The Cybermatic: how automatic cybercrime became monetized


There are some handy hackers out there, no doubt; but hacking by hand is becoming an increasingly scarce commodity with the rise of automatic cybercrime. Davey Winder investigates.

The automation of cybercrime is absolutely nothing new. It’s hard to say when it all started precisely, but I’d hazard a guess that the release of AOHell in 1994 is as close as you are going to get.

AOHell was freely distributed and basically bundled together a bunch of utilities for manipulating the America Online (AOL) interface directly from the client software. It also included phishing functionality (quite possibly another first right there) for stealing user passwords and more that would enable anyone so minded to run riot on the world’s most popular online service of the day.

Most importantly, you didn’t need to be a skilled hacker to use AOHell. Anyone could run the scripts it used, and anyone did with spam and mailbombs becoming the order of the day as disruption for the sake of it took over.

The point being that this signalled the start of lamer culture: n00bs, packet monkeys and, most widespread of all, script kiddies became a thing. Call them what you will, they all used script-based tools created by others (who did have the hacking skillz for such things) to automate the process of what you might loosely refer to as hacking.

Automated cybercrime was born with AOHell, and it quickly inspired copycats to release their clones. I have heard claims that across the next decade there were more than 1000 such programs released; and that’s just for people to attack AOL.

As AOL dwindled, and the rise of the Internet and its sidekick the World Wide Web continued, so script kiddies found it easier and easier to get hold of code that would do whatever they required. Trouble was, they didn’t really know what they required beyond an ability to cause trouble and proclaim they were ‘L33T’ or ‘1337’ (leet, in other words).

Truth be told, they were nothing close to being an elite of any kind. What they were close to doing was proving that there was a market for such tools, and just possibly a market that could be monetized. Taking the decade on from AOHell as the marker works pretty well when looking at how hacking automation became profitable. Research suggests that the first exploit kits, distributed initially within the Russian dark market, surfaced in 2006.

Exploit kits certainly fit the brief for the monetization of automated cybercrime. Typically consisting of a management console from which add-on functionality enables the user to launch an attack targeting one or many known vulnerabilities, they have become the bread and butter of the cybercrime arsenal. And that is on both sides of the commercial crime fence: exploit kits are sold by crime groups to other crime groups, and exploited by everyone.

More recently, the monetization of this automation has moved with the times and away from the ‘buy once, use often’ licensing model of old. Nowadays, most criminals will be renting the use of an exploit, and ‘exploit kits as a service’ has become a legitimate business model on the dark web.

Part of the broader ‘crimeware as a service’ phenomenon, this brings ease of use through automation together with ease of payment through a ‘pay as you use’ system. It’s a lethal mix, and one that organisations and individuals are at the sharp end of, day after day.

It is easy to think of cybercrime as being the almost romantic province of the criminally inclined nerd, applying technical skills to ripping off the establishment and making a fortune whilst doing no physical harm to folk. Easy, but wrong. Just as wrong as it is to think of cybercrime as being dominated by a handful of overlords, almost James Bond villains in nature, guiding gangs to do their bidding. Sure, both exist in the cybercrime ecosystem; but neither is the norm.

The norm is the modern-day equivalent of the lamer, and that’s the criminalized and money-motivated script kiddie. These are the folk who read of high-profile breaches and see the media reporting about losses amounting to millions. These are the folk who aspire to having some of that easy action.

Again, the truth is that most users of exploit kits are not raking in the millions nor pulling off the headline hacks of big corporates. Instead, they are the cybermatic: the force of automated nature that applies exploit kits and rented attack services willy-nilly in the hope of making a small profit from many victims. These are the same folk who use a scattergun approach such as non-targeted phishing to steal credentials, who scan swathes of connected devices and servers looking for an in, who probe and prod and profit.

Then there is DDoS-as-a-Service, which has also hit the monetization big time. Thanks to tools originally developed by hacktivist groups such as Anonymous, the point-and-click denial of service attack has not only become a reality, but has morphed into a pay-and-click model. Choose your target, choose how much bandwidth you want to pay for and the duration you can afford, throw your bitcoin in the right direction and a site goes down. It really is as simple as that.

The irony here is that DDoS-as-a-Service couldn’t itself exist without a certain level of automated attack process behind the scenes. The tools used to launch the denial of service attacks usually rely upon botnets of compromised machines to do their bidding. The more machines, the more powerful the botnet, and the more the service can charge. Those vulnerable machines are often identified using automated scans and exploit kits, or compromised using automated phishing tools to obtain the required credentials.

That anyone with a small amount of technical knowledge and a small amount of spare cash to invest can join the cybermatic should be of prime concern to each and every one of us involved in the cyber security industry, at whatever level. It should be on the agenda of every organisation, and in the mind of every individual user. Yet we, in the broadest sense, still don’t get it and remain convinced that it’s a spotty nerd or hench gangster pulling the hack-attack strings.

It’s not really a matter of changing much, just applying the right mindset to protect yourself from such automated attacks. In fact, it’s pretty much a matter of cracking on with cyber security basics: have a patch management strategy that removes the vulnerabilities used by exploit kits, employ education to prevent credential theft from phishing expeditions, and use multi-layered protection to defend against the opportunistic cybermatic.


Image: Thomas Leuthard