Hacking for dollars

These days, attackers are motivated more by money than the desire to write disruptive worms like Sasser.

Hackers have traded fame for financial gain, experts say.

In the past, lone hackers defaced Web sites or launched global worm attacks, mainly to gain notoriety among their peers.

Today, they use their skills for profit. They hunt for security flaws and find ways to exploit them, hijack computers and rent those out for use as spam relays, or participate in targeted attacks that steal sensitive information from individuals or spy on businesses.


What's new:
In the past, hackers wanted to gain notoriety by writing the biggest worm they could. These days, they're more likely to be motivated by money.

Bottom line:
Though the shift could lead to a drop-off in global worms, it still spells trouble. The targeted attacks crafted by businesslike hackers are likely to hit harder.

More stories on this topic

"In the last year, we have seen a dramatic shift to hacking for financial gain," said Oliver Friedrichs, a senior manager at Symantec Security Response. "The benefit of creating a widespread worm on the Internet has really been superseded by the potential of monetary gain."

Though the shift could mean the end of big worms like last year's Sasser, it still spells trouble. The targeted attacks crafted by businesslike hackers can hit individuals and organizations harder--and in the pocket, rather than just in the PC.

There is an underground market. A hacker who finds a way to exploit a security hole in Windows could earn up to $1,000, or much more if the hole is not yet known to Microsoft or anyone else, said Dmitri Alperovitch, a research engineer at security vendor CipherTrust.

That flaw could then be used to hijack PCs. These compromised systems, called zombies, can then be used to relay spam, to host malicious Web sites or to launch denial-of-service attacks--at a price. Spammers, phishers and others who want to rent out a network of about 5,500 zombies typically pay about $350 a week, according to security company Symantec.

These zombie networks, known as "botnets," are sometimes used to extort companies, who are threatened with a denial-of-service onslaught aimed at hurting their business. British online payment processing company Protx went offline after an attack and was warned that problems would continue unless a $10,000 payment was made, according to a recent report in The New York Times.

The FBI has also seen an increase in hacking for money. "We have seen a rise in the cases where the motivation appears not just to be for purposes of bragging in chat rooms, but to actually profit financially," said FBI spokesman Paul Bresson.

Underground markets for selling credit card numbers, software vulnerabilities or renting out botnets are also on the rise, he said. "We're seeing a lot more of that today then we ever have," Bresson said.

New breed
As the motive of those involved has changed, so has their profile, Symantec's Friedrichs said. "In the past, they were teenagers or others who did it to gain notoriety. Today's hackers are white-collar criminals and criminals in foreign countries," he said.

Among that group, though, are coders who realized that they could take the hobby they had for years and turn it into a profitable business, CipherTrust's Alperovitch said. "Unless they are really good at it, they probably won't become millionaires. But it is a good side business," he said.

The change has been accompanied by an increasing ingenuity in crafting attacks. Phishing scams, for example, are becoming aimed at smaller groups of victims. Also, companies are being targeted with Trojan horses meant to get access to corporate networks or to enable industrial espionage.

"The deception techniques are getting better, and the payload is also getting more sophisticated," said Dan Hubbard, a senior director at Websense, a San Diego, Calif.-based security vendor. "As more money gets made, the attacks get more sophisticated."

All this means that stakes are higher for individuals and for businesses whose systems suffer an attack. With a worm, they might have had to apply a patch or reinstall a PC. With financially motivated threats, victims could have sensitive corporate information or their identity stolen.

One fraud area seeing a rise in activity--and therefore, a likely lift in scam revenue--is phishing. These scams typically combine spam and fake Web pages that look like trusted sites to try to trick the victim into divulging sensitive information such as passwords or credit card numbers. The number of phishing e-mails tracked by IBM's Global Business Security Index reached an all-time high in May, the company said. It saw 9.14 million messages sent to its customers, up from a previous high of 7.7 million in January.

Credit card data sells for up to $100 per account, according to a report on the economy of phishing, released in June by San Francisco antispam provider Cloudmark. The price depends on how high the limit

Featured Video