The Rise of Criminal Hacking For Profit
The history of abuse of computer resources is almost as long as the history of computers. The early hacking incidents seem quaint by today's standards. There was little or no damage involved, and much of it was not illegal at the time. Many of the perpetrators were juveniles, and adults do not take juvenile crime seriously.
That has changed. Today, well-organized gangs of professional criminals operate multinational networks that exist to steal, defraud, and otherwise cheat business and individuals. This white paper attempts to explain the business models that make hacking profitable, and to reinforce the need for good security.
An Explosion of Malware
Malicious code that performs unethical or illegal functions is often termed malware. Today, there are more than 500 flavors of the Phatbot Trojan, and hundreds of variants of SDBot. The number of attacks continues to rise, and the quality of the malware involved continues to improve. Why is this happening?
The answer is simple. Attackers have learned how to make money from malicious code. Any police officer will confirm this: if there is money to be made in a criminal activity, more of it will occur. There are numerous profitable, low-risk business models for unethical hackers and programmers. They may be based in the United States, or overseas, but in either case, we have to deal with their handiwork here.
The Business Models
There are several well-understood business models involving malware. The following may not be an exhaustive list, but it covers an impressive array of mischief. The obvious model of identity theft is not covered in this paper.
Spamming
Phishing
Click fraud
DOS extortion
Botnets for hire
Payment card fraud
Malware for sale
Custom malicious software development
Hostile Web Sites
The discussion of business models starts with hostile web servers. While these servers do not generate a profit directly, they are used in a variety of ways in the other business models. Recent news stories have highlighted just how many servers attack the browsers that connect to them. Security company SiteAdvisor found that 5 percent of all Web traffic was with sites that attempted to upload hostile programs to clients, or acted in some other hostile way. If users can be tricked into visiting the hostile sites, their computers are at risk. These sites exploit browser vulnerabilities to infect computers that view their web pages.
Many of these web sites revolve around content that is in some way suspect, such as gambling, hacking, or pornography. That has proved too small an arena for the hackers, however. One way the attackers can get many more visitors to their sites is to compromise legitimate sites and install attack code on their web servers. In December 2005 and January 2006, numerous websites were distributing keystroke loggers using the Windows Media File exploit. The keylogger software was then used to steal credit card information and online banking information. The infection of commercial sites has been an intermittent problem for years.
Spam As a Cash Crop
Spam is the arch enemy of email users and administrators. In days of yore, spammers were able to use one or a few servers to send millions of messages. Spam is so despised that now it's difficult to do that. Investigators will shut down servers, or ISPs will blacklist them. In response, spammers began to use open mail relays. These too were shut down or blacklisted.
Today, spammers often use compromised systems. Spam is sent from networks of thousands of infected computers under the remote control of the spammer (Sage has posted a whitepaper on worms and bots). Make no mistake, this is a criminal activity. The problem is that it is a daunting task to shut down the thousands of computers involved.
Spammers receive checks for leads developed by spam from legitimate and not-so-legitimate marketing companies. It is a profitable enterprise, which is why it continues in the face of so much loathing in the IT community.
Phishing
Wikipedia defines phishing as attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
Phishing encompasses a wide array of tricks and techniques to lure unsuspecting victims into divulging sensitive information (bank account, usernames, and passwords) or into actually transferring money to the phisher. One popular example of phishing is Ebay fraud: millions of emails have been sent to Ebay sellers asking when they will ship the item they have sold to the sender. Included is a link to check on the item.
The link takes the unsuspecting seller to a fake Ebay site, which looks very much like the real thing. The seller is prompted for his user name and password. The fake site captures the seller's logon information, and then forwards him to the real Ebay. The attackers now have control of the Ebay account. They can sell fake items and collect the proceeds, or create other havoc with the account. This trick is also used against Ebay buyers. Unsuspecting buyers have been gulled into purchasing large items such as cars, only to see their money disappear into cyberspace.
The same scheme is used with PayPal accounts and bank accounts. If the attackers can discover the username and password to these accounts, they can (and do) immediately clean the accounts out.
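As an added, defensive illustration (not part of the original paper), this Python check flags message links whose visible text or hostname names eBay or PayPal but whose href lands on a domain those brands do not own, which is the mismatch behind the seller lure described above; the brand table and the sample message are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the lures in the text imitate, mapped to the domains that legitimately own them
# (constructed for this example; extend it for the brands your users deal with).
BRAND_DOMAINS = {"ebay": {"ebay.com"}, "paypal": {"paypal.com"}}

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname: 'signin.ebay.com' -> 'ebay.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html_body):
    """Return (href, text, brand) for each link that names a brand in its text or
    hostname but whose href lands on a domain that brand does not own."""
    p = _AnchorCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.anchors:
        host = urlparse(href).hostname or ""
        for brand, owned in BRAND_DOMAINS.items():
            # 'ebay' buried inside a longer hostname is the classic look-alike trick
            if brand in text.lower() or brand in host:
                if registered_domain(host) not in owned:
                    findings.append((href, text, brand))
                break
    return findings
# Constructed sample imitating the seller lure described above (not a real message).
SAMPLE = ('<p>When will you ship my item?</p>'
          '<a href="http://signin.ebay.com.item-check.example/ws/eBayISAPI.dll">Check on the item at eBay</a>'
          '<a href="https://www.ebay.com/help">eBay Help</a>')
if __name__ == "__main__":
    for href, text, brand in suspicious_links(SAMPLE):
        print(f"{brand}: '{text}' -> {href}")
```

Only the first link is reported: its hostname ends in item-check.example, not ebay.com, while the help link resolves to the brand's own domain.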
Selling Popups
Internet advertising is big business. The Internet Advertising Bureau estimates the market at over 12 billion in 2005. It is no surprise then, that unscrupulous marketers will push the limits of what is acceptable. Browsers can be used to "pop up" new windows that advertise specific products. These pop-ups usually infuriate users, but since the advertisers are paid for ads viewed or clicked on, they are willing to anger millions of users for the revenue generated by the tiny percentage of users that actually click on the ads.
Most browsers now attempt to block pop-up ads, but hackers have several ways to get around this. They can install browser scripts that bypass the pop-up blocker. They can tinker with the browser's internal settings to disable the pop-up blocker.
The offensive approach, and probably the most common now, is to install spyware programs on the victim's computer that pop-up ads whenever a browser is running. The browser doesn't create the pop-ups. Instead, the spyware program on the victim's computer does this. Current spyware is very aggressive, and can be difficult to remove. Several processes run at once, and if one is terminated, the others re-start it. Multiple copies of files are created, and if some are deleted, they are re-installed from backup copies. The last spyware removal this author conducted required booting the computer in safe mode to entirely remove the infection.
Click fraud
One very successful model for Internet advertising is the pay-per-click model, popularized by Google, among others. Every time an advertising link is clicked, the click is counted and the advertiser is charged by the number of clicks they received. Click fraud occurs when a person or (more likely) a program imitates a legitimate user by clicking on an ad, for the purpose of generating an improper charge for the click.
This has the effect of making the targeted advertiser's ads more expensive. This area is the subject of controversy and litigation. While perhaps not as profitable as some of the other models shown here, it is also not as obviously illegal.
Search Engine Modification
Another business model for spyware is to monitor the browser when it uses one of the major search engines (Google, Yahoo!, and the rest). When the search engine results are returned to the victim's computer, the local spyware modifies them before sending them to the browser. The spyware can re-order the results, or insert its own advertisements into them.
One computer game maker who provided 200,000 downloads per year was approached by a spyware company offering them $0.25 per download for the right to install spyware into their game downloads. The spyware would install a search toolbar into his customers' browsers. The search toolbar would then provide preferential results for the spyware company's advertisers. That this is worth $50,000 to a spyware company shows the amount of money involved.
DOS extortion
Denial of service, or DOS, means the interruption of computer services. The hacker business model is extortion. The victims are usually ecommerce or gambling sites, whose revenue depends on being continuously online. The attackers often cause a brief outage, then contact the company demanding a cash payment. If the payment is not received, a more serious attack will occur.
The actual denial of service is caused by flooding the victim's bandwidth with millions of bogus requests. So many bogus requests are sent that the web server can no longer process the legitimate traffic, and business at the attacked site grinds to a halt. Hackers use distributed networks of many thousands of infected computers (botnets) to bombard their target. For more information on botnets, see the Sage whitepaper on them here.
It is hard to get good numbers for how frequently this occurs, because the affected companies don't want the bad publicity that would result if the attacks were made public. The occasional arrests that do occur, and the companies that thrive helping victims survive DOS attacks suggest that it is a regular occurrence. A fascinating account of fighting back against these attacks can be found here.
Another twist on the denial of service attack is cryptovirology. A virus or bot is introduced to the victim's computer, and it encrypts important files. An extortion email is sent to the user, demanding cash in return for un-encrypting the files.
Botnets for hire
Attackers don't always need to commit the crimes themselves. Once they have networks of thousands of bots available, they can rent them out to other hackers. There is a thriving market for hijacked computers, although the SANS Institute reports that the price is dropping because the supply is outrunning the demand.
These botnets can then be used for the various types of marketing, spamming, phishing, and DOS described above.
Payment card fraud
Credit card fraud has been growing, and 2005 was a particularly bad year for the theft of online credit card information. Credit card information can be stolen one card at a time, or en masse. Individual theft often occurs by phishing, or by keyloggers installed on an infected computer. For hackers, the larger target is to steal the information of thousands, or even millions, of credit cards at once. It's been reported that unused stolen credit card numbers sell for 50 cents to a dollar. So the theft of a million cards would represent a small fortune.
The money involved is large enough to attract patient, sophisticated criminals. The hackers can take the time to carefully analyze an intended victim's network, and find any weaknesses in their defenses. Consider a large retailer. Perhaps they have wireless networks in their stores. With a little persistence, it may be possible to get onto the victim's network, and begin reconnaissance. Once on the victim's internal network, finding customer information is a much easier task.
Payment card fraud is a huge and growing problem. Please consider taking steps to protect yourself. Advice from the Federal Trade Commission on how you can protect yourself from payment card fraud can be found here.
Malware for Sale
There are a variety of "standard product" malware variants that can be purchased online. This includes rootkits, keyloggers, bots, and a variety of Trojans and worms. The purchasers of these products are fully aware that they are not legal. Purchasers might include private investigators, spyware vendors, and outright criminals. The cost ranges up to over $1000 per package. Remote control ("backdoor") software is relatively cheap, but packages that hide and evade anti-virus software cost considerably more.
Custom malicious software development
Software developers can make very comfortable (six figure) salaries working for spammers and spyware companies. This may or may not be illegal, but it is certainly difficult to consider it ethical. These companies hire teams to develop code that hijacks browsers, evades pop-up blockers, and circumvents anti-virus and anti-spyware programs. There are financial incentives to develop new exploits that attack common browsers. The trade magazine Computerworld reports in this article that unknown exploits against the Internet Explorer browser are worth $1000 to $5000.
Conclusion
Computer crime has rapidly become more professional and more dangerous. There are a variety of bad things criminals can do with your computers and your personal information. This discussion outlines several of the ways that computers can be used for illegal and unethical gain. In the end, computer security is everyone's responsibility.
We must defend our networks, both at work and at home. If you see phishing attacks, report them to the corporation they are pretending to be, or to www.antiphishing.org. As a consumer, use credit cards, not debit cards, for online purchases. Be aware that computer use has risks. It's a dangerous Internet. Be careful out there.