Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet


Menace 2 the Wires

Advances in the Business Models of Cyber Criminals

-Guillaume Lovet

Presentation Objectives

• Recall different Cyber Criminals profiles

• Recognize new cyber criminal schemes and understand where they originate from

• Identify and quantify the business models behind

• Raise public and industry awareness

Agenda

• Quick reminders:
  – Cyber criminals profiles
  – Cybercrime Marketplace
  – Cybercrime Currency

• Mass Injections: from harmless defacements to MPack

• Threats 2.0: from the desktop to online applications

• Auction Fraud: from your account to your door

Introduction

• Cybercrime: criminal activity in which computers or networks are involved

• Cybercrime profits (World): $50 billion to $100 billion per annum

Introduction (II)

• Awareness increase

• How do Cyber criminals sustain their profits?

• Our habits evolve, blurring the online/real life line

• Cybercrime evolves accordingly

Quick Reminders

Cyber criminals:

Profiles, Marketplace, Currencies

Cyber criminals profiles

• Coders: the skilled

• Kids: the workforce

• Mob: the puppet masters?

• Drops: the mules

Cybercrime Marketplace

Cybercrime Currency

• e-gold
  – Anonymity
  – Irreversibility
  – Independence

• Wired cash
  – Irreversible
  – Crosses borders instantly
  – Fairly anonymous

E-gold feedback

Hey Doug, Still Baffled?

E-gold indictment charges

Mass Injections

…from harmless defacements to MPack

A bit of history

• Defacing: Replacing the victim’s web server index page

• Mainstream in the early 2000s

• Moderately destructive

• Common Characteristics:
  – Custom, usually dark gfx
  – Patriotism
  – Leet speech
  – Admin taunting
  – Linux preaching / Microsoft bashing

Defaced Page Paradigm

What for ?!

• Mass-defacements highly regarded

• But motivation was not financial gain

• Rarely carries a real political message

• So why?

For that!

• Based on the common characteristics, defacing expresses a need to:
  – assert one’s belonging to a group
  – assert one’s national identity (wider group)
  – assert one’s competences / capacities
  – do something “forbidden”
  – compete with others

• In a nutshell: Defacers = Teenagers growing

Another, more recent example (2007)

The Mpack case: Taking over Italy

• Mpack is a web-application serving malicious content to visitors

• The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim)

• Mpack is sold by a gang of Russian “coders” for about $700

Mpack Case: What happened in June 2007?

• Thousands of Italian websites compromised

• 90% of those sites were hosted by Aruba.it
  – Possible flaw exploited in the server hosting all those sites
  – Still under investigation

• A malicious IFrame was injected in each hacked site
  – It silently led visitors to a Mpack server, infecting thousands of them

Mpack Case: a snippet of compromised sites

Mpack Case: Stats Server

Mpack Case: the business model behind

• Costs:
  – Mpack software: $700
  – Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day)
  – Script inserting IFrames into each page: little skill, or about $50

Mpack Case: the business model behind

• Profits:
  – Using each one of the 10,000 infected computers as a spam relay (“one shot” operation). Assuming:
    • Sending 100K emails before being blacklisted
    • Advertisers pay 0.03 cents per email:

    10,000 x 100K x $0.0003 = $300,000

  – Using each one of the 10,000 infected computers for Adware planting: $32,000 (monthly)

Mpack case: the business model behind

• Total Costs: $10,750

• Total Profits (first month): $332,000

• Gain (first month): $321,259

• Productivity index (Profits/Costs): 31

Threats 2.0

…from the desktop to online applications

Web 2.0

• Detailed inputs about the "Web 2.0" concept -> outside of our scope

• A quote that puts Web 2.0 in a nutshell:

“seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model”

(Wired Magazine)

Consequences on the Threat Landscape

• Raise in online identity theft attacks

• Impersonating a user on an online app allows for:
  – Retrieving the victim’s personal data
  – Performing actions on the victim’s behalf

• Arsenal:
  – Phisher Worms
  – XSS / CSRF
  – Plain old client-side trojaning

Phisher Worm / Social Worm: Example

Rogue Login Page

Phisher Worm outlines

• Combines Phishing and Automation

• Malicious code sits on the server, not on the victim’s computer

• Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks

• Spreads exponentially fast: the average user has about 100 friends

XSS / CSRF Worms

• Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website
  – Typically used to steal cookies and hijack sessions on the vulnerable site

• Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user
  – Typically used to execute actions on behalf of the victim on the vulnerable site (e.g. send a message, modify some personal settings, etc.)

XSS / CSRF Worms (continued)

• In 2005: Samy’s worm (for fun) => over one million friends within 20 hours

• In Dec. 2006: Quickspace worm (for profit):
  – viewing = getting infected
  – Being infected = infecting others + having a banner on your profile

• It did happen and it will likely happen again (XSS/CSRF hard to spot)

• Main Question: What is the point ?!

