
Over time, moderators use their own reviews and customer feedback to track each seller's reputation, and maintain rankings ranging from "Verified Seller" (good) to "Ripper" (bad). Sites will often develop "blacklists" and "whitelists" to block out or provide quicker access to specific sellers, and a number of "ripper databases" are distributed throughout these communities.
These "open forum" sites represent only one subset of the cybercrime market; other models may look very different, but can be just as sophisticated. Some malware developers, for example, maintain what amounts to their own channel programs.
"There are programmers who are working for brokers, and the brokers are selling the malware to other criminals, who are then reselling the malware to other criminals," says Trend Micro's Parry. "When they capture a bunch of systems, they resell those systems to another criminal, and another criminal. The actual hacker types don't want to get their hands dirty with something that would actually send them to prison."
Other groups build affiliate networks that tap into legitimate and semi-legitimate businesses. In a presentation at the Defcon hacking conference this year, Peter Gutmann of the University of Auckland's Department of Computer Science described networks in which businesses would pay affiliates up to 30 cents for each machine they infect with spyware or adware. Some of these companies claim to terminate unethical affiliates and include user licensing agreements in their software, while the software itself is hidden and often includes keystroke loggers and measures to render it difficult or impossible to delete.
Customer Service
Just like their go-to-market strategies, the array of services offered by malware developers and other online criminals has grown in sophistication alongside their legitimate counterparts. Extensive customer service, technical support, and update subscriptions have all become standard practice.
"They have to provide good customer support to compete," notes Holt. "If you buy 50 dumps [credit card or bank account records] from somebody, and 25 of them are invalid, the 'good' sellers are the ones who are going to say, 'You know what, here's 25 dumps in return.' The malware writers will say, 'You know what, if you're having a problem, just contact me. I'm always around. I'll be happy to help you with whatever I can.'"
Some of these vendors focus entirely on services. They may offer technical support or customization contracts on existing malware packages, for example. Others offer to conduct attacks or spam campaigns on your behalf. One group advertises an hour-long denial-of-service attack for $20, and 24 hours for $100, noting that their botnet is distributed across multiple time zones and can therefore launch and maintain attacks at any time, day or night.
"One group in particular says, kind of like Domino's Pizza, 'if the first hour of our denial of service attack doesn't work, you get your money back,'" notes Holt. "That's pretty common."
Other operations mirror legitimate software-as-a-service providers. These "malware-as-a-service" providers rent out access to botnets or Web-based attack tools. Gutmann noted one example in which a Russian group rented out its malicious Website. A prospective buyer could get 100 visitors for free, but then had to pay $4 per 1,000 visitors up to 5,000, $3.80 per 1,000 up to 10,000, and $3.50 per 1,000 if they bought 10,000 or more.
"Software rental is just another way to get money out of this market," says Oliver Friedrichs, Symantec's Director of Security Response. "It's common to see authors who write keyloggers and botnetworks, and then rent them out to people ultimately who may launch a phishing campaign or a spam campaign."
