A lone hacker is earning between $US60,000 and $US100,000 per month by using an automated attack tool to send around one million spam emails a day, according to researchers from security firm Trustwave.
The emails contain links to bogus products and services. Some recipients respond and send money, which is directed back to the hacker.
The hacker is using the RIG exploit kit to infect computers, Trustwave researchers said.
Exploit kits are attack tools commonly traded on underground online black markets that let criminals, who may not have strong computer skills, mount cyber attacks.
Trustwave researchers reported detecting a growth in the number of RIG exploit kit infections in a threat advisory, noting that the attack tool is being used to infect over 27,000 computers per day.
The rise in infections happened after the creator of RIG released an upgrade for the attack tool. Trustwave said the majority of the attacks are spreading malware.
“Generally speaking, RIG 3.0 customers deliver various payloads through RIG, each depending on a specific customer, but the distinct top payload delivered here is the Tofsee spambot,” read the threat advisory.
A spambot is a form of malware that enslaves victim computers and forces them to send spam messages. Trustwave reported the majority of the infections stem from one RIG exploit kit user codenamed “Customer X.”
“Customer X manages to infect about 500,000 machines per month with the Tofsee payload. The going rate for spam campaigns is approximately $US0.50 USD per 1,000 successfully sent emails,” read the advisory.
“This particular payload of Tofsee was observed in our labs attempting to send approximately one million emails per day from a single bot, of which about 2,000 emails were successfully sent.”
Trustwave estimates the attacks are earning Customer X between $US60,000 and $US100,000 per month.
Combating exploit kits is an ongoing goal of the US Federal Bureau of Investigation (FBI) and UK National Crime Agency.
In July, the FBI led an international takedown operation against Darkode, a hacking forum known to distribute exploit kits.
A new, more secure version of Darkode appeared less than two weeks after the operation. It is believed to be run by one of the old site’s administrators.