Russian Underground Offers Cybercrime Services at Dirt-Cheap Prices

November 5, 2012

Photo: paulafunnell/Flickr

Wanna buy a botnet? It will cost you somewhere in the region of $700. If you just want to hire someone else’s botnet for an hour, though, it can cost as little as $2.

Maybe you’d like to spy on an ex — for $350 you can purchase a Trojan horse that lets you see all incoming and outgoing texts. Or maybe you’re just in the market for some good old-fashioned spamming — that will cost you $10 for someone to send a million e-mails on your behalf.

Wired U.K.

These are the going rates in Russia’s underground cybercrime market — a vibrant community of ne’er-do-wells offering every conceivable service at dirt-cheap prices — as profiled in security firm Trend Micro’s report, Russian Underground 101, which provides insight into the workings of the hidden economy.

Russia’s cybercrime market is “very mature,” says Rik Ferguson, Trend Micro’s director of security research and communications. “It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.”

The report details a range of products offered in the underground, including ZeuS, a hugely popular Trojan horse that’s been around for at least six years. ZeuS creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered operating on everything from home-based computers to the networks of large organizations such as Bank of America, NASA and Amazon. In 2011, the source code for ZeuS was released into the wild, which has made it “a criminal open source project,” Ferguson says. Variants of ZeuS now sell for $200-$500.

Cybercrime techniques go in and out of fashion like everything else — and in that sense, ZeuS is unusual for its longevity. Its success in large part is due to the fact that viruses and Trojans can be easily adapted to take advantage of whatever hot story is in the news — presidential elections, hurricane Sandy — in order to make fraudulent messages and spam emails seem more legitimate to users.

DNSChanger is another popular Trojan horse that operated from 2007-2011. It altered the DNS settings on machines to redirect a victim’s browser to a webpage with ads that earned the scammers affiliate revenue. One prominent DNSChanger crime ring called Rove Digital was busted in Estonia in 2011 following a six-year FBI investigation. During that time, it’s estimated the scammers earned around $14 million.

As a result of the bust, the FBI was left with a lot critical web infrastructure on its hands that controlled infected machines, including machines at major organizations. Victim machines could only access the web through the Rove Digital servers. So authorities spent months warning computer users to check their computers for DNSChanger infections so that when the Estonian servers were finally taken offline, it wouldn’t affect the ability of victims to surf the web.

So-called “ransomware” is an example of a more recent cybercrime trend, whereby the victim’s computer is locked down, and the hard drive is encrypted by a remote attacker. All the user sees on the screen is a message that tells them that local law enforcement has detected child pornography or pirated software on their PC. In order to unlock their machine, the message instructs victims to send money to a certain bank account. No payment, no unlocked hard drive.

Some victims who have paid the “fine” actually report getting their information back, says Ferguson. “But you’ve labeled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says.

The most recent trends in cybercrime are focused on mobile — particularly Android devices — Ferguson says.

“We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year,” he says. “Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site.”

Prices are going down across the Russian underground, Ferguson says.

“The bad guys are using technologies to drive down costs in the same way businesses are,” he says, noting the person who recently claimed online to have bought the personal information of 1.1 million Facebook users for just $5.

While hackers and other cyber criminals can save by buying in bulk, the cost to the individual, or the business, that falls victim to one of these techniques is much higher.

The following is a survey of current prices on the Russian underground market:

  • Basic crypter (for inserting rogue code into a benign file): $10-$30
  • SOCKS bot (to get around firewalls): $100
  • Hiring a DDoS attack: $30-$70/day, $1,200/month
  • Email spam: $10 per one million emails
  • Email spam (using a customer database): $50-$500 per one million emails
  • SMS spam: $3-$150 per 100-100,000 messages
  • Botnet: $200 for 2,000 bots
  • DDoS botnet: $700
  • ZeuS source code: $200-$500
  • Windows rootkit (for installing malicious drivers): $292
  • Hacking Facebook or Twitter account: $130
  • Hacking Gmail account: $162
  • Hacking corporate mailbox: $500
  • Winlocker ransomware: $10-20
  • Unintelligent exploit bundle: $25
  • Intelligent exploit bundle: $10-$3,000