It’s a known fact that hacking makes money. But how much money? And how do hackers carry out their internal dealings with one another so as not to step on each other’s toes?
Much like the fine-tuned systems of mafias and gangs that act almost identically to businesses, hackers have also created their own extremely intricate systems — and the scale of their operations is astounding.
Security researchers have been embedding themselves into these online underbellies to see precisely what’s going on. This way they can get an early look at the malware hackers are cooking up, while also learning just how the system works.
The research firm Trustwave has been doing just this for years. It now has a lot to show for it, including discovering how much money a hacking gang makes and how precisely the cybercrime ecosystem works.
Trustwave’s VP of Security Research Ziv Mador has put together a presentation he gives to customers so they can get a better handle on how to protect themselves. As he put it, it’s just a “glance of what we find.”
But Mador has given Business Insider an exclusive look at the wheeling and dealing of hackers inside this secretive world — check it out below.
Forums are 'The Craigslist of the underground forums,' explained Mador. 'You can see how they advertise malware they would like to sell to each other.'
It's where hackers and hacking gangs hawk their goods including trojans, bots, and other malicious pieces of software.
Mador explained that it's 'very difficult to get in' to these forums. They require a lot of vetting and trust from other criminals.
Exploit kits are the bread and butter for how cybercriminals successfully hack the masses.
They are a malicious toolkit of various ways to deliver malware. Or, as Mador puts it, an 'invisible web application that uses a cocktail of exploits.'
Exploit kits have become preferred by cybercriminals because of their heightened success rate. Before, an average of 10% of users were successfully hacked, but with new and better exploit kits being made the success rate has risen to as much as 40%.
Here is a rundown of all the ingredients inside the exploit kit cocktail. These are the various malware cybercriminals have paid for, which they then distributed further to unsuspecting victims.
Now Mador turned our attention to a real-world example: A Russian hacking gang named RIG.
Here we see how they advertise their exploit kits and what comes with them. The advertisement is written in Russian, but Trustwave translated the important parts.
For instance, RIG brags that its exploit has the 'ability to exploit large volumes of traffic.'
The pricing of these exploit kits is based on rental fees: a hacker can rent the kit for a day, a week or a month, for anywhere from $US30 to $US500.
$US500 may seem like a lot, but Mador assures us 'it's really not a big expense.'
RIG's business model operates much like retail does, with a warehouse and resellers. So a RIG manager sells the exploits both directly and to other resellers for a variety of prices.
The resellers then also sell to other hackers, likely for a higher price. In total, RIG brings in more than $US90,000 a week from this one manager.
The most common business model is that of RIG, which sells its exploits to other gangs who then sell them down the line. But a new model is emerging that has gangs selling directly to customers.
But with this model, the gang (which in this case is called Magnitude) gives the customer their exploit kit for free. The catch is it has the customer share a certain percentage of their malware traffic. The share of traffic the buyer gives up depends on how much traffic they accrue.
And when the gang receives that share of traffic, which is its payment, it can infect the victims with whatever malware it would like to use.
So if a buyer wants to use an exploit kit, they inject it into a website, but anywhere from 5-20% of that traffic goes back to the original seller, who then can do whatever they want with that victim.
Mador explained that this business model 'makes a lot of sense.' Buyers don't have to put up any money to cooperate and the gangs rake in a lot of cash for any traffic caught.
At the same time, he adds that the rental system is still more prevalent.
When Magnitude received its share of exploit traffic, the malware it infected victims with was 'ransomware.' It follows a simple concept: if a victim is successfully infected, his or her computer files get encrypted, meaning that he or she loses all access to that data.
Obviously, a victim would want to gain control of this data back, but it comes at a price. Magnitude would ask the victims to pay using bitcoin. How much depended on whichever ransomware was used.
But this form of cyberransom is extremely lucrative. Trustwave tracked the flow of bitcoin into one ransomware account; it came to $US60,000 in one week alone.
This is one message a ransomware victim may see if his or her computer gets infected. This one is specific to porn sites.
Hackers were able to inject a porn site with a link to this ransomware, and then scare victims into thinking they were being extorted for looking at illegal sites. Instead, it was just a wily way for hackers to convince the victims to pay up.
This ransom message was distributed in the US, said Mador. He deemed this one to be 'cleverly crafted.'
It cites a completely fabricated law referring to 'Neglectful Use of Personal Computer.' It claims that people can go to jail for 9 years if they allowed their computer to be infected with malware.
Using this crazy and completely incomprehensible jargon, it asks victims to pay up. And pay up they do. Despite the inanity of these messages, 'cybercriminals still get substantial revenue,' said Mador.
Another way hackers gain trust from users when distributing ransomware is proving that they can actually recover their files.
To do this, they provide a sort of 'freemium' service which lets the user get back one of their previously inaccessible files.
Beyond selling exploits, some hackers sell services to make exploits more successful. Mador calls these 'outsourcing services.' One example is 'obfuscation services.'
They work by taking a piece of malware and then mutating it to be undetectable by antivirus scanners. Security companies work fervently every day to learn what sort of malware hackers are building, and their repositories are constantly growing.
To stay ahead of the curve, hackers employ obfuscation tactics which hope to mask the malware to make it more effective.
These hackers want to prove that their service is successful. So here we see how they sell it.
First, the ad explains what the obfuscation does, and then it gives a 'before' list of antivirus programs that detected the malware and an 'after' list of all the products this 'obfuscated' malware now bypasses. (The names of the security companies have been redacted.)
Some hackers offer discounts to bring more customers in. Here's an example of one.
Some hackers provide even more personalised services. For as much as $US3,000, a hacker will give a customer a custom piece of hacking software.
As you can see, there are a lot of facets to the business of hacking. And all of this costs money.
Trustwave tried to estimate how much money it costs a hacker to buy or rent these exploits, add these services to make them more effective, and then also pay to bring in traffic.
The total came to about $US5,900. Seems like a lot, right? Well... let's see how much money they make.
After paying almost $US6,000, a hacker wants to make a lot of money, right? Well, they probably will.
Trustwave used averages to crunch some numbers. About 20,000 people are redirected to this malicious link every day. And, conservatively, about 10% of those people are successfully infected with the exploit kit. If the hacker uses a piece of ransomware, on average about 0.5% of those victims pay up.
This means that daily the hacker brings in about $US3,000. This brings the hacker's monthly income, minus the $US5,900 in expenses, to $US84,100.
Mador put it succinctly: 'Even non-technical criminals can pretty easily set up a malware campaign and make major revenue.'
Another way for a piece of malware to remain undetected involves stolen digital certificates, which are also sold on these forums. Files distributed online are often digitally signed with a certificate, which is meant to tell the recipient that the file comes from a trusted publisher. Or at least that's how it should work.
Some hacker services let malware get signed with such a certificate, which can drop its detection rate by as much as 80%.
And there's even another service out there: IP reputation services. This one is a bit trickier to understand.
Mador explained that it basically collects a huge list of IP addresses used by authorities and security vendors. Using this list, the service is able to check the IP address trying to access the malware, and if it's one of these official addresses, 'it effectively plays dead.'
So an IP reputation service is a way to automate laying low so the authorities don't see you. The makers of these services always tout special ways they gained this intelligence, including an FBI insider. Mador added that this is likely not true; 'These are people who have no problem lying to each other.'
Another type of malware called FakeAV (or RogueAV) uses a devilishly simple concept: Look like a real antivirus product.
This service offers an interface nearly identical to other products on the market, asks users to scan for malware, and then shows a long list of infections. Of course, none of this is true. Instead, victims pay for a service that does nothing but scare them into thinking they have more malware and should therefore pay more money.
These services are incredibly profitable too. Mador said that three gangs who use the FakeAV model made close to $US100 million in one year.
Yet another hacking tactic is called web shells. These provide a way for hackers to attack a web server.
Because websites are often very poorly maintained, hackers can easily figure out a way to gain entrance into a website's server as a whole. This gives them full access to the site. Thus hackers can do nefarious things like edit files, and even gain access to a website's credit card details.
The hackers selling these web shells have to prove that the servers they have infected are worth paying for. So you see here how they show the Alexa rank and the daily unique visitor count.
A more destructive web shell is one that can attack a site that handles customer credit card data. Here we see a web shell that connects to an e-commerce website.
Given that the hackers now have access to the server, they are able to scrape the credit card data used whenever a customer makes a purchase. We see here how the hackers modified the code that was handling the credit card transactions.
This code captures the entered credit card data and then stores it in some local file for the hackers to access.
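The tampering described above leaves two artifacts on the server that a defender can look for: a modified checkout script and a local file filling up with card numbers. The following is an added example, not code from the article or from Trustwave, of a file-integrity baseline over a web root plus a scan for files that contain several Luhn-valid card numbers. The web root, its file names and the test card numbers are all constructed for the demo; the only assumption is that a clean baseline was hashed before the compromise.

```python
# Added example (not from the article or Trustwave): detect the two traces a
# card-skimming web shell leaves behind, a modified checkout handler and a drop
# file accumulating card numbers.
import hashlib
import re
import tempfile
from pathlib import Path

# Runs of 13-19 digits, the length range of payment card numbers (PANs).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters random digit runs (timestamps, IDs) out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    tree = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            tree[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return tree


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, modified or removed since the clean baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def find_card_dumps(root: Path, min_hits: int = 3) -> list[str]:
    """Files holding at least min_hits distinct Luhn-valid PANs: a skimmer's drop file."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        text = p.read_text(errors="replace")
        pans = {m for m in PAN_RE.findall(text) if luhn_ok(m)}
        if len(pans) >= min_hits:
            hits.append(p.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed web root: take a baseline, then apply the tampering described above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "checkout.php").write_text("<?php process_payment($_POST); ?>\n")
        (root / "lib" / "db.php").write_text("<?php // db helpers ?>\n")
        baseline = hash_tree(root)

        # Constructed tampering: the checkout handler is edited (one changed comment stands
        # in for the injected logic) and a hidden file fills up with card test numbers.
        (root / "checkout.php").write_text("<?php process_payment($_POST); // modified ?>\n")
        (root / "cache").mkdir()
        (root / "cache" / ".sess_tmp").write_text(
            "4111111111111111|12/27|123\n"   # Visa test number (Luhn-valid)
            "5500000000000004|01/28|456\n"   # Mastercard test number (Luhn-valid)
            "4012888888881881|03/29|789\n"   # Visa test number (Luhn-valid)
            "1234567890123456|00/00|000\n"   # fails Luhn, must not count
        )

        result = diff_baseline(baseline, hash_tree(root))
        result["card_dumps"] = find_card_dumps(root)
        return result


if __name__ == "__main__":
    print(demo())
```

Running the block reports `checkout.php` as modified, `cache/.sess_tmp` as added, and the same hidden file as the only card dump; the three Luhn-valid lines push it over the `min_hits` threshold while the fourth, invalid number is ignored. In production the baseline would be stored off the server, since an attacker with file write access could otherwise update it along with the code.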
According to Mador, he sees 'thousands of compromised sites every month.'
Hackers who have credit card data have many avenues to sell it. Here's one post on a web forum for stolen bank accounts. The price for the accounts increases based on how large the account balance is.
Of course, it doesn't cost that much. An account with as much as $US100,000 only goes for $US10.
Here's another way this financial data is sold: a website dedicated solely to selling it. This one was deemed an 'approved credit card shop.'
Here's a look at what sort of accounts are for sale. Mador said that new batches of cards come in every few days. When he viewed this site there were nearly 800 pages of credit cards listed for purchase.
The interface looks similar to how other e-commerce sites work. Users choose which credit cards they want to buy and then they check out. They can pay for their purchase with bitcoin.
This was just a glimpse into the services these hackers provide. There are many more out there, as there is always a way to dupe people online.
This sort of information is what helps Trustwave learn how to protect its customers. But it's also just interesting unto itself how these criminals operate services, and how much they look like normal businesses.