Botnets Running Rampant

Cybercriminals have created a global business with a supply chain every bit as organized and sophisticated as that of any legitimate business. The difference is that cybercrime takes advantage of unsuspecting consumers and insecure businesses to steal untold amounts of money.

According to security experts and spam fighters speaking at a panel discussion last week at the RSA Conference, the modern, online criminal ecosystem starts with botnets, which are consumer or college PCs that have been taken over by hackers. A cybercriminal can easily go online and buy a bot-herd. In fact, Joe St. Sauver, manager of security programs at the Internet2 networking consortium and the University of Oregon, said there are 5 million to 5.5 million botnets in active rotation at any time.

Of course, cybercriminals need only a few hundred spambots to send out millions of spam e-mails. Today, a cybercriminal can hire programmers to come up with the latest and greatest types of spam, such as image spam or spam put into PDF attachments. Spammers send test runs through ISPs to see what types of spam get through the easiest, said Larry (who refused to disclose his last name) from the spam-fighting SpamHaus Project.

The types of spam include the traditional "ump and dump" stock-manipulation spam, plus spam for a variety of products. Cybercriminals have become so good at it that they use phishing to fool customers into going to a fake pharmaceutical site and actually fulfill orders for drugs so they can get repeat business. Patrick Peterson of Cisco's IronPort division said this means the cybercriminals have a back-end ecosystem that takes orders, boxes up pills (which may or may not be the pills that the customer ordered) and sends a physical order to the customer.

Larry added that it's easy to get a list of e-mail addresses online. It's easy to get a "spam template"  that helps the cybercriminal create the spam message. And there's a program called darkmailer that combines the list of addresses, the spam message and a list of hacked machines. All the cybercriminal has to do is "hit a button," and the program does the rest. "It makes anybody a spammer," he said, adding that he's been fighting spam since he got his first spam message in 1994.

Larry pointed out that cybercriminals are hiring Web designers to create "spamertized" sites, which are the sites that one is redirected to if one clicks on a phishing spam. It's virtually impossible to track those phishing sites because they're usually hosted on a zombie site and the owner is an innocent consumer.

These days, spamertized sites are taken down quickly and are moved constantly, using what Larry called a "fast flux" proxy system. In other words, if the DNS address changes every five minutes, there's no way law enforcement can track down the owner of the phony site.

Larry Baldwin, chief forensics officer at myNetWatchman, said cybercriminals are moving away from targeting individual consumers and are going after larger data stores, using keyloggers to gain information about credit card numbers.

Baldwin said the big banks and credit card companies are well protected, so hackers are going after retailers, small credit unions and banks. He said he's aware of 30 such data breaches in the last two months, most of which have not been reported publicly.

The criminals are able to buy and sell credit card numbers and remanufacture the physical cards. The next step is to lure people into becoming "money mules."

Baldwin pointed out that the cybercriminals know that initiating a bunch of credit card transactions from Eastern Europe would raise a red flag. So, they send spam to somebody in Denver, for example, telling them they can make money working at home. That person uses the phony credit card to make a bogus transaction at a Denver bank, then sends the money to the cybercriminal, still not aware that anything illegal is going on.

"It's a business model as good or better than any corporate business model you'll see," the Internet2's St. Sauver said. And the risk of getting caught is extremely low.

The security experts pointed out that current laws, include the United States' CAN-SPAM Act, are woefully inadequate. And it will only get worse, they said, because millions of unsuspecting victims are just coming online now in such places as Turkey and Morocco, providing more fodder for bot-herding, phishing and other cybercriminal activities.

How much money is being stolen by cybercriminals? No one knows, and no one even knows how to go about coming up with that number, IronPort's Peterson said.

Subscribe to the Security Watch Newsletter

Comments