[BreachExchange] 'Distributed Cybercrime' Is Making Attackers Multi-Millionaires

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 5 19:09:37 EDT 2017


http://www.cxotoday.com/story/distributed-cybercrime-is-
making-attackers-multi-millionaires/

Ransomware and banking Trojans dominate the cybercrime mainstream today,
and their technical operations are heavily analyzed. But little attention
has been given the business model which plays a large role in dictating
their behavior, targets and tactics.

A revolutionary concept in cybercrime is what I call “distributed
cybercrime,” a business model in which cybercriminals attack many victims
in the same campaign. Like many other inventions now common in modern life,
distributed cybercrime may seem trivial today. But this concept emerged
little more than a decade ago and has already dominated the threat
landscape.

Improved ROI and the support of a newly erected “dark industry” has made
distributed cybercrime the hottest trend in cybercrime. Most of the
professional cybercriminal groups today develop malware with a distributed
business model, then use professional platforms, distribution services and
infection experts to attack the world. They don’t know who their victims
are nor do they care. They’re not looking to get points on style. They’re
just businessmen who built the perfect, automated money-making machine.

6 Reasons Why Cybercriminals Love the New Business Model

Beginning in 2006, innovations in malware, banking Trojans and ransomware
created a new type of business model for cybercriminals: rather than
concentrating all their efforts on penetrating high-quality targets, they
can steal small amounts of money from numerous victims.

The business model of distributed cybercrime has made some attackers
multi-millionaires in a short amount of time due to its many business
benefits:

1.       Attacks require less effort as they target “low-hanging fruit”
(i.e., individuals or organizations with sub-par security)

2.       Attack skill level is low compared to techniques such as
spear-phishing – regular ol’ phishing is good enough for weak targets

3.       Highly coveted zero-day vulnerabilities are no longer required for
profitable attacks – mainstream CVE vulnerabilities with known exploits and
existing patches will do, as many victims don’t patch regularly

4.       Any standard endpoint is a potential source of revenue, making
lateral movement toward the crown jewels irrelevant

5.       When you attack the world, the sky is the limit – the amount of
potential revenues is endless

6.       Less effort and more profit means better ROI

Mass Distribution, Victim Profiling and Outsourcing

The new business model presented new challenges for cybercriminals. If you
want to become filthy rich through distributed cybercrime, you can’t just
attack 100 victims – you need to attack hundreds of thousands of victims.
This drove professional cybercriminals to build mass-distribution platforms
to spread their malware and automated-infection systems to exploit victims’
machines and run the malware.

But quantity of traffic is not enough. Victims must fit a desirable
profile. Cybercriminals want to avoid targeting low-income victims with
ransomware as they’re probably less able to pay the ransom, and the
ransomware’s language should match the victims’ language to ensure
instructions on purchasing bitcoin and paying the ransom are understood.
Mass distribution experts and traffic dealers offer their shady customers
this very type of targeted services.

In addition to victim-specific traffic, infection services are also up for
sale (or more commonly, for rent). Rather than coming up with new or unique
exploits, pre-packaged exploit kits are readily available to launch the
attack of your choosing. These kits supply the distribution and traffic
services mentioned above, use the best exploit available to infect victims’
machines and, if successful, run the customer’s malware. The exploit kit
method essentially outsources distribution and infection to reliable,
high-quality service providers at an affordable price.

Where Have All the Targeted Attackers Gone?

You may ask yourself: what happened to targeted attacks? The answer:
absolutely nothing (and thank you for asking). In fact, targeted attacks
today are easier than ever, as demonstrated by cyber attackers who do care
about the identity of their victims (like nation-states). Targeted attacks
did not disappear - they’ve only been eclipsed by the attractiveness of the
ROI of distributed attacks. Only when the profitability of targeted attacks
can compete with the distributed cybercrime business model will we see
their rise to prevalence again.

There are initial signs that cybercriminals are testing targeted attacks
with malware more commonly used for distributed attacks, as evidenced by
recent ransomware attacks on high-quality targets such as hospitals and
hotels. The problem comes back to ROI: while cybercriminals demanded up to
$5M ransom from one victim, the highest ransom paid by a single victim (as
far as we know) was a meager $28K.

The Next Big Thing

What’s next for the innovative cybercriminal? My prediction: a hybrid
business model with tailored ransom pricing. Imagine a mass-distribution
platform doling out ransomware on a global scale that, when executed, will
assess the victim’s environment. If that environment is a consumer’s
machine, the calculated ransom will be relatively low; if it’s an
enterprise network, considerably higher; if it’s critical infrastructure,
astronomical.

Whatever the next big thing is in cybercrime, you can be sure it will be
driven by ROI – nothing dictates the dark industry more than these three
simple letters.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170405/23d168dc/attachment.html>


More information about the BreachExchange mailing list