The Russian underground economy has democratized cybercrime:
If you want to buy a botnet, it’ll cost you somewhere in the region of $700. If you just want to hire someone else’s for an hour, though, it can cost as little as $2—that’s long enough to take down, say, a call center, if that’s what you were in the mood for. Maybe you’d like to spy on an ex—for $350 you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you’re just in the market for some good, old-fashioned spamming—it’ll only cost you $10 for a million e-mails. That’s the hourly minimum wage in the UK. This is the current state of Russia’s underground market in cybercrime—a vibrant community of ne’er-do-wells offering every conceivable kind of method for compromising computer security. It’s been profiled in security firm Trend Micro‘s report, Russian Underground 101, and its findings are as fascinating as they are alarming. It’s an insight into the workings of an entirely hidden economy, but also one that’s pretty scary. Some of these things are really, really cheap. Rik Ferguson, Trend Micro’s director of security research and communications, explains to Wired.co.uk that Russia’s cybercrime market is “very much a well-established market.” He says: “It’s very mature. It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.” Russia is one of the major centers of cybercrime, alongside other nations like China and Brazil (“the spiritual home of banking malware”). Russian Underground 101 details the range of products on offer in this established market—Ferguson says that they can be for targeting anyone “from consumers to small businesses.” He points to ZeuS, a hugely popular trojan that’s been around for at least six years. It creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered within the networks of large organizations like Bank of America, NASA, and Amazon. In 2011, the source code for ZeuS was released into the wild—now, Ferguson says, “it’s become a criminal open source project.” Versions of ZeuS sell for between $200 and $500. Cybercriminal techniques go in and out of fashion like everything else—in that sense, ZeuS is a bit unusual in its longevity. That’s in large part because viruses and trojans can be adapted to take advantage of things in the news to make their fake error messages or spam e-mails seem more legitimate. For example, fake sites, and fake ads for antivirus software, aren’t as popular as they once were because people are just more computer literate these days. Exploits which take advantage of gaps in browser security to install code hidden in the background of a webpage have also become less common as those holes are patched up—but programs which embed within Web browsers still pose a threat, as the recent hullabaloo over a weakness in Java demonstrates. Ferguson points to so-called “ransomware” as an example of a more recent trend, where the computer is locked down and the hard drive encrypted. All the user sees on the screen is that tells them that their local law enforcement authority (so, in the UK, often the Metropolitan Police) has detected something like child pornography or pirated software on their PC, and if they want to unlock it they’ll have to send money to a certain bank account. No payment, no getting your hard drive back. Amazingly, if you pay that “fine,” then you will actually get your information back, says Ferguson. “But you’ve labeled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says. Child pornography and pirated software have been in the news a lot over the past few years, for obvious reasons, and that kind of thing directly influences the thinking of hackers and programmers. Taking the time to adapt these tools to recent trends can be very lucrative. DNSChanger, a popular trojan from 2007 to 2011, would infect a machine and change its DNS settings. When the user went to a webpage with ads on it, that traffic would give affiliate revenue to the scammers. One prominent DNSChanger ring (Rove Digital) was busted in Estonia in 2011—the FBI had been tracking them for six years, and during that time it was estimated that they’d earned around $14 million from this little trick. It also meant that the FBI was left with some critical Web infrastructure on its hands—those infected machines (which included machines at major organizations) could only access the Web through those Rove Digital servers. Months were spent trying to get people to check their computers for infection and ensuring that when those Estonian servers were shut off, it didn’t take down, say, a bank. The most recent trends in cybercrime, though, are very much focused on mobile—particularly Android, Ferguson explains: “We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year. Those threats come from malicious apps—if you want to stay safe, stick to official channels like Google Play, don’t just download from any site. Similarly, there aren’t any malicious iOS apps in the wild, on the App Store, but that only applies to iPhones aren’t jailbroken—downloading from other places puts your phone at risk.” These threats aren’t going away, either. In fact, according to Ferguson, “prices are going down” across the Russian underground: “Let’s not pretend that these people aren’t taking advantage of technology just like normal businesses—improvements in technology are getting faster, and there are things like cloud services which they also use. The bad guys are using technologies to drive down costs in the same way businesses are.” Ferguson cites the recent case of someone claiming to have bought the personal information of 1.1 million Facebook users for only $5 (£3.19) as further evidence of the growing problem of online information leaking into the hands of these cybercrime communities. Hackers and other cybercriminals make it their job to analyze security measures and find ways around them, because that information is where the value lies. While hackers and other cyber criminals can save by buying in bulk, the cost to the individual (or the business) that falls victim to one of these techniques is potentially much higher.