they’re offering counterfeit goods or
incredible but non-existent bargains in the hope of stealing your payment
card information along the way. Either those behind the stores distribute
the malware, or rely on the services of a third-party distributor who gets
paid for the traffic they bring in.

Click fraud: With click fraud the aim isn’t so much to defraud affected
users as to defraud online media and advertising networks. Malware is used
to create a ‘botnet’ of infected PCs, mobile devices or – increasingly –
simpler connected devices such as routers, IP cameras and Internet of
Things (IoT) devices. The bots then ‘click’ on online adverts, boosting
revenue for the blog or website that hosts them. New variants do the same
thing for Twitch channels, with the botnets watching streams to boost a
channel’s cashflow or chatting in a channel’s chat section.

Fake security: In this variant of the classic shoeshine scam, malware or an
infected website informs end-users they have malware, then charges for a
tool to get rid of it. As you might guess, the tool actually includes more
malware, which may be used to infect other systems on the network or for
identity theft.

Extortion: Now we’re onto big-time criminal activity. In some cases,
criminals may create or rent a botnet to unleash a coordinated Distributed
Denial of Service (DDoS) attack on a company, threatening disruption to
their business unless a fee is paid. In other cases they may use malware to
infiltrate a network and steal corporate or personal data, threatening the
business with exposure unless it pays up.

Ransomware: Arguably the biggest growth area in modern malware. Ransomware
infiltrates a system and then blocks access to the system and/or encrypts
vital data. To get their systems and data back again, the company or user
has to pay a fee, which may be anywhere between $100 and $400 (£75 to £300)
for an individual user to several million for a large corporation. A 2015
study by TrustWave claimed that cybercriminals using ransomware could earn
up to $90,000 (£67,000) a month, while 2017 research from Google suggests
that global profits from ransomware had reached $2.5 million (£1.86 million)
per month over the last two years. Hit the right target, and the payout
could be even bigger. In June 2017 Nayana, the South Korean webhost, agreed
to pay a $1 million (£750,000) ransom to unlock its computers.

Malware as a Service

The criminals that put malware to direct use are supported by a
fast-growing industry of hackers and developers that provide malware
services, either through Darknet forums and marketplaces or through
underground websites that, with surprising polish, offer malware and
associated services in the same way that a legitimate business might sell
webhosting or cloud storage. Some even offer after-sales service, helpdesks
and customer support.

Beyond criminals, there’s even evidence that some nations or their security
services pay for malware or hackers’ services, either for espionage or as a
means of disrupting other nations. For instance, it’s widely believed that
the North Korean and Russian governments have sponsored malware used to
attack businesses or utilities in South Korea and the Ukraine.

These services might include:

Ransomware kits: Want to get started in the ransomware racket, but don’t
have the technical skills to build your own? You can buy an off-the-shelf
kit with an easy-to-use dashboard and start your attacks straight away.
Kits might cost anywhere between $175 and $6,000 (£130 to £4500), but
that’s a small investment if you can achieve a $90,000 (£67,000) monthly
turnover. Alternatively, the ransomware creator may simply want a
percentage of the ransom, using affiliate schemes like those used by
legitimate Web businesses. It’s estimated that some schemes, like those
based on the Cerber ransomware family, have netted the original developers
an average of $1 million (£750,000) p.a.

Malware Kits and Exploitkits: Malware developers make a lot of money
developing toolkits for criminal use. Malware Kits come with the files and
instructions needed to package malware in documents or emails. Exploit Kits
are designed to sit on a compromised site or a webserver, then scan any
systems that connect to that server for any vulnerabilities that can be
used to infect that system with malware. Some kits are available for
purchase, while others may be rented, with upgrades and support thrown in,
for hundreds of dollars per month.

Botnet herding: Here, malware is used to create, manage and control
multiple botnets, which the malware service provider can then sell or lease
to interested parties. Many will be used for targeted DDoS attacks,
brute-force hacking attempts, spam distribution or click fraud and Twitch
fraud. Renting out a botnet could bring in anywhere between $200 (£150) and
$2000 (£1500) a month, depending on the number and capabilities of the
bots. At one point Georg Avanesov, mastermind of the Bredolab botnet, was
earning over 100,000 Euros (at the time £80,000) a month.

Malware is a big business with opportunities for massive profits, so it’s
no wonder that the developers, hackers and criminals involved put so much
effort into targeting businesses and individuals and the applications that
they use. It’s also why it’s so important that organisations protect
themselves with the right network and endpoint security strategy; one that
protects their systems against infection and enables them to recover
quickly from attacks. After all, when malware is a growing industry, you
don’t want your business to fuel its growth.