Webroot researcher Dancho Danchev reported uncovering a cyber black market that rents access to location-specific compromised hosts in a public blog post.
"The service is currently offering access to malware-infected hosts based in Russia ($200 for 1,000 hosts), United Kingdom ($240 for 1,000 hosts), United States ($180 for 1,000 hosts), France ($200 for 1,000 hosts), Canada ($270 for 1,000 hosts) and an international mix ($35 for 1,000 hosts), with a daily supply limit of 20,000 hosts, indicating an ongoing legitimate/hijacked-traffic-to-malware-infected hosts conversion," read the post.
Webroot manager George Anderson, told V3 the news is troubling as the malware-hosting stations can be used for a variety of harmful purposes.
"Compromised hosts are basically owned. They can be used by the cyber criminal for any activity that will make them money: as a spam relay, as spear-phishing of the host's friends, as a Command and Control point, or a relay to steal the host user's identity, their banking and financial access credentials. The list is pretty much inexhaustible," he said.
"The reason why spam botnets are commonly used is because they can be easily hidden on the host and can equally easily use the host as a launch platform for further compromises or to build botnets. Botnets can then be used to launch distributed denial of service (DDoS) attacks, where seemingly legitimate traffic floods a website to make it inaccessible to others – which is a major business loss for any company operating online."
He added that the location-based offering also means criminals renting the hosts can improve their schemes' profitability.
"Criminals are pricing hosts by location because it's an indication of an ‘economic value' of the host. For instance a US citizen will generally be better off than a Russian citizen, therefore targeting that host or using that host to mine others in that region (for example grabbing the email addresses of a US person's compromised host to then compromise their friend's PCs too) will most likely lead to a specific financial gain," he said.
Danchev said the location-based offering is likely designed to help differentiate the criminals' rental services from other similar black marketplaces.
"Today's modern cybercrime ecosystem offers everything a novice cyber criminal would need to quickly catch up with fellow or sophisticated cyber criminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware-generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem," wrote Danchev.
Cyber black markets selling attack tools and services have been a growing problem for the security community. For years numerous vendors have reported seeing a growth in the number of illegal online marketplaces selling attack tools and web user account passwords. Webroot researchers also discovered thousands of Twitter and Skype user account details for sale on a Russian cyber black market in April.
No comments:
Post a Comment