It was widely reported last month that hackers based in Eastern Europe had used a new version of the renowned Zeus trojan to siphon £675,000 from a major UK bank.
Malware such as Zeus is available for cyber criminals to buy on the internet, but there is more to it than typing “trojan purchase” into Google. Various forums exist for hackers to share ideas and sell their products and services. But membership of these forums is by invitation only – first the would-be cyber criminal must become trusted, and prove they are not involved in law enforcement.
“Cyber criminals put a high price on the level of trust they have with the people they do business with,” said Nicholas Percoco, senior vice president at Spiderlabs. “In the business world, we don’t care who buys our software, the more the merrier. But criminals from the underground world won’t do business with just anybody.”
Once trusted, cyber criminals have access to an array of sophisticated services in a format similar to any professional e-commerce site.
“Hackers have very sophisticated shopping centres, much like any other e-commerce web site,” said Avivah Litan, security analyst at Gartner. “They are very well structured. Products include the Trojan itself, the kit, control servers, drop points, time-sharing services; it’s very well organised. It’s a thriving market and you need the right credentials to get in.”
The ultimate business model?
Cyber criminal groups have become increasingly sophisticated and well funded in recent years. In some ways, they operate business models that legitimate businesses could do well to emulate, as Litan explains.
“They’re much better organised than the companies they are attacking. The hackers aren’t hamstrung by large bureaucracies, lots of rules, paperwork and red tape. They don’t have long buying decision cycles, they don’t have to go through procurement committees,” she said.
When a bank decides to purchase a security product, many departments will get involved. These could include various groups within IT, legal and procurement.
“The buying cycle in a bank for IT could be a year to 18 months. It takes them a lot longer to defend themselves than it takes the crooks to attack them,” said Litan. Often, cyber criminals will commission malware for an attack on a specific system, and they can find the skilled resource they need from these secure forums.
“There are development teams that are paid by the criminals to create the software. It’s another business world,” said Percoco. “You have software developers who are given the product development requirements from the criminals, they then code it and deliver the completed product.”
Percoco gave an example of a criminal organisation deciding to target a particular make and model of ATM.
“They may reach out to find developers who have previously worked for an ATM manufacturer. They’ll commission them, then define what they want the malware to do. Sometimes it’s more than a one-time transaction. The malware often evolves over time. We’ve seen as many as a dozen iterations of a piece of software, where each new version has additional features and functionality,” he said.
Percoco explained that the development model for cyber criminals was no different from that for enterprises.
“Developers will be actively improving the software. They’re fixing bugs and adding features requested by the criminals they’re working for. It’s the same model as developers writing legitimate applications,” he said.
Once criminals have taken delivery of the malicious code, they need a platform from which to launch their attack. Rather than invest in infrastructure themselves, cyber criminals again purchase these services from black e-market sites.
“You can buy time-sharing on botnets,” Litan explained. “You’ve bought the attack, now you want to launch it. You rent time on a botnet where you put your attack, so now you have a ready infrastructure, meaning you don’t need to set up your own computers to launch it, it’s all set up for you. It’s basically a cloud service.”
The final step in the chain is to rent drop-off points, where data is dropped once credentials have been stolen. “The data goes to servers on a botnet, and you get the rights to whatever comes in that week,” said Litan.
Litan claimed a typical cyber criminal organisation will pay about £9,500 for the malware and other services, and can expect a typical return on investment of something like £650,000. “I wish my stocks did so well!” she added.