Understanding the Russian Hacker Underground
Viruses, worms, fake AV programs - they are the bane of every network administrator's life, and they can cost companies dearly in terms of network downtime, reduced productivity, wasted IT staff hours and even lost data.
But where does all this malware come from, who is responsible for it, and what is the motivation for creating this malicious code in the first place? These are questions that two Russian security experts have spent six months trying to answer. Fyodor Yarochkin and "The Grugq" spent six months monitoring dozens of underground Russian language hacker Web forums where malware, scams and other criminal activities are openly discussed. The sites in question are protected by nothing more than the language barrier and the use of fenya -- Russian prison slang; anglonims -- English words that have been Russianized , like "partnerka ;" and other obscure jargon. They presented their findings at the Hack In The Box security conference in Amsterdam last month.
Many people believe that malware is controlled by organized criminal gangs or government agencies that target large foreign enterprises, and while this may be the case in some countries, it does not appear to be true in Russia. "Basically we poked around in these forums to see what we could discover," says Yarochkin. "What we found is that those involved are geeks, not gangsters. They are actually extremely unprofessional criminals, and the typical cybercrime guy is a student who wants a little cash in his pocket and finds no problems getting it off the Internet. As far as he is concerned, everyone outside Russia is rich, so he has no problem taking their money."
Perhaps the most striking thing the two Russian researchers discovered is that there appears to be a whole underground economy based around getting money from Western victims . Not only is malware available for purchase or rent, but a whole range of supporting services are available to hackers to help them do so more efficiently. eBay-style feedback systems are even used to help the suppliers of these services establish good business reputations.
For example, a hacker may set up a malicious Web site that infects visiting PCs with malware, but how does he generate a steady stream of visitors? One way is to sign up partners who generate traffic to the site. These partners can use any number of methods, including placing enticing adverts on porn sites and using their own malware to redirect traffic on infected machines to the hacker's website. In return the partners get paid a commission for every visitor they are responsible for whose PC subsequently gets infected, and they can check the commissions they and other partners have earned on a Web dashboard.
Hackers that have competitors in a given field may decide to give themselves an advantage by subjecting their rivals to a denial of service attack. These can disable websites, and more recently DDoS attacks on Twitter accounts have also been advertised. The going rate for DDoSing a Twitter account is currently around $80 for a 24 hour period, with bulk discounts available for multiple accounts, and a free five minute DDoS attack thrown in to prove that the person offering the service is genuine.
Many types of malware are designed to seek out credit card details which may be stored on an infected machine or entered into an infected machine's browser during an online transaction and to send them back to the person responsible for the malware. But what does that person do with all the credit card details he receives?
Obviously he could use the details to buy a laptop or some other high value good and have it delivered to his house, but there's a high risk of the police turning up as well, says Fyodor. For that reason hackers sometimes use a set of credit card details and then publish them in forums where they can be used by others for nothing. Yarochkin believes that this is probably to obscure the original purchase, because if enough people use a given stolen credit card then it becomes harder for the police to trace the person who stole it originally.
A more attractive and lower risk option is to use the services of a "drop": someone who offers to have goods bought with stolen credit card details delivered to his house. "When you use a drop, someone provides a name and address for you to have goods delivered to. They then sell the goods back to you at half the original price," says Yarochkin. Becoming a "drop" is an easy way to get a foothold into the cybercrime world and make a little money, he adds, and lists of bad "drops" and a reputation system means that dishonest drops can quickly be weeded out and honest ones encouraged.
Another alternative is simply to sell a list of credit card details to someone else. Of course the buyer is likely to be skeptical that the credit cards actually work, so lists of credit cards are offered with a guarantee, says Yarochkin: If any of the cards stop working within the guarantee period the buyer is provided with new ones.
Instead of buying physical goods, a lower risk option for hackers with stolen credit card details is to use them to buy services or non-tangible goods which don't need to be delivered to a physical address. One thing that appears popular is the login details for a Skype account which contain credit for making international phone calls. These come with a money back guarantee from sellers - who often ask for feedback from buyers to help prove their trustworthiness - and cost about $5 for $12.50 of Skype credit. For an even bigger illegal bargain, the Russian hackers can also get together with their Chinese counterparts to buy iTunes cards at a rate of 12 renimbi (or about $2) for $100 of iTunes credit.
The picture that Yarochkin and The Grugq have built up during their research is of a hacker scene which is 100 percent money driven, targeting unsophisticated home PC users rather than corporate users in larger enterprises. Essentially the message is this: Russian hackers are after money, and to get it they'll exploit the easiest potential victims. That's good news for those responsible for securing enterprise networks to the extent that they should have the resources to ensure that the machines under their control are patched in a timely fashion and to provide users with security awareness training.
The bad news is that careless enterprise users who let their guards down can easily end up compromising countless machines on your network. While this might not result in the loss of confidential corporate information - as this is not what most Russian hackers are after - it could result in some unexpected credit card charges at the very least.