The Money Behind the Malware

How cybercrime works and what to do about it

It's important to understand the motivation behind the onslaught of malicious code bombarding our firewalls, users, and servers. At SophosLabs we see hundreds of thousands of malicious files every single day. And these files aren't the work of governments and spies out to spark the next cyber war. It's about money.

We can prepare for this onslaught. But to do so, we need to know how it works.

The tools at their disposal

Cybercriminals have a lot of options to make money. Fortunately, there are a lot of steps to get there, and every step a cybercriminal has to take is a point where we can stop them.

They begin by finding victims. And oh, do they have options for catching unwitting victims. Cybercriminals ensnare victims in a number of ways, including:

  • Spam: The classic. Spam, where it all began, has dropped in volume as defensive options have become better and users more aware, but we still see billions of messages every day – there's always a chance you'll click through.
  • Phishing: While spam promotes products and services, phishing is a more nefarious email attack, pretending to be a trusted source like your bank to gain access to your personal information.
  • Social media: Users spend countless hours on Facebook and other social media sites, and cybercriminals are using that to their advantage. Messages using similar tactics to trick users into clicking unsafe links are common in social media.
  • Blackhat SEO: Manipulating search engine results, often called Blackhat SEO or SEO poisoning, continues to be a problem. "Poisoned" search results can lead to exploits, malware, and phishing sites.
  • Drive-by downloads: It's possible to have your operating system, browser, plugins, and applications exposed to exploits looking for vulnerabilities just by visiting an unsafe website. SophosLabs sees tens of thousands of new URLs every day containing drive-by downloads.
  • Malware: Worms, viruses, and other malware files still serve their masters well. While less common now, opportunistic crooks still exploit malware to infect exposed systems and recruit people's computing devices for their own purposes.

Money behind the malware

So the cybercriminal has access to your information or computer. What do they do with it, and how do they make money off it?

  • Ransomware: Ransomware has been making more and more headlines in recent months and is considered the number one threat to users right now. It is a type of malicious software that can block access to your computer, files, or servers until the user or company pays a fee to the cybercriminal, and it has trapped not just regular end users but multinational corporations, healthcare systems, and more. Ransomware originally came almost exclusively from Russia, but it's grown to plague the internet from all over the world.
  • Selling products: This is an older scam, but criminals still set up a store offering great bargains on products, often to simply steal payment information. Others actually do send sham products to unwitting consumers.
  • Stealing login details: The purpose of phishing spam messages is to convince you they come from someone you know or trust. Criminals use social engineering techniques borrowed from real brands to collect usernames and passwords associated with high-value websites like PayPal, banks, Facebook, Twitter, Yahoo and web-based email services. Phishing emails take advantage of a user's lack of awareness of hacking attacks and data breaches.
  • Pay-per-click fraud: After compromising a user's computer, the criminals can download malware that manipulates Internet traffic. They divert the victim's clicks to advertisements located on the criminals' webpages. The criminals make money from ad networks by generating traffic to their customers' ads.
  • Fake security software: This is an older threat as well, but one users still fall victim to. The user visits a compromised site and is convinced they need to download (and pay for) a (fake) antivirus. Not only do scammers get these users to pay for the original install, they can often convince them to buy extended support and more.
  • Social media spam: It hasn't gotten easier for spammers. Spam filters get more and more effective with time, and users more savvy about spotting fake names. Criminals have, instead, moved on to abusing social media, where they make use of users' social circles to spread fraudulent sites—users are far more likely to click through a link if it comes from a friend or family member.
  • Banking malware: Cybercriminals follow the money. There's an entire industry based on capturing authentication information to access online financial institutions. It's moved far beyond simple key-logging software to capture usernames and passwords; modern banking Trojans can capture SMS messages and record videos of your screen while you log in. Hundreds of millions of dollars are stolen in this manner.
  • Premium-rate SMS fraud: Instead of attacking your bank account directly, they go after you through social media, asking for your phone number when you fill out a survey—which just entered you into a premium-rate SMS service. These services also tag along with pirated apps on your phone sending SMS messages to premium rate numbers at your expense.

Specialized scammers

With so many tools at their disposal to launch an attack or scam, cybercriminals tend to specialize, so that they're better prepared to evade our defenses and avoid law enforcement. Let's take a look at some of their roles.

  • Exploit writers specialize in discovering vulnerabilities in software and creating exploit packs—a collection of vulnerabilities packaged together. The exploit writers then sell the exploit pack to less technical criminals, who use it on websites and in email attachments to embed malware on vulnerable computers.
  • Translators are exactly that—they rework the language in spam or social engineering attacks to improve their effectiveness. Poor grammar or spelling in the user's native language is usually a good indicator of an untrustworthy message, so the better the writing, the more likely the victim is to fall for it.
  • Bot herders infect all of the zombie computers that are used for creating a botnet, which the criminals use for spamming, DDoS attacks, proxying and other cloud computing needs of the criminal underground. Bot herders segregate and sell or lease computers based on geography and type of bot needed by the purchaser.
  • Money mules and mule managers fill an important role in the cybercrime ecosystem: someone needs to walk into banks and transfer funds. Mules assist with the movement of money, and mule managers recruit them, oftentimes through work-from-home scams.
  • Partnyo'rka loosely translates to "partner network" in English. Like legitimate networks, they work to spread the word about—and pay commissions for sales of—scam products.
  • Tool providers write tools to aid in spreading spam and malware, like exploits, toolkits, and more. There's nothing illegal about writing software, but there is an entire industry based on creating tools for cybercriminals to purchase.
  • Malware writers are exactly that—they're writing malware for sale to organized cybercriminal operations, rather than distributing their wares directly.

How we win

As long as there is money to be made, criminals will continue to take advantage of opportunities to pick our pockets. While the battle with cybercriminals can seem daunting, it's a fight we can win. We only need to break one link in their chain to stop them dead in their tracks. Some tips for success:

  • Deploy patches quickly
  • Eliminate unnecessary applications
  • Run as a non-privileged user
  • Increase employee awareness
  • Recognize our weak points
  • Reduce the threat surface

All of this can make the job so difficult for the scammers that they will look elsewhere for their victims.