Pierluigi Paganini
June 09, 2013
The offer of cyber criminals in the underground is very dynamic and articulated and its observation is a privileged point of view for better understand how evolve cyber threats.
Recently we have spoken of new serviced that adopted curious monetization models for botnet renting such as the “pay per execution” and we have seen how the underground has reacted to the shutdown of the Liberty Reserve currency scheme.
Today I will introduce a couple of discoveries made by researcher Dancho Danchev on the offer in the criminal underground. Once cyber criminals have obtained the control of huge botnet they mainly try to capitalize them in two ways:
One of the sectors most targeted is the gaming market due its millionaire profits, cyber criminals in this case mine the botnet for accounting credentials for a gaming platform ad for activation key of the most popular game.
Danchev found a new e-commerce website that is specialized in the sale of stolen accounting credentials gaming platforms (e.g. Origin and Uplay) and for a variety of online services( Hulu Plus, Spotify, Skype, Twitter, Instagram, Tumblr and Freelancer).
Following a screenshot of the actual advertisement, the prices of the compromised gaming accounts are very cheap:
still more cheaply if we consider the prices for the compromised accounts:
The security experts analyze new services for profiling the activity usually consider various factors such as references to geographic area, methods of payments accepted and of course aging of the services.
This information could give an idea to the researchers of the level of organization behind the services, typically cyber criminals operate for short period and gangs of individuals operate together for the time necessary for specific campaigns.
Analyzing the feedbacks of the e-shop Danchev discovered that it is not a one-time inventory of compromised assets, but it appears like “a long-term operation fueled by an ongoing botnet operation relying on commercially/publicly obtainable DIY (do-it-yourself) malware generating tools, in combination with malware crypting services.”
The service discovered accept various payment methods including popular Bitcoin, Webmoney and PayPal, the shutdown of Liberty Reserve is increasing the popularity of Bitcoin in the underground despite some exchange such as MT.Gox announced more checks on the identity of the service subscribers.
The number of the E – shop that is selling access to hacked machines worldwide that accepting Bitcoin as the primary method of payment is increasing.
The newly launched services accept Bitcoin and guarantees up to 20,000 hacked PCs every day, has proposed in the following image the cost for 1K hosts is $30, 10K hosts go for $250, and 20K hosts go for $400.
The machines are located worldwide, this means that services doesn’t segment the offer ‘targeting’ any kind of machine to increment the portfolio.
The last interesting news from underground forums is related to Pharmaceutical scammers that impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs.
Danchev wrote in his post
“Opportunistic pharmaceutical scammers are currently spamvertising tens of thousands of bogus emails impersonating Facebook’s Notification System in an attempt to trick users into clicking on the links, supposedly coming from a trusted source. Once users click on the links found in the fake emails, they’re exposed to counterfeit pharmaceutical items available for purchase without a prescription.”
The figure behind the business are impressive, despite the products are counterfeit drugs the US accounting for 72% of pharmaceutical orders.
If you are interested in the evolution of underground offer … stay tuned!
Pierluigi Paganini
(Security Affairs – Underground, Cybercrime)
