If the public's image of the online criminal -- the brilliant but maladjusted teen breaking into systems just to prove he can -- were ever true, those days are long gone.
Not long after people first figured out how to break into computer systems, they started creating tools to make it easier for themselves; not long after that, those tools made their way into the hands of people who could use them without really understanding how they worked.
Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you've ever bought anything online, buying from them may be disconcertingly familiar.
If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase. You might even be able to buy technical support or get a money back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you.
As in many other industries, money has given rise to professionalism. Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market.
"We're in a world where these guys might as well just incorporate," says David Parry, Trend Micro's Global Director of Security Education. "There's certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we're talking about hundreds of billions of dollars."
"The general dynamics within this market are just like any other business model," says to Thomas Holt of the University of North Carolina at Charlotte's Department of Criminal Justice. "You have to offer a good price, you have to be readily able to communicate with your customers, you have to give them reliable products, because nobody's going to buy something if it doesn't quite work like you say it can."
According to Shane Coursen, Senior Technical Consultant at Kaspersky Labs, malware development is easily profitable enough to attract professional talent. "The financial model is absolutely huge. The amount of money that a developer could make at least matches what they can make at a software company. You could even set it up as a legitimate business, reporting earnings and everything."
Go To Market
Holt leads a team of researchers that tracks the online marketplaces where malware developers, brokers, and criminal "service providers" sell their wares. Starting with nothing more than Google searches, they have identified a network of approximately 30 publicly accessible sites of surprising sophistication, with features that rival eBay and Amazon.
The particular marketplaces Holt's team tracks are generally incorporated into hacker community forum sites hosted in Russia, Eastern Europe, and other regions where criminal prosecution and extradition are difficult or impossible. Prospective sellers post detailed descriptions of their products and services. Those selling malware will often including screenshots, claims about resistance to antivirus or other countermeasures, and penetration capabilities. Those selling stolen account data will often specify the nationality of the account, the bank, the type of account (Visa v. Mastercard, gold v. platinum), and the total value of each account. In many cases, they will also have complex pricing models, including purchase minimums and volume discounts.
At the same time, the purchaser sends a sample their product to a forum moderator -- a copy of the malware code or a sample of the stolen data -- who will then review and test it. If the moderator finds that the product does not work as advertised or that the data is invalid, they will block the seller from posting; otherwise, they will post a detailed review alongside the seller's product description. Moderators may also block products or services they consider too risky. VPN services, for example, have been widely turned away by various site moderators after law enforcement tracked down a particularly well-known online gang through their VPN connections.
Next: A Buyers' Market