The Cyber Threat Industry: Into the Darknet*
By Natalie Novitski
Friday, May 2nd, 2014 @ 12:00AM
Deep in shadowy chat rooms, where normal users never visit, there’s an entirely different world. Its denizens conduct their business secretly, keeping their distance from journalists and information security experts who try to meddle in their affairs. This business has rules of its own — the collection of forums and websites we call “darknet”. The tracks of every virus and malware that threaten innocent users lead there.
Did you ever attempt to enter a specific site while surfing, when suddenly a pop-up window asked you to update a software for you to be able to view the content? In many cases this is a trojan. It’s also important to remember that even if you press X to close that pop-up window you still get infected. Software, however, has to be updated regularly despite all that, to avoid a totally different type of attack, and it’s important to download these updates through official websites rather than through pop-ups in third-party websites. These software updates, in many cases, deal with software vulnerabilities that can be abused by hackers in order to infect computers.
“Computer vulnerabilities can be software mistakes, with the most common being all sorts of additions to operating systems. These mistakes can be abused by hackers,” said Guy Mizrachi, CEO of Cyberia. “In this case the users aren’t aware of anything, they just click on a link and get infected. They aren’t required to verify anything and can’t see any changes. This sort of infection requires abusing system vulnerabilities through exploits. Exploits like these are used by intelligence agencies, and there are also companies who specialize in producing them – they’re actually pretty common.” Where can you find these system vulnerabilities? In hacker forums found only in the darkest reaches of the world wide web – darknet.
Hackers have changed and advanced along with the technologies involved, and today their job is much easier. “In the 90s people were doing it for fun, but now it’s all about the money,” said Amir Karmi of ComSecure, ESET’s representative in Israel. “Most hackers today use ready-made tools rather than tools they created themselves, and in many cases people give them titles that they simply don’t deserve, because they take tools that other talented people created. In the past they used to download tools one at a time and put them together in creative ways to conduct an attack – now even that’s redundant. Everything is bundled up in automatic kits that include security breaches and easy-to-use attack tools – anyone can use them. All you need is access to the appropriate forum or website and you have a ready-made kit you can use on the website you attacked.”
Reaching these forums is not an easy task. You can’t use Google to find them, they can only be reached by getting their address from someone else. The addresses themselves change from time to time, and forum members are naturally suspicious towards new members. “If employees of security companies enter these forums, for example, the goal of forum members would be to expose these infiltrators, kick them out or feed them bad information,” adds Karmi, who is an employee of an antivirus company himself. “It all started with hacker chat rooms, where they could share files, ideas – and even trojans and malware.”
These places are hard to access, but once you’re in and the “natives” are convinced you’re one of them, you get access to many and varied products. There are, by the way, price lists for everything. A ready-made attack kit, for example, costs between 200 and 3000 dollars. The price of a recently discovered vulnerability in a new system can reach tens of thousands of dollars, even more. Sometime you even get ads: One attack kit, for example, can includes ads for other kits created by the same developer.
There are also “job opportunities” for novice hackers who are looking for a more stable work environment, or simply for additional income. “There are PPI – Pay Per Install programs. If I’m a beginner who wants to make some money without working too hard I can just buy one of these attack kits – it offers money for every time the virus is installed, and I get a monthly income. I can even get into all sorts of partnerships and there are very clear price lists for everything. It all depends on how many people I’ve infected and their country of origin – 1000 Americans, for example, are worth much more than 1000 Indonesians,” explained Karmi. “Operators from East European countries run most of these programs. There are organized crime families with research teams, QA teams, interface teams. Everything is organized, it’s a huge business bringing in hundreds of millions of dollars per year.”
Every tool described here is used by hackers to break into private computers, but the same methods are used when trying to infiltrate military or commercial systems. More on that next time.