How Cybercriminals Make Their Millions
Botnets have become the online center of highly profitable criminal enterprises, but how do they actually rake in the cash?
Botnets have been getting a lot of headlines lately, whether from last months arrest of the man allegedly behind the Mega-D botnet, or angry supporters of the WikiLeaks organization who have voluntarily allowed their computers to become part of the Low Orbit Ion Cannon (LOIC) as part of Operation Payback. Most botnets are used as part of a criminal enterprise, and their purpose is simple: make money.
"A botnet is a network of computers that have been infected with malware and placed under the control of a single individual," explained Martin Lee, senior software engineer at Symantec Hosted Services. "When you get infected by one of their pieces of malware, your computer is then placed under the control of whoever wrote that malware."
Lee added that once a computer becomes infected, it contacts a command and control server, one of the main computers behind which an operator of the botnet sits.
"The person who controls the botnet can issue whatever instructions they would like to the computers that are under their command," Lee said.
Those instructions can include sending email, connecting to another computer or installing a piece of software so that it's hidden so that the owner of the machine will never find it.
"Once your PC has been infected by a piece of malware and is part of a botnet, it no longer belongs to you," Lee said. "It belongs to the controller of the botnet, and they can do whatever they want with what used to be your PC."
Malicious email remains one of the most common ways to infect a machine with malware. "Last year, we measured that one in every 284 emails contained malware," Lee said. "The vast majority of all those pieces of malware were destined to make the victim who opened it part of a botnet."
However, even users who are careful with the email they receive and the attachments they open remain vulnerable to attacks. For instance, Lee said, some criminals hack social networking accounts and seed links to malicious URLs on the hacked accounts' pages, infecting anyone who clicks on the link. Lee added that it is also common for criminals to hack legitimate websites to seed links, which are then picked up by search engines. Lee said they are also adept at finding terms used in breaking news stories and using them to get their URLs picked up by search engines. In these cases, the victims don't need to install anything, they just need to visit the website and they receive a drive-by install.
Lee said Symantec identified 42,000 distinct domains serving up malware this year. "On average, we identify 3,000 new malware websites each day."
Botnets out in the wild range from tens of thousands to more than a million infected computers, Lee said.
So once criminals have built their botnet, what do they do with it? There are multiple ways to make money with a botnet, but Lee said that far and away the most common way to use a botnet is to send spam.
"Spam can be incredibly profitable," he said. "One study estimated that although the click-through rate on spam is phenomenally low, the bad guys can make millions of dollars a year out of these spam campaigns."
Believe it or not, people actually buy stuff advertised in spam messages, Lee said, and it's primarily spam advertising pharmaceuticals.
"The studies that have been done on pharmaceutical spam have shown that you're never quite sure what you're actually buying," Lee said. "A lot of it is counterfeit product. Or there's poor dosage control. You may actually be getting a placebo. Or you may not get anything."
Although spam has an incredibly low response rate, the volume of spam that can be sent with a botnet more than makes up for it. Lee said 89.1 percent of all email sent during 2010 was spam.
And he noted that URL shortening services have made it easier for spammers to get victims to open their messages.
"The spammers have jumped on the back of these services because it allows them to launder or whitewash what the actual URL you're going to is," Lee said.
Stealing from Bank Accounts
Another common task for botnets is stealing from Internet bank accounts, Lee said. He explained that the malware on an infected machine waits until the victim connects to a bank's Internet service. It allows the victim to do the authentication. It then takes over the connection and injects its own money transfer commands into the system and hides those transactions when the victim looks at the balance.
"You can't trust what details you are seeing in your browser," Lee said. "The browser belongs to the guy who runs the botnet, and he's showing you what he wants you to see."
Lee explained that the botnet operators also create their own money laundering networks to get the money from victims' accounts to their pockets. They recruit money mules using spam ads for work-from-home opportunities. Three percent of all spam consists of work-from-home opportunities, he said.
"What the job requires is for the applicants to become money mules," Lee explained. "People throughout the world are being asked to transfer money and take a cut."
He added that it is often difficult to track the ultimate destination of the money because it has crossed numerous international boundaries before it reaches the bad guys' pockets. Additionally, the sums taken are usually just under the threshold that would trigger a money laundering investigation by the bank, which means it is often a while before the victim realizes money has been stolen.
Denial of Service Attacks
Another way to make money with a botnet is a really a modern take on a very old scheme: the protection racket.
Lee explained that the criminals search out businesses that do a lot of commercial activity online. The criminals then threaten to bring down the business's website for a week or a month if the business doesn't pay them. If the business refuses to pay, the criminals direct the computers in their botnet to start requesting pages on the victim's website. Since botnets can make hundreds of thousands of requests every second, they swamp the site or slow it down so much it is practically unusable.
Lee said the extortion demands are generally between $10,000 and $50,000, which makes victims who stand to lose much more than that if their sites are brought down apt to pay.
"There are no new crimes," Lee said. "These old crimes are just being updated for the 21st Century."
Stealing Intangible Goods
Another way to make money with botnets is to steal intangible goods, though Lee conceded he's only heard of a few instances to date.
This crime involves hijacking victim's online gaming accounts and selling the intangible goods they have acquired in the game.
"If there is a market for something, if someone is willing to pay money for something, then that something can be stolen," Lee said. "People spend an awful lot of money and time and effort on online games. Some of the Trojans are specializing in stealing credentials to be able to access online games precisely for the reason of being able to steal the intangible goods that people have acquired."
Lee noted that one gang in Asia that specialized in such attacks made at least $140,000 doing so.
Holding Information for Ransom
Finally, for another spin on the extortion angle, Lee said a botnet could be used to hold the information on a victim's computer for ransom. The malware encrypts the victim's hard drive so the information becomes inaccessible. The botnet operator then demands payment to decrypt the drive.
"I think it's fairly rare," Lee said. "There was an occurrence of it fairly recently. It's not common, but it's still a way that the bad guys can make money."
Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.