Since the disintegration of the USSR, the Russian Federation has suffered economic pain and political instability, before re-emerging as an international power with a booming economy. But one economy in particular is doing really well here in Russia, along with other countries in the East. Hacking, viruses and malware are now big business. That's because there's so much money to be made.
If you use your computer for banking, shopping, even online gaming, it'll contain sensitive information that can be stolen if you leave your PC's defences down. Leaving your firewall switched off, leaving your operating system unpatched, not running anti-virus software, can all lead to your computer being infected by trojan horse software that says it's one thing, but which has something very malicious hiding inside. This software is often designed to sit unnoticed, and gradually syphon off your personal details to a location somewhere else on the 'net. Every credit card number that's stolen, every phishing email that cons someone out of their details, even every piece of spam is potentially money in the bank. Recent research shows that even though a minute proportion of spam convinces people to pay, the vast amount of it that's possible to send out means a large network of spam sending computers can make $2 million a year.
The content of that spam is getting more sophisticated.
Mark Sunner, MessageLabs: "Towards the tail end of 2007, we started noticing that we were intercepting a high quantity of spam that had sound file attachments. They were all called things like beatles.mp3 or elvis.mp3, even celine-dion.mp3.
"If you were to click on the attachment it really would play - it was a genuine sound file. You'd hear a synthesized female voice, touting a potential stock that was about to go up. Now this is part of the stock-pumping phenomenon, where the bad guys will have taken out a genuine investment in a real stock, but with stolen credit cards.
"So they'd take the investment, blast out the messages, cash out quick, hopefully having made a profit, but also having laundered the money in the process."
Off the Shelf Hacks
Creating a program which performs these operations used to be the reserve of hardcore computer programmers, but the market has evolved, making it much easier to commit this kind of crime even if you're not technically proficient.
Greg Day, McAfee Security: "We've really seen an evolution in commercial cybercrime tools.
"You hear about vulnerabilities that allow others to sneak onto our systems and compromise them. I can now subscribe to a service which provides me with the latest vulnerabilities, to allow me access to other people's systems.
"Or there are other graphical tools that will create me my own attack. By pulling together hundreds of different techniques I can literally click and say whether I want to be a password stealer, a keyboard logger or a spammer, and it will compile me my own threat."
User-friendly, multi-purpose cybercrime tools like these can put someone with criminal intentions on the brink of stealing highly valuable information. They can even have a trojan written specifically for a certain task.
Mark Sunner: "A targeted trojan is the one-off. It's where someone wants in to a single company or even a single individual, and they want that particular target because they may be holding data that is of interest. So we're dealing with industrial espionage.
"You can buy that, off the shelf, just for you, for $200, from certain Russian websites. You can buy a purpose-built trojan, guaranteed to go under the nose of virus detection, $200.
"If it subsequently becomes caught by a virus-scanner, you can pay an additional $50, and get an update, because you're now a customer. Or for $2500, you can get the bad-guy equivalent of a service contract, and get automatic updates.
"But the thing about that is it lowers the barrier to entry. It's not expensive anymore. You or I could buy this, and we're not virus writers. You don't need technical sophistication, you just need the intent."
In chat rooms and forums across the 'net, hackers advertise and sell their wares. A keystroke logger, which will record passwords as they are entered, goes for an average of $23. Stolen bank account information goes for anywhere between $10 and $1000. Anyone who does want to hire the services of a hacker or discuss a targeted attack will probably need to be able to do one thing - speak Russian. Russia, along with several other countries in the East, is becoming the home of hacking, for the very simple reason that the law can't catch them here.
Mark Sunner: "If British law enforcement has information about a bad guy in the States, there is enough information-sharing that they'll follow it all up. If that same guy is in Russia, it's a dead-end.
"You've got Russia, Ukraine and China, they won't join the big boys' club that makes joined up legislation, so if they're not going to play ball, that's why those territories are a safe haven."
The authorities may find borders an obstacle, but the hackers don't.
A Hacker Speaks
While I was in Russia, I arranged to meet a hacker. He agreed to meet me in a public place, but didn't want to be identified on camera, asking that he only be known by his hacking name - Sp0raw. His website (www.sporaw.com) offers information and services, along with contact details for anyone who'd like to employ them. And these people, he says, stand to make far more money than the hackers themselves.
Sp0raw: "It's not just hackers who make money on illegal stuff. Other people hire hackers for money. It's an entire industry.
"It's not just about stealing credit cards and bank account details. Some legitimate websites which charge for membership will pay you commission if your site provides a click-through to theirs, and that person signs up.
"So we can hack people's computers and change their browser homepage to one of these sites, or even replace search results with ours. Do it in large enough numbers and some people are bound to sign up, earning us commission.
"The real money comes from knowing how to turn internet traffic into cash. Managers and administrators who can do this can make really good money. You may create a wicked virus, but that doesn't make you a fortune on its own. Maybe someone could buy it for 500 bucks. But if you know someone who could convert the infected traffic into cash, your earnings would soar to 100,000 or even 500,000 dollars.
"People who have a background in maths, that kind of person can make good money.
"The most risky part is the contact between the virtual and the real world. I don't need protection because I've never stolen anything. If you attack someone in Russia it's dangerous, but most hackers attack western business. It's very difficult to arrest them because there's lots of international bureaucracy - different parts of the chain in different countries, and under different laws."
It was an unusual interview; Sp0raw was nervous, worried that even our blurred pictures could be unblurred by the authorities, and his identity revealed. Despite what he told us beforehand, he continually insisted he himself hasn't broken the law, and the biggest hack he's done is changing his friends' school grades to get them into a better university.
He left me a little frustrated, but understanding that this is a serious business, where hackers are employed by serious criminals. It's not a profession you boast about.
Courtesy: BBC Click!