The Underground's Cash Cow

By Robert Lemos

Cybercriminals regularly buy and trade their victims' personal and financial information. Yet security researchers are finding that online thieves are expanding their illegitimate businesses beyond just selling data. Now they are selling access to your computer.

In June, Web security firm Finjan reported that its researchers had found an online trading platform that allows criminal buyers to lease or purchase blocks of compromised systems, commonly referred to as bots or zombies. The criminal exchange, named "Golden Cash" by its creators, presents an easy way for cybercriminals to profit from the control of their victims' systems.

The service, which has vanished since its discovery, aims to be a one-stop shop for a cybercriminal's needs, says Yuval Ben-Itzhak, chief technology officer for Finjan. "You can go there and you can buy as many infected computers as you want," he says. "Then, you can configure the systems the way you want them ... all (just by using) the site."

Such services can be a lucrative business for their criminal owners. At the time of the report, the Golden Cash site paid its partners between $5 and $100 for a block of 1,000 infected PCs. Prices varied, with systems from China, Taiwan, South Korea and the Philippines at the low end and systems in Australia at the high end. Buyers could then "purchase" the systems for prices ranging from $20 to $500 for 1,000 bots -- again, depending on location. Because buyers can use the systems and sell them back when they are done with them, the number of available bots is constantly refreshed.

"The same computers are being traded again and again and again and being reused by different people," says Ben-Itzhak. "You can buy them and use them forever, or you can just use them for a week."
Evolution, not revolution

In the past, for example, groups of cybercriminals with large botnets would segment the pool of compromised computers into smaller networks that could be sold. Golden Cash has improved on that system, allowing buyers not only to choose the size of their botnet but also to customize the software that will be placed on those systems. "I think what we are seeing here is an evolution," says Ben-Itzhak. The criminals collect a margin from every trade, so keeping their clients trading more and more bots boosts profits, he says.

The cybercriminals also realized that trying to manage botnets of hundreds of thousands -- even millions -- of compromised computers was a nightmare. Instead of a single botnet of a million computers, 100 networks of 10,000 systems each make more sense, says Vincent Weafer, vice president of Symantec's security response group. "We have seen well-hosted Web sites, the formation of affiliate groups, and paying for clicks," says Weafer. "All of these things have been around for a number of years now, but they have all been brought together in Golden Cash."

Digital slave trade

The first thing, for example, that the Golden Cash trojan does after infecting a victim's computer is to look for usernames and passwords that allow access to file servers. Using those credentials, the cybercriminals can go on to take control of Web servers and the sites hosted on those servers. In its research, Finjan found a cache of usernames and passwords for more than 100,000 sites. "These credentials are later being used to enable its partners to insert their ... malicious code into the Web sites' pages," the report states, adding that "corporate domains from all around the world were identified on this list."

In some cases, fraudsters include malicious code in fake online advertisements that are then distributed by advertising services to appear on a variety of Web sites. Popular Web sites are not immune to these attacks.
In early September, the online edition of the New York Times played host to a number of advertisements that had embedded attack code. CNN, ZDNet, Yahoo!, and even some sites owned by security companies have all been successfully co-opted in various ways to host malicious code. The result: consumers who visit legitimate Web sites hosting malicious ads could have their computers enslaved by rogue code and sold on underground exchanges like Golden Cash.

Cycle of crime

Once the unwelcome visitor has infected a computer system, the first order of business is to grab any usernames and passwords for Web sites that may be maintained by the user of the system. Then the victim's computer becomes part of the pool of enslaved bots and is eventually offered to other online criminals through the dedicated Web site. Computers based in the United Kingdom, Australia and European countries are more valuable than computers in Africa and Asia, says Weafer. "It varies from a cent or two (per system) to paying 50 cents," Weafer says. "It all depends where the assets are."

The profits from such illegal schemes can be enormous. Affiliates stand to make millions of dollars from helping infect consumers' computers with Golden Cash or other malicious code. A screenshot found online by security researcher Dmitry Samosseiko of antivirus firm Sophos showed that one affiliate for a fake video-player scheme made almost $6,500 in a month. Another cybercriminal service boasted that one of its partners made nearly $5,000 in eleven days, the researcher wrote in a paper published in September. "Assuming that most webmasters direct their traffic to more than one sponsor at a time, it is no surprise that affiliate marketing and (other techniques) are extremely appealing career paths for a computer savvy person in Eastern Europe," he wrote.

Robert Lemos is an award-winning technology journalist of more than 13 years, focusing on computer security, cybercrime, and enterprise issues. Mr. Lemos' work has appeared in BusinessWeek, San Francisco Chronicle, SecurityFocus, PC Magazine, PCWorld, USA Today, Wired News, Technology Review, ZDNet, and websites including CNET News, CIO, and The New York Times.