Update 10.30.2007: Another gem from Scott Berinato. This story covers a website called "loads.cc" (NSFW), which sounds like what you'd get if you crossed Amazon Elastic Compute Cloud (EC2) with the malware industry. Spooky business models from the criminal world.
Most of the time we webappsec people are a world apart from the traditional A/V and malware industry involved in reverse engineering rootkits, creating signatures, taking down botnets, tracking fraud, etc. We read the headline snippets, sure, but don’t really have the time to keep up with what’s happening at ground level. So when Scott Berinato of CIO.com passed along his latest and VERY in-depth three-part article documenting the evolution of the malware industry through infiltrating fraud rings, I was definitely interested. The text is definitely illuminating as it talks about groups such as the Russian Business Network, ShadowCrew, HangUp Team, 76service and others and how they’re turning the industry into “Malware as a Service” (MaaS). Web 2.0 models are for everyone, I guess. I even saw that Hoff got into the action, saying something about how he was thirsty. :)
I pulled out some quotes I thought were particularly thought provoking.
“Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.”
“Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy.”
“Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.”
“When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren’t paying for already-stolen credentials. Instead, 76service sold subscriptions or “projects” to Gozi-infected machines.”
“Some of those account holders managed to make several cash transfers up to $49,000. “They’re playing with limits on fraud,” says Jackson. That is, they know the banks won’t flag 5 transfers under 50 grand, but will flag one $250,000 transfer.”
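The limit-skirting pattern in that quote is what a fraud team would call structuring: no single transfer trips the $50,000 flag, but the cash-out is still happening. The defensive answer is to score transfers in aggregate rather than one at a time. The following is an added example, not code from the article or from this post, that flags an account either on a single transfer at or above the limit or on several transfers that together cross it within a short window. The $50,000 figure comes from the quote; the seven-day window, the account names and the transfer records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-transfer flag threshold taken from the quoted article ($50,000).
SINGLE_TRANSFER_LIMIT = 50_000
# Aggregate threshold and the look-back window are assumptions for this example.
AGGREGATE_LIMIT = 50_000
WINDOW = timedelta(days=7)

# Constructed sample transfers: (account, ISO timestamp, amount in USD).
# acct-1001 structures three transfers just under the limit within a week,
# acct-2002 makes two unrelated transfers weeks apart, acct-3003 sends one big one.
SAMPLE_TRANSFERS = [
    ("acct-1001", "2007-10-01T09:00:00", 49_000),
    ("acct-1001", "2007-10-02T10:30:00", 48_500),
    ("acct-1001", "2007-10-03T11:15:00", 49_900),
    ("acct-2002", "2007-10-01T12:00:00", 12_000),
    ("acct-2002", "2007-10-20T12:00:00", 45_000),
    ("acct-3003", "2007-10-05T08:00:00", 250_000),
]


def parse_transfers(transfers):
    """Parse timestamps and return rows sorted by account, then time."""
    rows = [(acct, datetime.fromisoformat(ts), amount) for acct, ts, amount in transfers]
    rows.sort(key=lambda r: (r[0], r[1]))
    return rows


def flag_transfers(transfers, single_limit=SINGLE_TRANSFER_LIMIT,
                   aggregate_limit=AGGREGATE_LIMIT, window=WINDOW):
    """Return {account: [reason, ...]} for accounts that trip either rule.

    Rule 1: any single transfer >= single_limit (the bank's existing check).
    Rule 2: two or more transfers whose sum >= aggregate_limit inside the
            look-back window, which is what catches the under-limit pattern.
    """
    reasons = defaultdict(list)
    per_account = defaultdict(list)

    for account, ts, amount in parse_transfers(transfers):
        if amount >= single_limit:
            reasons[account].append(f"single transfer {amount} >= {single_limit}")
        per_account[account].append((ts, amount))

    for account, rows in per_account.items():
        start = 0
        # Sliding window over the account's time-ordered transfers.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            total = sum(amount for _, amount in rows[start:end + 1])
            if count >= 2 and total >= aggregate_limit:
                reasons[account].append(
                    f"{count} transfers totaling {total} within {window.days} days")
                break  # one aggregate hit per account is enough to escalate

    return dict(reasons)


if __name__ == "__main__":
    for account, why in flag_transfers(SAMPLE_TRANSFERS).items():
        print(account, "->", "; ".join(why))
```

Run as-is it reports acct-1001 on the aggregate rule and acct-3003 on the single-transfer rule, while acct-2002 stays clean because its two transfers fall outside the window. In a real deployment the window and aggregate limit would be tuned against historical data, and the per-account check would also key on destination accounts, since structured cash-outs commonly fan out to several mule accounts.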
“There are two key tenets underscoring that success: Distributed pain with concentrated gain, and distributed risk.”
“The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel.”
“Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The target financial institutions still treat their crime as acceptable loss. Law enforcement is otherwise occupied. And technical defenses are mere market conditions to adapt to.”