Chapter 4. It’s Good to Be Bad

In this chapter we’ll look at what motivates bad guys to break in to computers, and what’s going on inside their heads. It used to be that people created viruses and worms for silly reasons: perhaps just to prove to themselves or their friends that they are clever, or perhaps because they want to cause misery. There aren’t too many people like that in the world.

No, most people on the dark side of the force are there for one reason: easy money!

Let’s say you’re a bad guy and you get some bad software onto somebody’s machine. What kinds of things could you do to make money? Here’s a short list that is by no means exhaustive:

  • You could collect credit card numbers and the data associated with them (such as the CVV validation code). You could collect the data as users enter it into e-commerce shopping sites, then sell it off to other bad guys. Eventually someone might use the credit card information for a day or maybe just for the occasional single transaction, in hopes the credit card holder will never notice the fraud.

  • You could wait until people use their online banking sites, then sniff important account information (such as username, password, account number, and so on), or even take over the connection when the machine goes idle so that you can move money around.

  • You could collect any kind of account information. If you collect valid credentials to large corporate networks, for instance, you might suspect that there’s a black market for that kind of thing. Even for regular old PCs, you could sell the account information to people who want to run some of these other scams.

  • You could wait for people to buy stuff from an online merchant, like Amazon.com, and trick the online merchant into thinking that you referred the user to Amazon to buy a particular item, when in reality, the user went there by himself. This attack doesn’t harm the user at all, just the merchant, since it ends up paying out a commission to someone who doesn’t deserve it.

  • You could send spam from an infected computer. You might wonder why somebody would do this. If bad guys only spam from a few places, it’s easy to find and stop the sources, but if spam is sent through millions of PCs, many of them doing mostly legitimate stuff, it’s a much tougher nut to crack.

  • You could deliver ads to users that they wouldn’t otherwise have gotten. This is the model of many adware companies. They often sell cheap ads to legitimate businesses. The legitimate businesses don’t know how the companies get users to click on ads, they just care that the clicks occur.

  • You could fraudulently generate “clicks” for ads in order to generate revenue for your own site, which does nothing but serve up a ton of ads. You put up your big web page of ads, you have infected computers click the ads on those pages (the infected user doesn’t even have to see the pages), and the ad network will pay you the referral fee for the click. Or, if your business has a competitor, you could click on all your competitors’ links to eat up their advertising budget, taking away their “real” traffic (most ad campaigns stop when the budget is used up).

  • Similarly, you could replace all the ads that were supposed to be delivered to a user with ads that are served up from your home page. This closely mimics “real” traffic, making it even tougher for ad networks like Google to detect the fraud.

  • If the user’s PC is connected to an active modem, you could cause the modem to dial a premium 1-900 number (like a psychic hotline). You could then take advantage of the phone call time, but the call would be billed to the user. Or, if you own the 1-900 number, you would get all the money. Generally, you would want to keep calls short and few, so that people won’t notice or won’t complain if they do notice.

  • If you’ve got a large number of infected computers under your control, you could take money from other people to try to “take down” popular websites using a so-called distributed denial-of-service (DDOS) attack. There’s probably not a big market for this, but this kind of denial-of-service (DOS) attack does happen occasionally. It’s probably most often caused by bad guys with political agendas, or just people looking to make mischief.

  • You could use an infected computer to attack another computer. You could break in to other computers on your network and use any of the aforementioned techniques to make money on those new computers you’ve infected.

  • You could hold important data for ransom (such as personal photos, locally stored email messages, music files, and video). This is usually done by encrypting files on the computer so that the victim can’t access them until he gets the decryption key.

The more computers a bad guy has, the better off he is in terms of making money. Having more computers makes it easier to get spam through, and to keep generating fraudulent clicks if the work is distributed across as many machines as possible so that no single machine is doing too much work.

A lot of bad guys end up installing general-purpose software that they can control remotely to do whatever they want. The industry calls such software botnet software (bot is a short form of “robot,” indicating that the infected computer will probably run automated software to do the bad guy’s nefarious bidding).

Clearly, it’s in the bad guy’s economic best interests if the victim doesn’t know his or her computer has been taken over. There’s a lot the bad guy can do to use a victim’s computer to make money, without the victim having to know that the bad guy’s on there. The less intrusive a bad guy is, the better off he is. So, in this day and age, when a computer is infected, it’s probably the case that the bad guy only wants to slowly and unnoticeably drain money from the machine’s owner, because he doesn’t want to get kicked off the machine! If the bad guy does something extreme like hold files hostage (so-called ransomware), he may never get the money, and if he does give the files back, the machine will probably be cleaned up afterward, making it difficult to further monetize the machine. Therefore, ransomware isn’t too popular.

I’d expect this to be the kind of thing bad guys would try only as a last resort: if their primary malware is detected and removed, some secondary ransomware can still hold the machine’s data hostage.

All in all, being a bad guy on the Internet pays! It’s a lot easier than traditional crime, for a couple of major reasons:

  • The bad guys don’t have to be physically near their victims to commit crimes against them. In fact, a lot of computer crime is launched from countries like Russia and China, where both computer crime laws and enforcement of those laws are weak. If crime crosses jurisdictional boundaries, it becomes a lot harder to find and punish the bad guys.

  • It’s a lot easier to leave no real evidence behind. While computers do have addresses that can be used to track them to a certain degree, there are a lot of things a bad guy can do to cover his tracks. For instance, some systems allow people to do things over the Internet anonymously.

At the end of the day, computer crime is a lot cheaper for the bad guy than other kinds of crime, if the bad guy has the technical skills to pull it off. And there are plenty of ways to make lots of money without stealing it directly from end users (such as click fraud, where you end up stealing from corporations in small amounts). Plus, not too many people get caught. No wonder it is a reasonably popular and attractive profession in countries whose economies don’t offer many high-paying career opportunities.
