The economic downturn is affecting everyone; there’s just not a lot money going around these days. So spare a thought for the criminal – with less money to steal, he has to work harder for his living.
And that is certainly the conclusion to be drawn from Panda Security’s latest report: The Cyber-Crime Black Market: Uncovered. We have already seen in a previous post that complex viruses are being developed and used, probably to run interference for the trojans. By tying up the AV industry’s top engineers in locating, unravelling and disarming these viruses, the online criminals hope to keep the work of their data-stealing trojans operational over a longer period. But just consider the organizational skills that this requires: it’s an underground black market industry that mirrors the organisation of legitimate industry. Whatever you want, you can have: at the market price.
The report comes out of Panda’s decision to have a closer look at the internet’s black market, “to see what kind of services they are selling today,” explained technical director Luis Corrons. “We found that basically it is the same as what’s been going on for years – only now the service is more specialised, and the availability more widespread. In the past they sold things like infection kits, spam services, stolen credit cards; and yes that is still available. But now the criminals are offering far more services. In the past you could buy a number of credit cards; and depending on the amount you buy, the price goes up or down.” This is still available said Corrons, “but now the criminals have started offering guarantees. OK, you can pay, say, $2 for a credit card; but if you want access to a bank account with a certain amount of money guaranteed, you pay more – and you can have that. You can even request bank accounts with more than $80,000 – but to get such credentials you’d have to pay $700.”
Apart from the guarantees, the whole process has become more integrated. “You can buy the credit card details which you can use,” he continued, “and then you can hire additional services so they will take care of and make all the money transfers for an additional fee. Or, let’s say you buy some luxury items with these stolen credit card details – such as a big LCD TV. Well you can’t have it sent straight to your house because obviously the police can track it. No problem. There are people offering to do this for you. You want to buy this – we’ll do it for you, and take care of sending it to your house.”
|From the comfort of an office or bedroom, with a single computer and spurred on by the lack of international legislation or cooperation between countries to facilitate investigations and arrests, cyber-criminals have been making a lucrative living from these activities.|
Corrons even described a site in Russia that offers to provide you with anything you want for just 20% of the usual cost. How? Well FAQs on the site explain that they will use stolen credit cards to buy primarily from US online stores, and let you have the goods for 20% of the cost – which they take from you for their fee. This Russian site only supplies Russian residents, but is indicative of how the black market is evolving.
|Credit card details||From $2-$90|
|Physical credit cards||From $190 + cost of details|
|Card cloners||From $200-$1000|
|Fake ATMs||Up to $35,000|
|Bank credentials||From $80 to 700$ (with guaranteed
|Bank transfers and cashing
|From 10 to 40% of the total $10
for simple account without guaranteed balance
|Online stores and pay
|From $80-$1500 with guaranteed
|Design and publishing of fake
|According to the project (not
|Purchase and forwarding of
|From $30-$300 (depending on the
|Spam rental||From $15|
|SMTP rental||From $20 to $40 for three
|VPN rental||$20 for three months|
Clearly, there is so much money to be made from these activities, even in difficult times, that what Panda is describing is the beginning of a new industry: cloud-based Fraud as a Service.
“In the last two years, we have seen a growing number of new viruses…” Panda’s Luis Corrons explains
Differentiating between one type of malware and another is neither easy nor, ultimately, particularly useful. Nevertheless, there is a temptation to say that the purpose of a virus is to attack and probably harm the target, while the purpose of a Trojan is to steal from the target. In other words, a virus is a weapon and a Trojan is a tool.
The very nature of cybercrime is changing: it is evolving from the indiscriminate carnage wreaked by earlier viruses, into an organised criminal business. It is little wonder then, that by 2005, the number of new viruses (weapons) was being dwarfed by the number of new Trojans (business tools). Figures from Panda’s new report, The Cyber-Crime Black Market: Uncovered (of which more in a later post) show that the generation of new viruses was so small that it had to be included in the ‘other malware’ category. Trojans, however, accounted for nearly half (49%) of all new malware.
Luis Corrons, PandaLabs’ technical director, told me that the latest figures show an even greater dominance of new Trojans, so that by 2010 Trojans account for just about 56% of all new malware. Again, this is not surprising. Trojans are the tool by which cybercriminals extort, steal and fraudulently obtain their income. The surprise, however, is that the virus is showing signs of a recovery: no longer lost within the 10% of other malware, during 2010 it accounted for more than 22% of all new malware.
Why? Why should an uneconomic attack weapon resurface when logic would suggest it continue to decline. I asked Luis Corrons to explain.
“We used to get a lot of viruses in the past; and then everything became Trojans and worms, and there were only a few new viruses,” he said. “But in the last 2 years we have seen a growing number of new viruses appearing; not necessarily many different ones, but many new variants of the same ones.”
The cause remains a mystery. “We often ask ourselves, why should this happen?” His answer is a bit surprising. “The virus is, for us, a really painful process; even though as an industry it’s where we come from. A virus is far more complex to detect than any other threat, such as a Trojan or a worm. In the final analysis,” he continued, “with a Trojan or a worm, the whole file is malicious.”
Viruses are different. “The virus embeds itself into good files, making detection considerably more tricky. But the bottom line for us isn’t just detection; it’s disinfection. And we have to remove every trace of the virus from the file, returning it to a clean state similar to its condition before the infection. This takes a lot of time and is something that we cannot completely automate. So it involves high level engineers spending a lot of time on the problem.”
In short, Corrons is explaining that a disproportionate amount of time and expertise has to be spent on anti-virus rather than anti-Trojan activities. But here’s the anomaly. “Some of the new viruses we are seeing these days are really, really complex and could only be written be very skilled people. But most of these viruses don’t have any Trojan content, so financial gain is not a motivation.”
So, what is the motivation?
“Our guess,” he suggests, “although we don’t have any hard proof of this, is that the trojan criminals are also engaged in the creation of these high level computer viruses so that it takes a lot of our time and resources to prevent us focusing on their real business: Trojans and financial theft. We’ve tried to find a better explanation, but we really cannot.”
And that’s a bit worrying. It suggests that the criminal gangs are more organised, better resourced, and more determined than I for one had realised.