Cybercrime pays! How PCs are traded online by hacker networks
30 April 2010, 12:00 am
Cybercriminals profit not only by stealing your credit card details or confidential email, but also by trading the compromised PCs themselves online. The cash changes hands within a syndicate of buyers and sellers.
But then, does not every transaction involve a buyer and a seller? In this case, one might say, they are in cahoots.
Most of these cybercriminals are driven by financial gain rather than fame, and they dress their activities up to pass as legitimate business. So why would they be after your PC, and how do they maximise the value of a compromised computer?
Using an exploit toolkit with disguised code, they spread malware to networked systems. They then buy and sell malware-infected PCs from anyone, anywhere, in an open market, even though the machines may look untouched to their owners. Prices are set by supply and demand and vary by region, and compromised machines belonging to financial institutions, government agencies and private individuals are all on offer.
This model encourages other hackers to compromise websites and infect their visitors with malware. They know they can sell these assets online whenever they want, even much later: the market is there to stay.
So how does it work? The criminals run a partner programme for malware distribution, in which "partners" are recruited and paid to distribute the bot.
A "partner" is normally another cybercriminal known only by a clandestine codename, say "Keyboard" or "Dice".
Dice distributes the bot (disguised to look like a harmless, professional-looking window) by injecting iframes (HTML inline frames that pull content from another page) into legitimate websites. These iframes point to a malicious website that uses an unnamed exploit toolkit to infect visitors.
The cybercriminals also use well-known attack toolkits; one example is the Trojan "Zalupko". An intelligence report published by a US cyber research centre noted that it had found malware names and download locations, mostly on Russian domains.
And talking of Russians, this writer is not sure whether the alleged Russian national who was previously arrested by authorities at an ATM booth in downtown Nairobi with a large number of electronic cards is connected to these networks.
Some of these malware files help the cash network harvest File Transfer Protocol (FTP) credentials for legitimate websites from infected PCs. Those credentials are later used by its partners to insert their code into the sites' pages, which infects more visitors and creates a highly profitable loop.
The sellers are no different from any other business: profit comes from buying low and selling high. The network pays its iframe-injecting partners a low price per infected PC, bundles the machines up, and resells them to bidders at a tidy profit margin.
That is not all: the happy customer can also add a "task" or "order" in this easy-to-use system, such as a preferred geographical area for the bots, or bots on hosts that run no firewall or other protection. Such extras, from antivirus evasion to counterfeit hardware, are kept in steady supply for customers, but at a cost. In East Africa (Kenya), HP is the "High net-Bot" (HnB).
Their only worry is keeping up with the latest technology and defences. As long as systems are networked, there is work for them every day.
Fraud keeps that work flowing. An infected machine (or a whole botnet) is no longer a one-time asset for an individual cybercriminal. It becomes a digital asset that can be traded online, over and over again.
Each trade produces a new "owner", who may install additional malware on the purchased machine and then sell it on to others.
Beyond spreading malicious code, the infected machines are later used to steal online banking credentials. The cybergang uses the well-known commercial-grade 'LuckySploit' crimeware toolkit to exploit users' browsers and install the Trojan on their PCs.
Once the Trojan is installed on the victim's PC, the URLZone bank Trojan's control toolkit is used to send it instructions and to direct money transfers from the victim's bank accounts, via money mules, to the cybergang. URLZone uses several techniques to stay under the radar of common anti-fraud systems.
To minimise detection by anti-fraud systems, the cybergang configures rules for how much to take in each transaction, so that no single transfer stands out.
The receiving accounts are legitimate bank accounts owned by legitimate bank customers. To pull this off, the cybercriminals recruit account holders, often offshore, by falsely telling them they are working for a legitimate business.
With the current economic slowdown, more and more innocent people are drawn into these schemes without realising it. These account holders, known as "mules", are usually unaware that they are moving stolen funds; they believe they are being paid for "working from home" (back-office processing) or some other internet money-making scheme.
Needless to say, social engineering is part of the scam. The money mule system leaves no direct link to the cybercriminals, the "perfect" way to avoid detection. Once a mule is hired by the cybergang, the stolen money is transferred to his or her bank account. The mule is then asked to forward the amount, less a commission, to a bank account provided by the cybergang.
To avoid tripping the bank's anti-fraud systems, each mule account is used only a limited number of times within a given timeframe; the gang dictates that timeframe and exactly how each transaction is to be handled. Since banks monitor large transfers, the amount deposited into a mule account is predefined to stay under the radar.
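The pattern just described (deposits sized to sit below a review threshold, then most of each one forwarded within a day or two, with a commission retained) is itself detectable from the bank's side. The script below is an added example, not something from the article or from any bank's fraud system; it runs a simple mule heuristic over a constructed ledger, with made-up account names, a hypothetical 5,000 review threshold, and a 2-day forwarding window, all of which are assumptions a real deployment would tune.

```python
"""Flag bank accounts that behave like money mules.

Added example, not from the original article. The ledger, account names,
review threshold and window below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, from_account, to_account, amount)
LEDGER = [
    ("2010-04-12 09:14", "ACC-VICTIM-1", "ACC-MULE-7",   4800.00),
    ("2010-04-12 16:40", "ACC-MULE-7",   "ACC-OFFSHORE", 4320.00),  # 90% forwarded same day
    ("2010-04-19 10:02", "ACC-VICTIM-2", "ACC-MULE-7",   4950.00),
    ("2010-04-20 11:30", "ACC-MULE-7",   "ACC-OFFSHORE", 4455.00),  # 90% forwarded next day
    ("2010-04-14 08:00", "ACC-EMPLOYER", "ACC-NORMAL-3", 3100.00),  # ordinary salary
    ("2010-04-15 12:00", "ACC-NORMAL-3", "ACC-LANDLORD", 1200.00),  # ordinary bill
]

REPORT_THRESHOLD = 5000.00            # assumed amount above which transfers get reviewed
FORWARD_WINDOW = timedelta(days=2)    # assumed: mules are told to forward promptly
MIN_FORWARD_RATIO, MAX_FORWARD_RATIO = 0.80, 0.98  # remainder is the mule's commission


def _parse(ledger):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, dst, amt)
            for ts, src, dst, amt in ledger]


def find_mule_accounts(ledger, threshold=REPORT_THRESHOLD, min_hits=2):
    """Return {account: [(inbound_amount, outbound_amount), ...]} for accounts
    that repeatedly receive just-under-threshold deposits and forward most of
    each deposit within FORWARD_WINDOW."""
    rows = _parse(ledger)
    inbound, outbound = defaultdict(list), defaultdict(list)
    for ts, src, dst, amt in rows:
        inbound[dst].append((ts, amt))
        outbound[src].append((ts, amt))

    flagged = {}
    for acct, deposits in inbound.items():
        hits = []
        for ts_in, amt_in in deposits:
            # A structured deposit sits close to, but below, the review threshold.
            if not (0.8 * threshold <= amt_in < threshold):
                continue
            for ts_out, amt_out in outbound.get(acct, []):
                within = ts_in <= ts_out <= ts_in + FORWARD_WINDOW
                ratio = amt_out / amt_in
                if within and MIN_FORWARD_RATIO <= ratio <= MAX_FORWARD_RATIO:
                    hits.append((amt_in, amt_out))
                    break
        if len(hits) >= min_hits:
            flagged[acct] = hits
    return flagged


if __name__ == "__main__":
    for acct, hits in find_mule_accounts(LEDGER).items():
        print(acct, "looks like a mule:", hits)
```

Note that the offshore destination receives the same under-threshold amounts but never forwards them, so the rule does not flag it; the signal is the receive-then-forward pair, not the amount alone. Requiring at least two such pairs per account keeps one-off gifts or refunds from being flagged.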
Solutions
The botnet trading platform is the latest development in the evolution of cybercrime. The botnet business is booming, and it poses a serious problem for organisations and businesses around the world. Some traditional security products, such as antivirus, have botnet-removal capabilities.
They do a good job of cleaning infected machines. However, because they are reactive (they need a signature for what they remove), they were not designed to stop a PC or laptop from being infected in the first place. For organisations, it is crucial to know whether they have been infected. Since infected PCs communicate with the cybercriminals' Command & Control (C&C) server, outbound traffic needs to be scrutinised. A Secure Web Gateway with outbound inspection capabilities addresses this need.
To prevent corporate PCs from turning into bots, a proactive approach is needed. The ideal line of defence is a Secure Web Gateway (SWG) that uses active real-time content inspection. By understanding what the code intends to do, such a web security solution detects and blocks malware regardless of its source, even when the code is obfuscated. Now you know. Be on the safe side.
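The outbound scrutiny recommended above does not need a gateway product to get started: a bot polling its C&C server shows up in ordinary proxy logs as many small requests to one host at a near-constant interval, which is unlike bursty human browsing. The script below is an added example, not code from the article or from any gateway vendor; it parses a constructed proxy log (placeholder hostnames and a made-up client address) and reports client-to-host pairs whose request timing is too regular to be a person.

```python
"""Spot bot beaconing in outbound web-proxy logs.

Added example, not from the original article. The log lines below are
constructed; the hostnames and client address are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: date time client-ip method host path status bytes
PROXY_LOG = """\
2010-04-30 08:00:03 10.1.2.34 GET www.example.org /index.html 200 15233
2010-04-30 08:00:05 10.1.2.34 GET cdn.example.org /app.js 200 80123
2010-04-30 08:00:10 10.1.2.34 POST c2.bot-panel.invalid /gate.php 200 210
2010-04-30 08:05:10 10.1.2.34 POST c2.bot-panel.invalid /gate.php 200 212
2010-04-30 08:10:11 10.1.2.34 POST c2.bot-panel.invalid /gate.php 200 209
2010-04-30 08:15:10 10.1.2.34 POST c2.bot-panel.invalid /gate.php 200 211
2010-04-30 08:20:09 10.1.2.34 POST c2.bot-panel.invalid /gate.php 200 213
2010-04-30 08:03:17 10.1.2.34 GET news.example.com /story/1 200 44012
2010-04-30 08:17:42 10.1.2.34 GET news.example.com /story/2 200 39980
2010-04-30 08:21:05 10.1.2.34 GET news.example.com /story/3 200 41210
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into tuples; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, host, path, status, size = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     client, method, host, path, int(status), int(size)))
    return rows


def find_beacons(rows, min_hits=4, max_jitter=0.10):
    """Return [(client, host, period_seconds)] for client->host pairs whose
    requests recur at a near-constant interval.

    The coefficient of variation of the gaps between requests separates the
    two behaviours: human browsing is bursty (high), a bot polling its C&C
    server on a timer is regular (low, here at most 10% jitter)."""
    by_pair = defaultdict(list)
    for ts, client, method, host, *_ in rows:
        by_pair[(client, host)].append(ts)

    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((client, host, round(period)))
    return beacons


if __name__ == "__main__":
    for client, host, period in find_beacons(parse_log(PROXY_LOG)):
        print(f"{client} beacons to {host} every ~{period}s")
```

Bots with randomised sleep intervals will push the jitter above the cutoff, so in practice this rule is paired with others (tiny, near-identical response sizes; POSTs to a bare script path; hosts seen by only one client), but regular timing alone catches a surprising share of commodity bots.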
Source: Find Articles, Free Articles Directory | Operating Systems Articles