LAS VEGAS. Built on the sorrows of gamblers, Las Vegas is a town where everyone is looking to make a fast buck. And so it was fitting that at the Interop networking conference here this week, researcher Chet Wisniewski of Sophos explained how hackers make millions from unsuspecting and naïve users.
Wisniewski's talk at Interop was all about uncovering the economic ecosystem that drives cybercrime and how the different gangs exploit people. In his view, hacking for money is likely the most dominant form of attack today.
"We know that the vast majority of attacks are not related to APTs (Advanced Persistent Threats), the vast majority is opportunistic malware," Wisniewski said. Hackers are asking themselves, "how do I make a buck off some poor suckers, whether it's tricking them with a drive-by, or getting them to click on something," Wisniewski said. "The whole point is to monetize."
In Wisniewski's view, the way to make millions as a hacker is to build a partner affiliate network.
"To be the king of the criminal [version of] Amway, if you will -- [that's] the most profitable place to be," Wisniewski said.
Take fake anti-virus software, for example. First the distributor creates the files and the download site. Then he sets up a reseller or markup model for affiliates, taking a piece of revenue from new affiliates that get signed up, in classic multi-level marketing fashion.
"You want to widen the network and build the pyramid," Wisniewski said. "We see the affiliates making $150,000 a week, that means the people running the pyramid are making very large sums."
From a legal perspective, the affiliate model itself isn't necessarily always illegal. Wisniewski noted that some of the kingpins simply say that they are just offering a product that other people are distributing. Laws around the world also vary. For example, in Russia, the authorities seem to focus law enforcement efforts on those networks that target Russians. When the activity doesn't target Russians, legal authorities don't seem to step in, according to Wisniewski.
Defending Against the Hacker Affiliate Network
From an end-user perspective, companies such as Sophos provide security tools that can help to protect users against the payloads that the affiliate cyber gangs are deploying.
In the case of fake anti-virus, Wisniewski said it is often distributed by way of what is known as server-side polymorphism: the download server rebuilds the payload for each request, so no two victims receive the same file.
"So every copy that comes down is entirely different than the copy before it," Wisniewski said. But that doesn't mean there's no defense against the malware. "Web filtering works great as there are only a few hosts that these guys are using to distribute the payload," Wisniewski said.
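The contrast Wisniewski draws, per-file signatures losing to server-side polymorphism while a host-level block still works, is easy to see on a small simulation. The script below is an added illustration, not Sophos code or anything from the talk: the download records and hostnames are constructed, each fetch of the fake anti-virus installer gets a fresh SHA-256 to stand in for a rebuilt binary, and a hash blocklist learned from the first few samples is compared against a block on the two distribution hosts.

```python
import hashlib
from collections import Counter

# Constructed sample data (not real telemetry). The hostnames are invented
# placeholders under reserved example/invalid domains.
MALICIOUS_HOSTS = ["update-scan.example.invalid", "cdn-secure.example.invalid"]
BENIGN_HOSTS = ["download.vendor.example", "mirror.os.example"]


def build_events():
    """Twenty fetches of a server-side-polymorphic fake AV installer plus five
    benign downloads. Every malicious fetch has a distinct hash because the
    server rebuilds the binary per request, but only two hosts serve them."""
    events = []
    for i in range(20):
        body = f"fakeav-build-{i}".encode()  # stand-in for a unique binary
        events.append({
            "host": MALICIOUS_HOSTS[i % 2],
            "sha256": hashlib.sha256(body).hexdigest(),
            "malicious": True,  # ground-truth label for the simulation only
        })
    for i in range(5):
        body = f"legit-installer-{i}".encode()
        events.append({
            "host": BENIGN_HOSTS[i % 2],
            "sha256": hashlib.sha256(body).hexdigest(),
            "malicious": False,
        })
    return events


def hash_filter_hits(events, known_hashes):
    """Events a hash blocklist would stop."""
    return sum(1 for e in events if e["sha256"] in known_hashes)


def host_filter_hits(events, blocked_hosts):
    """Events a web filter keyed on the serving host would stop."""
    return sum(1 for e in events if e["host"] in blocked_hosts)


def top_hosts(events, n=2):
    """The n hosts serving the most known-bad downloads. In practice this set
    would come from threat intelligence; here the simulation's labels supply it."""
    counts = Counter(e["host"] for e in events if e["malicious"])
    return {host for host, _ in counts.most_common(n)}


def compare(events, learn=5):
    """Learn a hash blocklist from the first `learn` malicious samples and
    apply it to the rest; compare with blocking the top distribution hosts."""
    malicious = [e for e in events if e["malicious"]]
    benign = [e for e in events if not e["malicious"]]
    learned = {e["sha256"] for e in malicious[:learn]}
    later = malicious[learn:]
    blocked = top_hosts(events)
    return {
        "unique_hashes": len({e["sha256"] for e in malicious}),
        "distribution_hosts": len(blocked),
        "hash_blocklist_caught": hash_filter_hits(later, learned),
        "hash_blocklist_total": len(later),
        "host_filter_caught": host_filter_hits(malicious, blocked),
        "host_filter_total": len(malicious),
        "host_filter_false_positives": host_filter_hits(benign, blocked),
    }


if __name__ == "__main__":
    for key, value in compare(build_events()).items():
        print(f"{key}: {value}")
```

Run as-is, the hash blocklist catches none of the later fetches (every hash is new) while the host filter stops all twenty malicious downloads and none of the benign ones. The caveat a defender should keep in mind is that host blocking is only this clean while the distribution infrastructure stays concentrated; once a campaign spreads across many throwaway hosts or CDNs, the filter list has to be refreshed as quickly as the hashes would have been.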
Behavioral tracking is another key technique that can be used to defend against attacks. The malware might initially look like a legitimate remote access solution -- but by looking at the behavior of the application once it runs, malicious intent can be determined.
There are more tactics on the horizon, and Wisniewski added that he is working with other researchers in the field to develop countermeasures against cybercrime and malware. His goal: To "cut off the head of the snake."
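To make the behavioral-tracking point concrete, here is an added example of the scoring logic such a defense applies; it is not Sophos code and the indicator names, weights and event streams are constructed for illustration. Actions that a legitimate remote access tool also performs (listening on the network, capturing the screen, injecting input) score zero on their own, so the verdict turns on the combination of additional behaviors that a remote-control program has no reason to exhibit.

```python
# Weighted behavioral indicators, constructed for this illustration. The
# weights are arbitrary and are not any vendor's real detection model.
INDICATORS = {
    "disable_security_service": 4,
    "block_task_manager": 3,
    "tamper_hosts_file": 3,
    "write_autorun": 2,
    "hide_process": 2,
    "demand_payment": 5,
    # Expected from a remote access tool, so they add nothing by themselves.
    "listen_network": 0,
    "screen_capture": 0,
    "input_injection": 0,
}
THRESHOLD = 6  # a single weak indicator never trips the verdict on its own


def score_behaviour(events):
    """Sum the weights of distinct suspicious actions seen in an event stream.
    Unknown event names are ignored rather than treated as suspicious."""
    hits = {e: INDICATORS[e] for e in set(events) if INDICATORS.get(e, 0) > 0}
    return sum(hits.values()), sorted(hits)


def classify(events):
    """Return (verdict, score, indicators) for one observed process."""
    total, hits = score_behaviour(events)
    verdict = "malicious" if total >= THRESHOLD else "benign"
    return verdict, total, hits


# Constructed event streams, in the order a sandbox or endpoint sensor might
# record them. The fake AV starts out looking exactly like the remote tool.
LEGIT_REMOTE_ACCESS = ["listen_network", "screen_capture", "input_injection"]
FAKE_AV = ["listen_network", "screen_capture", "disable_security_service",
           "write_autorun", "block_task_manager", "demand_payment"]
AUTORUN_ONLY_TOOL = ["listen_network", "write_autorun"]  # weak, not enough

if __name__ == "__main__":
    for name, stream in [("remote access", LEGIT_REMOTE_ACCESS),
                         ("fake AV", FAKE_AV),
                         ("autorun-only tool", AUTORUN_ONLY_TOOL)]:
        print(name, classify(stream))
```

The third stream shows the design choice behind the threshold: writing an autorun entry is something plenty of legitimate installers do, so it contributes to a score but cannot convict by itself, which keeps false positives down without letting the fake AV's full set of actions slip through.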