
Budget Crime: You Can Buy A Stolen Credit Card And Rent A Hacker For Under $20

This article is more than 9 years old.

One of the most terrifying realities of cyber crime is that it’s now easier than ever to become a cyber criminal. Yes, people are more tech savvy and therefore understand phrases like ‘botnet’ and ‘DDoS’, but the online black market that aids cybercrime has become sophisticated and user friendly too. “All-in-one” kits for spamming phones, buying credit card data and buying hacking software are readily available in an underground industry that has developed and innovated as quickly as the tech industry - its legal counterpart.

Two separate reports released earlier this year by the Rand Corporation and Trend Micro delved into the workings of the online criminal underworld, otherwise known as the ‘darknet’, and found that the market had dramatically changed in the last decade. Previously, the darknet was inhabited by small dispersed groups of hackers who knew and trusted each other. Now it’s dominated by highly organised, sophisticated and financially driven groups that are operating with huge sums of money.

Why? Because online, crime pays. Well, it pays a lot more than “traditional” crime like the drug trade. In the UK, the Cabinet Office estimates that the cybercrime industry is worth £27bn a year, whereas the illegal drug trade is worth just £10bn a year. This is largely because, with cyber crime, the links to end users are more direct and worldwide distribution is relatively easy compared with the expense of shipping physical products, such as drugs.

It’s this ease that has seen the darknet rapidly develop. The Trend Micro report looked into the telecoms black market in China and found that almost anyone can order “all-in-one” mobile spamming kits online, for a range of prices, from shops that look like black-market versions of Amazon. For example, a kit that subscribes people to premium text services without their permission, which is one of the most common scams in China, can be rented per year for between $2,500 and $36,000 depending on the availability of premium service numbers.

This scam is particularly sophisticated. Normally, to subscribe to a premium text service, you would need to send a confirmation text message that clearly states that you want to receive premium rate messages. But this scamming kit automatically tells your phone to send a confirmation text, which it then deletes so there’s no trace of wrong-doing. The rented premium service number even sends the scammer diagnostics and reports on how many people have subscribed. This is all automatic and requires little or no attention, allowing the criminal to run multiple scams at once.

Prices for ‘exploit kits’ that are used to hack into servers and personal computers can range widely too, depending on whether they’re rented or bought, the quality of the kit and, interestingly, how trusted the “brand name” is. A rented exploit kit that would be used to hack into an account can cost anywhere between $500 and $10,000 a month, whereas purchasing a hacker’s time can cost between $16 and $325 depending on the target.

The iMessage service for iPhones has also become a popular target, with iMessage spamming kits selling for $4,500. For that price you can buy a kit that sends out iMessages to random numbers and records which numbers the messages are delivered to; those numbers then become spamming targets. Just like the premium number scam, the iMessage kit provides diagnostics and reports.

Indeed, malware for mobile phones has been increasing in recent years because of both the popularity of smartphones and the relative ease of setting up a spamming operation. As the RAND report explains, “such malware does not require extensive customisation”. Short Message Service (SMS) Trojans and fake installers are the most popular forms of malware and accounted for more than 70 per cent of mobile malware as of March 2013, up from 56% in 2011. Similarly, Kaspersky Labs found that the number of SMS banking trojans doubled from 1321 to 2503 in the first quarter of 2014.

User friendly

These kits have become more user friendly and don’t require large amounts of technical knowledge to set up. Many offer technical support and other subsidiary services like cloud storage. Vendors often guarantee, for example, that a particular piece of malware is good for 10 hours before it’s detected by anti-virus or that a credit card record is good for a certain amount of money. The RAND report claims that some vendors even protect their product with a form of digital rights management by tracking what the customer is doing with the product and making sure that they don’t break the “terms of use”. Some vendors have been known to shut down customers using their products if they’re making too much noise or infecting too many machines.

Outside of setting up your own spamming business, simply purchasing stolen data can be done on the cheap. The RAND report claims that a Twitter account costs more to purchase than a stolen credit card because the potential yield (from sending out spam messages to the account’s followers) is higher. Stolen credit card data prices vary depending on supply, how old the data is, type of card, expiration and the card’s credit limit. At its lowest, a stolen credit card record will sell for around $2, but at its highest, when there’s limited supply, it will sell for up to $45 a record.

The ease of setting up an illegal scamming operation online will likely increase, as the RAND report predicts, “because of the greater proliferation of websites, forums and chat channels where goods and services can be bought and sold.” Similarly, the rise in YouTube videos and guides on “how to exploit kit X” or “where to buy credit cards” has acted as a bridge for wannabe scammers. But, most importantly, the market needs these new scammers because it needs to grow and expand, and sellers want to maintain their high profit margins.