Risk Is Low And Business Is Booming In The Malware Market
Filed by KOSU News in Business.
February 21, 2014
Malware is malicious, bad software. It’s the code that cyber-criminals use to steal credit card numbers and bank accounts. As we all saw with that hack against Target, cyber-criminals are getting really good at using malware.
They’re getting so good they’ve built a thriving underground where credit cards go on sale before the rest of us even knew a mega-breach happened.
On a recent day, at a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist. We go to the anonymous Tor network, to a website that requires a login and whose name he didn’t want to reveal.
Pageler doesn’t want to tip off anyone, because being a trusted user on a criminal website takes work. It’s a lot like eBay; you’ve got to visit, buy and sell regularly and get rated and reviewed by your peers.
“When they transact with you, no one’s getting arrested, no one’s getting burned,” Pageler says. “So every time you make a transaction on the underground, you’re just building your street cred.”
Today, credit cards are on super sale. Pageler says that means a big breach just happened.
Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don’t just look at credit limits. They do analytics to see, according to the data, what banks have the weakest security.
“For them, they’ll know based on bank ID number which bank it is, and where they’re getting the best return on fraud,” he says.
Pageler is not actually a cyber-criminal. He’s a former Secret Service agent who studied them and is now in the private sector, at DocuSign. Today he’s showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: a list of 10,000 emails, customized by age, gender, region; that goes for just $79. To make sure the emails work, there’s a “cleaning price” of $48, Pageler says.
For another $50, I get malware called a keylogger, which will latch onto a victim’s operating system and follow every keystroke in search of strings that look like bank logins and account numbers.
Payment is with an account that’s like PayPal, except it is Internet cash that’s hard to trace back, and the servers are overseas so American police can’t really subpoena records.
I also need one more item, called a botnet, a vast network of computers under the control of a single bot master. Pageler hands me off to his colleague and botnet specialist Tom Brandl, who shows me options as cheap as $16. He also makes this simple analogy to the drug trade.
“These would actually be the guys on the street corners, collecting money and distributing the drugs,” Brandl says.
The bots send out emails, and about 5 to 10 percent of poor souls open the attachment, which lets the crooks in. The bots crawl around waiting for bank passwords. Then they can drain the money to the overseas account. Millions upon millions of unsuspecting computers — maybe even yours and mine — are part of botnets, making it nearly impossible to find the real criminal.
“If I’m the bank, I go back and say ‘hey I saw this login from this address.’ I go to check that address and it belongs to a grandmother in Sioux Falls. Basically the trail is dead at that point,” Brandl says.
Giovanni Vigna, a professor at the University of California Santa Barbara who studies cybercrime, says this is basically a crime without risk.
“If you look at the size of what gets stolen, there are wildly varying estimates, we talk about billions, and you think about how many actual convictions there have been, it’s amazingly low,” Vigna says.
The incentives to join the underground are amazingly high. With just a couple hundred bucks, I could drain enough accounts to make $500,000 and grab data to resell on the hidden websites. [Copyright 2014 KQED Public Media]