On July 15, the US Department of Justice announced the FBI had taken down Darkode, one of the roughly 800 criminal Internet forums worldwide. According to the charging documents,
“Darkode was an online, password-protected forum in which hackers and other cyber-criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful intrusions on others’ computers and electronic devices. Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group. Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware and, thereby gain access to, and control over, those devices.”
With 250-300 active members from around the world, Darkode is just one example of a global cybercrime marketplace. Law enforcement managed to take it down, but where there’s will, malicious skills and a head for business, a new marketplace is potentially forming. And when these skills and their outcomes become widely available, they open the door for more opportunistic online crimes. Which allows for cybercrime constant evolution and growth.
In the first article of this Malware as a service (MaaS) series, we showed how anyone can create and use variants of existing malware, without having the necessary skills. All they need is the will to do it, because the “tools” are becoming widely available, precisely due to the MaaS model. We looked at cybercriminal roles and responsibilities, communication and transaction channels, to get an idea of how organized these marketplaces can get. Now let’s look at the tools of the trade.
The commodities offered on these dark marketplaces are numerous and varied, and fall under four major categories:
- "Initial access tools" such as exploit kits and zero-day vulnerabilities
- Malicious code or parts of it, such as ransomware, viruses and other malware, and even do-it-yourself malware kits
- Hacked/stolen information, such as personally identifiable/protected health information, account credentials (social media, banking, etc.), credit cards – #1 commodity on the black market! – and more
- A wide range of services, from enablement services such as search engine optimization, spam services, pay-per-install, fake website design, development and phishing, to support and operational services like ensuring product quality, infrastructure setup, to full service packages, like hacking or conducting DDoS attacks on customer’s behalf, to money laundering/cashout, such as cashout services for ransomware scammers.
Services like enablement or customer support show that these marketplaces actually operate the same way legit ones do. MaaS sellers are in competition with each other for customers’ attention, and as such, they want to make sure their products and services are top-notch. So they come up “try before you buy” offers and money-back guarantees. For example, as Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender notes,
“Email addresses and credit card details are broken down in different packages based on how fresh they are and whether or not they have been previously leaked on the internet. Some vendors even guarantee that should you buy a batch of email addresses that are invalid, or a batch of credit cards that have been suspended, you are going to get a new batch at no extra charge – [this is] to keep the trust relationship between the potential buyer and the vendor.”
Talking about the competitive nature of the MaaS business, he also points out that it
“might be illegal all over the world, but it is an extremely competitive sector that does not play by any written rules. With more than 22 exploit packs and a variety of do-it-yourself banking Trojan kits, for instance, potential buyers can mix and match services from multiple vendors.”
They can also rate sellers and their services, leave comments on dark forums, and report those vendors whose products are not as advertised. Noteworthy is that strong competition leads to innovation – and this is the case with these underground marketplaces as well. For example, with ransomware proving very lucrative, there has been a great demand for it lately. And in order to make their ransomware offerings appealing, vendors are adding new capabilities, like options to extend the period of a victim’s computer being locked. Another example of innovation is banking botnets becoming increasingly resilient and anonymous, or private – typically offered as “premium services,” private botnets are written for a specific group.
MaaS: costs and pricing
How much does a ransomware-as-a-service kit cost?
How about ‘nothing at all’?
Tox is one example of ransomware-as-a-service that enables anyone to set up their own ransomware for free. But even if it’s free to use, its creatos have found a way to monetize it.
Recently, a hacker released a ransomware-as-a-service kit called Tox, for anyone to download and set up their own ransomware for free. This just goes to show how competitive underground marketplaces can get, and how vendors are coming up with clever differentiators for their products to make them more appealing to customers. And, rest assured, the developers of the Tox kit thought of a way to monetize their offering: they allegedly claim 20% of any successful ransomware campaigns run by Tox users. But this is just one monetization example.
In general, prices for these commodities are influenced by traditional market mechanisms. For instance, prices for credit card information are falling because the underground market is flooded with such items. According to an analysis by industry expert Brian Krebs, they also differ depending on how “fresh” they are: from $20-$45 for freshly acquired credit cards, to $2-$7 for stale pieces.
Zero-day threat prices also differ depending on the corresponding software:
- Windows: $60,000 - $120,000
- Microsoft Word: $50,000 – $100,000
- Mac OSX: $20,000 - $50,000
And DDoS botnets-for-rent can cost from $19 to $38 an hour per month.
In a recent Bitdefender OEM webinar, Understanding Malware as a Service, Bogdan Botezatu offers some valuable insights into how these prices are set, and how much it costs to make a MaaS business operational:
MaaS: are you a part of it?
As complex as the MaaS may seem, know that there’s much more to that complexity. Because it’s not only about the bad actors hacking into company networks or user devices to steal their precious details. In many cases, it’s also about them hacking into legitimate web services as a means to distribute malware, exploit kits etc. to end user devices. For example, a popular way for the bad guys to distribute their malware is malvertising – using legit online advertising channels to embed malicious code within legit advertisements on trusted websites.
Case in point: cyberciminals’ “Kyle and Stan” malvertising network that distributed sophisticated, mutating malware for Windows and even Macs, through more than 700 domains – many of them popular, such as youtube.com and ads.yahoo.com – hosted by Amazon.
Another example is that of cybercriminals abusing the Akamaihd.net content delivery network (CDN) owned by Akamai, to redirect users to web pages hosting exploit kits. So legitimate web services may unknowingly become intermediaries or facilitators for malware infections, stolen data and more. And these are some weak points the security industry should focus more on.
“Cyber criminals should not have a safe haven to shop for the tools of their trade and Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities,” said Deputy Director Mark F. Giuliano of the FBI, in his statement about the Darkode takedown.
But is it enough for organizations that may unknowingly become intermediaries in or even targets of cybercrime? Should they just wait for law enforcement to “disrupt” these unlawful activities?
Looking at cybercrime from a business perspective can help understand it better. Understanding cybercrime better can help implement better security standards and procedures. In this context, having the right security technology in place can be viewed as a strategic corporate asset.
In our next article, Malware-as-a-service part III, we’ll look at how MaaS will evolve given the Internet of Things (IoT) and e-money trends, and ways to mitigate the risks it poses.