Russian Underground Offers Cybercrime Services at Dirt-Cheap Prices


Wanna buy a botnet? It will cost you somewhere in the region of $700. If you just want to hire someone else’s botnet for an hour, though, it can cost as little as $2.

Maybe you’d like to spy on an ex — for $350 you can purchase a Trojan horse that lets you see all incoming and outgoing texts. Or maybe you’re just in the market for some good old-fashioned spamming — that will cost you $10 for someone to send a million e-mails on your behalf.

Wired U.K.

These are the going rates in Russia’s underground cybercrime market — a vibrant community of ne’er-do-wells offering every conceivable service at dirt-cheap prices — as profiled in security firm Trend Micro’s report, Russian Underground 101, which provides insight into the workings of the hidden economy.

Russia’s cybercrime market is “very mature,” says Rik Ferguson, Trend Micro’s director of security research and communications. “It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.”

The report details a range of products offered in the underground, including ZeuS, a hugely popular Trojan horse that’s been around for at least six years. ZeuS creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered operating on everything from home-based computers to the networks of large organizations such as Bank of America, NASA and Amazon. In 2011, the source code for ZeuS was released into the wild, which has made it “a criminal open source project,” Ferguson says. Variants of ZeuS now sell for $200-$500.

Cybercrime techniques go in and out of fashion like everything else — and in that sense, ZeuS is unusual for its longevity. Its success in large part is due to the fact that viruses and Trojans can be easily adapted to take advantage of whatever hot story is in the news — presidential elections, hurricane Sandy — in order to make fraudulent messages and spam emails seem more legitimate to users.

DNSChanger is another popular Trojan horse that operated from 2007-2011. It altered the DNS settings on machines to redirect a victim’s browser to a webpage with ads that earned the scammers affiliate revenue. One prominent DNSChanger crime ring called Rove Digital was busted in Estonia in 2011 following a six-year FBI investigation. During that time, it’s estimated the scammers earned around $14 million.

As a result of the bust, the FBI was left with a lot of critical web infrastructure on its hands that controlled infected machines, including machines at major organizations. Victim machines could only access the web through the Rove Digital servers. So authorities spent months warning computer users to check their computers for DNSChanger infections so that when the Estonian servers were finally taken offline, it wouldn’t affect the ability of victims to surf the web.

So-called “ransomware” is an example of a more recent cybercrime trend, whereby the victim’s computer is locked down, and the hard drive is encrypted by a remote attacker. All the user sees on the screen is a message that tells them that local law enforcement has detected child pornography or pirated software on their PC. In order to unlock their machine, the message instructs victims to send money to a certain bank account. No payment, no unlocked hard drive.

Some victims who have paid the “fine” actually report getting their information back, says Ferguson. “But you’ve labeled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says.

The most recent trends in cybercrime are focused on mobile — particularly Android devices — Ferguson says.

“We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year,” he says. “Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site.”

Prices are going down across the Russian underground, Ferguson says.

“The bad guys are using technologies to drive down costs in the same way businesses are,” he says, noting the person who recently claimed online to have bought the personal information of 1.1 million Facebook users for just $5.

While hackers and other cyber criminals can save by buying in bulk, the cost to the individual, or the business, that falls victim to one of these techniques is much higher.

The following is a survey of current prices on the Russian underground market:

  • Basic crypter (for inserting rogue code into a benign file): $10-$30
  • SOCKS bot (to get around firewalls): $100
  • Hiring a DDoS attack: $30-$70/day, $1,200/month
  • Email spam: $10 per one million emails
  • Email spam (using a customer database): $50-$500 per one million emails
  • SMS spam: $3-$150 per 100-100,000 messages
  • Botnet: $200 for 2,000 bots
  • DDoS botnet: $700
  • ZeuS source code: $200-$500
  • Windows rootkit (for installing malicious drivers): $292
  • Hacking Facebook or Twitter account: $130
  • Hacking Gmail account: $162
  • Hacking corporate mailbox: $500
  • Winlocker ransomware: $10-$20
  • Unintelligent exploit bundle: $25
  • Intelligent exploit bundle: $10-$3,000

Twitter No Longer ‘Disappearing’ Infringing Tweets

In an effort to be more transparent about disappearing tweets, Twitter has started adding a note to inform followers when it removes infringing links at the request of a copyright holder.

Twitter is obligated under the Digital Millennium Copyright Act to remove infringing links at the copyright holder’s request, to avoid legal liability. Failing to do so could make Twitter legally liable for infringing works posted on its site.

But until now, tweets with infringing links had simply disappeared into the ether, leaving users wondering what had happened to them.

Now, when a tweet is removed, the micro-blogging site leaves a message in the tweeter’s stream, saying that the tweet “has been withheld in response to a report from the copyright holder.” Twitter also leaves a link to its copyright policy.

Google’s YouTube also gives viewers a notice when it removes videos for this reason.

Jeremy Kessel, Twitter’s legal affairs manager, said in a tweet that “We now offer more transparency in processing copyright reports by withholding Tweets, not removing them.”

Under the DMCA, Twitter users can challenge a tweet takedown, or a “withheld” tweet, as Twitter calls it. Twitter advises users not to re-tweet the same material until the dispute is resolved, which could take days or weeks.

“Re-posting material removed in response to a DMCA notification may result in permanent account suspension,” Twitter notes on its website. “If you believe the content was removed in error, please file a counter-notification rather than simply re-posting the material.”

Twitter said it received 3,378 requests to remove copyrighted material in the United States during the first half of 2012.

Female Cop Gets $1 Million After Colleagues Trolled Database to Peek at Her Pic

Anne Marie Rasmusson, in her police uniform, during the time she says fellow officers were violating her privacy. Photo: Courtesy of City Pages

A former police officer who filed invasion-of-privacy suits after fellow cops illegally accessed her driver’s license record more than 400 times just to get a peek at her will receive more than $1 million in compensation, according to settlements reached in several of the suits.

The Minneapolis City Council has agreed to pay Anne Marie Rasmusson $392,000, on top of a $280,000 settlement she reached with several other cities whose cops broke the law by accessing her record for non-work reasons. She will also receive $385,000 from the city of St. Paul, Minnesota, for a total of $1,057,000 that taxpayers will have to shell out for the wrongdoing.

That figure is likely to grow higher, pending a lawsuit Rasmusson filed with the state of Minnesota.

It’s one of the largest private data breaches by law enforcement in history, according to the Minneapolis independent paper City Pages, which broke the story earlier this year.

Rasmusson, a former police officer with the St. Paul Police Department, who was known by colleagues as “Bubbles” because of her effusive personality, first became aware that other officers were abusing the database to look her up when a former police academy colleague mentioned to her in 2009 that she looked great and that he and his partner had used their squad car computer to view her driver’s license photo.

Rasmusson had once been overweight, but had undergone a dramatic makeover since last seeing him, according to City Pages.

This and a number of other incidents over the years prompted Rasmusson to suspect that randy colleagues were abusing Minnesota’s driver’s license database to look her up. In August 2011 she contacted the state’s Department of Public Safety asking if it was possible to restrict access to her driver’s license file. After explaining the reason behind her request, a worker in the office investigated and found that her record had indeed been accessed by cops repeatedly across the state going back to 2007.

Further investigation revealed that 104 officers in 18 different agencies across the state had accessed her driver’s license record 425 times, using the state database as their personal Facebook service.

Officers in the Dakota County Sheriff’s office, Bloomington Police, and state troopers, were among those who illegally accessed her file over the course of nearly four years. There were 24 police officers in Minneapolis who accessed her record 133 times, and 42 officers in St. Paul who looked her up 175 times. A female officer in St. Paul looked up Rasmusson’s record 30 times over the course of two years.

“There is nothing that I would say about this driver’s license photo or any of my previous ones that in any way would deserve the attention that they’ve gotten,” Rasmusson told the paper. “I can’t begin to understand what people were thinking.”

One officer told investigators that he’d been out on patrol one day when his supervisor called his cellphone to tell him he should check out Rasmusson’s record. When investigators asked why he was told this, the officer replied, “to look at her picture, um, and this had something, I believe the conversation surrounded plastic surgery that she had done.”

Rasmusson, who took a medical retirement several years ago after suffering a work-related injury and left the police department, told Wired earlier this year that the activity was symptomatic of a larger problem involving data abuses by police, and said she feared retribution from officers for bringing the problem to light.

In the lawsuits she filed, she alleged that the officers violated, among other things, the federal Drivers Privacy Protection Act, which Congress passed in 1994 after actress Rebecca Schaeffer was killed by a stalker who obtained her home address through her driver’s license record.

The Act prohibits states from disclosing personal information that drivers submit to obtain a driver’s license, including their photograph, Social Security number, name, address, phone number, and medical or disability information.

The city of St. Paul denied Rasmusson’s invasion-of-privacy allegations and any liability for her claims, but said it agreed to settle in order “to avoid the uncertainties and costs associated with continued litigation of this matter.”

“The city’s liability could have been upwards of $565,000 because the statute provides $2,500 to be assessed per each unlawful look-up of the database, and we had 226 look-ups,” City Attorney Sara Grewing told the Pioneer Press. “So we were looking at $565,000 plus attorney’s fees, if we were found liable.”
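The audit review that uncovered this pattern, and the per-lookup liability figure the city attorney describes, can both be automated over an access log. The script below is an added example, not code from the article or from any agency; the log format, the field names (including the case-reference field), the sample rows and the "three distinct officers" threshold are constructed assumptions.

```python
# Added example, not the article's code; log format, fields and rows are constructed.
from collections import defaultdict

# Per-lookup statutory figure quoted by the St. Paul city attorney.
DAMAGES_PER_LOOKUP = 2500

# Constructed sample rows: timestamp agency officer record case ("-" = no case reference).
SAMPLE_LOG = """\
2011-03-02T09:14 AGENCY_A OFF_001 DL-1001 CASE-5531
2011-03-02T09:16 AGENCY_A OFF_002 DL-2002 -
2011-03-05T22:41 AGENCY_A OFF_003 DL-2002 -
2011-03-05T22:43 AGENCY_B OFF_017 DL-2002 -
2011-04-11T13:05 AGENCY_B OFF_017 DL-2002 -
2011-04-12T08:30 AGENCY_C OFF_031 DL-2002 -
2011-04-12T08:31 AGENCY_C OFF_031 DL-3003 -
2011-04-13T19:55 AGENCY_A OFF_002 DL-2002 -
"""

def parse_log(text):
    """Parse whitespace-separated audit rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, agency, officer, record, case = line.split()
        rows.append({"ts": ts, "agency": agency, "officer": officer,
                     "record": record, "case": None if case == "-" else case})
    return rows

def find_abused_records(rows, min_distinct_officers=3):
    """Flag records pulled without a case reference by many distinct officers:
    routine work leaves a case reference, so one record that several officers
    across agencies pull with none is the fan-out pattern in this incident."""
    per_record = defaultdict(list)
    for r in rows:
        if r["case"] is None:
            per_record[r["record"]].append(r)
    flagged = {}
    for record, hits in per_record.items():
        officers = {h["officer"] for h in hits}
        if len(officers) >= min_distinct_officers:
            flagged[record] = {"lookups": len(hits), "officers": len(officers),
                               "agencies": len({h["agency"] for h in hits})}
    return flagged

def exposure_by_agency(rows, record):
    """No-case lookups of one record per agency, and the statutory exposure."""
    counts = defaultdict(int)
    for r in rows:
        if r["record"] == record and r["case"] is None:
            counts[r["agency"]] += 1
    return {a: {"lookups": n, "exposure_usd": n * DAMAGES_PER_LOOKUP}
            for a, n in sorted(counts.items())}
```

Running `exposure_by_agency(parse_log(SAMPLE_LOG), "DL-2002")` gives each agency's share of the exposure the same way the city attorney's figure was derived, so the same review that finds the abuse also sizes the liability.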

The settlement requires the city to remove Rasmusson’s name, picture, address and other personal information from the city and police department’s internal directory and website.

Discipline for the perpetrators has been light in most cases or non-existent.

An officer who looked at Rasmusson’s record 13 times was subsequently demoted and received a five-day suspension, the harshest penalty anyone has received so far. Others have had warning letters placed in their files or were sent for training.

But according to City Pages, Minneapolis hasn’t disciplined any of the 24 officers who looked up Rasmusson’s record, and St. Paul absolved four of its officers and was still considering discipline for 38 others under investigation.

A former U.S. State Department research analyst fared much worse in 2008 when he was charged under the Computer Fraud and Abuse Act for illegally accessing the passport files of presidential candidates and celebrities and was sentenced to one year of supervised release and ordered to perform 50 hours of community service.

Lawrence Yontz illegally accessed the passport records for then-presidential candidates Barack Obama, John McCain and Hillary Clinton, and admitted that between 2005 and 2008, he read the passport applications of “approximately 200 celebrities, athletes, actors, politicians and their immediate families,” among others. Yontz claimed his illegal snooping was “idle curiosity.”

Millions Download SMS Spoofing Code Found on Google Play

A few days ago, researchers from North Carolina State University published a video demonstrating how an app can simulate the reception of a text message from a spoofed source. SMS spoofing can be used for a number of malicious intentions, including SMS phishing attacks (SMSishing), which could trick someone into providing banking credentials or subscribing to paid services.

The code to perform this action has been publicly documented and in use since August 2010. However, we have not yet found any instances that use the code for an SMSishing attack. Instead, the vast majority of apps use the code to deliver advertisements, including a couple hundred applications hosted on Google Play.

To send a spoofed SMS message there is no need to send a text message over the air. In fact, a message is never sent or received; instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived, and it will happily store the text message and notify the user of the event. One can specify any arbitrary "from address" for the SMSishing attack, and no special permissions are required to insert a spoofed message.

We have recorded more than 250 applications that contain code using this technique including 200 that are currently available on Google Play with millions of combined downloads. Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad network software development kit (SDK), which pushes ads straight into your SMS inbox. However, the network’s ad servers are down at the time of writing.

These applications are identified by Norton Spot, and any future malicious usage is detected by Norton Mobile Security. Users should also be wary of the source of any suspicious incoming text messages while Google modifies Android to prevent spoofing of these text messages.