The Business Logic Behind: Example

The Business Logic Behind: Example (continued)

The Business Logic Behind: Model (Costs)

Costs

• Assuming:
  – Target: posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles
  – Price to pay for each posted ad: 10 times the average price to pay a bot herder for sending out one spam email, i.e. ~$0.003 per ad

• Renting the services of a social networking site phisher:

60,000 x $0.003 x 4 = $720 per month

The Business Logic Behind: Model (Profits)

• Profits. Assuming:
  – Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace)
  – Posted ads click-through rate: 5%
  – Pay per click rate: $0.05

• Pay per click affiliate program monthly revenue:

60,000 ads x 30 daily views x 30 days x 5% x $0.05 = $135,000 per month

The Business Logic Behind: Model (Summary)

• Summary
  – Total Costs: $720
  – Total Profits: $135,000
  – Gain: $134,280
  – Productivity index (Profits/Costs): 187

• Bottom line?
  – More or less masqueraded spam is flourishing on social networking sites
  – May seem innocuous at first sight
  – But very organized and yields outstanding profitability figures

Auction Fraud

…from your account to your door

“eBaying”

• The term “eBaying” has two meanings…

• eBaying guides sold on IRC

• As old as eBay itself

• Evolution over the past two years:
  – Automation
  – Risk taking

Plain Bogus Item

• One of the easiest and quickest ways to make money on the internet:

1. Choose an item with high buzz factor, or a real bargain

2. Create an account and set up a bogus auction

3. Use low-ball to obtain payment via WU / MG

4. Cash in (possibly via a drop) and vanish

5. GOTO 1

• Gives rise to amusing situations

Plain Bogus Item: The Magic Pen

Bogus Item with User Feedback

• Used to work well, but with user awareness increase: difficult selling from accounts with no feedback

• To sustain productivity: Need to find a way to get a hold of an account with good feedback at will

• There are really only two solutions:
  – Steal it
  – Craft it

Steal It: Costs

• Costs (covering the actual Phishing operation):
  – Phishing kit: scam letter + scam page: $5
  – Fresh spam list: $8
  – php-mailers to spam out 100K emails for 6 hours: $30
  – Hacked site for hosting the scam page for a couple of days: $10
  – Valid cc to register the domain name: $10

Steal It: Profits

• Profits. Assuming:
  – A phishing success rate of 0.0001
  – Half of the hooked accounts suitable for bogus auction
  – An average price of $4,000 for the items sold

10 x 0.5 x $4,000 = $20,000

Steal It: Summary

• Summary
  – Total costs: $63
  – Total profits: $20,000
  – Productivity Index (Profits/Costs): 317

• Notes:
  – Raw profits not impressive, but P.I. is outstanding
  – Selling more valued items may boost P.I. but increase risks and decrease robustness

Craft It: Broker Bots

• Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)

Spot The Seven Differences

Craft It: Recollection

1. Someone is massively creating randomly named “spider” user accounts

2. Spiders seek & buy 1-cent "buy it now" items

3. The seller script emails the item to the spider and posts its standard feedback on the spider’s profile

4. The spider automatically responds with a standard feedback comment on the seller’s profile

In a nutshell: two bots are talking – and doing business

Craft It: Model

• Costs:
  – Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15

• Profits. Assuming:
  – A moderate scam success rate of 1/4
  – Moderately priced bogus items (about $100)

100 x 1/4 x $100 = $2,500

Craft It: Summary

• Total costs: $15

• Total profits: $2,500

• Gain: $2,475

• Productivity Index (Profits/Costs): 166

The pay-on-delivery scam

• Pay on delivery (aka Cash on Delivery, or “COD”) earns buyers’ confidence

=> Easier to sell bogus items

• But then, how can cyber criminals make money with that?

The pay-on-delivery scam (cont)

• On IRC, a “lead” = someone willing to buy something somewhere, with payment on delivery

• Leads can be sold on IRC (via e-gold, WU, MG…)

• Lead buyer:
  – dress as TNT guy
  – show up at the victim’s door
  – deliver a box full of turds
  – cash the payment
  – leave

• Is it Cybercrime, plain crime, or a mix of both?

• Cyber criminals are willing to take more risks to get richer, faster

Conclusion

• New cyber criminal schemes still:
  – Highly profitable
  – Relatively easy to implement
  – Involve abnormally low risks, given the odds

Thus tremendously tempting

• Issues:
  – The Internet is borderless
  – The police in emerging countries focus on criminal activity that produces corpses

Bonus Track: The 10 most profitable Cyber criminal Business Models

Questions?

(No, I still do not drive a Mercedes 600SL)