Hacking for dollars

These days, attackers are motivated more by money than the desire to write disruptive worms like Sasser.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
6 min read
Hackers have traded fame for financial gain, experts say.

In the past, lone hackers defaced Web sites or launched global worm attacks, mainly to gain notoriety among their peers.

Today, they use their skills for profit. They hunt for security flaws and find ways to exploit them, hijack computers and rent those out for use as spam relays, or participate in targeted attacks that steal sensitive information from individuals or spy on businesses.


What's new:
In the past, hackers wanted to gain notoriety by writing the biggest worm they could. These days, they're more likely to be motivated by money.

Bottom line:
Though the shift could lead to a drop-off in global worms, it still spells trouble. The targeted attacks crafted by businesslike hackers are likely to hit harder.

More stories on this topic

"In the last year, we have seen a dramatic shift to hacking for financial gain," said Oliver Friedrichs, a senior manager at Symantec Security Response. "The benefit of creating a widespread worm on the Internet has really been superseded by the potential of monetary gain."

Though the shift could mean the end of big worms like last year's Sasser, it still spells trouble. The targeted attacks crafted by businesslike hackers can hit individuals and organizations harder--and in the pocket, rather than just in the PC.

There is an underground market. A hacker who finds a way to exploit a security hole in Windows could earn up to $1,000, or much more if the hole is not yet known to Microsoft or anyone else, said Dmitri Alperovitch, a research engineer at security vendor CipherTrust.

That flaw could then be used to hijack PCs. These compromised systems, called zombies, can then be used to relay spam, to host malicious Web sites or to launch denial-of-service attacks--at a price. Spammers, phishers and others who want to rent out a network of about 5,500 zombies typically pay about $350 a week, according to security company Symantec.

These zombie networks, known as "botnets," are sometimes used to extort companies, who are threatened with a denial-of-service onslaught aimed at hurting their business. British online payment processing company Protx went offline after an attack and was warned that problems would continue unless a $10,000 payment was made, according to a recent report in The New York Times.

The FBI has also seen an increase in hacking for money. "We have seen a rise in the cases where the motivation appears not just to be for purposes of bragging in chat rooms, but to actually profit financially," said FBI spokesman Paul Bresson.

Underground markets for selling credit card numbers, software vulnerabilities or renting out botnets are also on the rise, he said. "We're seeing a lot more of that today then we ever have," Bresson said.

New breed
As the motive of those involved has changed, so has their profile, Symantec's Friedrichs said. "In the past, they were teenagers or others who did it to gain notoriety. Today's hackers are white-collar criminals and criminals in foreign countries," he said.

Among that group, though, are coders who realized that they could take the hobby they had for years and turn it into a profitable business, CipherTrust's Alperovitch said. "Unless they are really good at it, they probably won't become millionaires. But it is a good side business," he said.

The change has been accompanied by an increasing ingenuity in crafting attacks. Phishing scams, for example, are becoming aimed at smaller groups of victims. Also, companies are being targeted with Trojan horses meant to get access to corporate networks or to enable industrial espionage.

"The deception techniques are getting better, and the payload is also getting more sophisticated," said Dan Hubbard, a senior director at Websense, a San Diego, Calif.-based security vendor. "As more money gets made, the attacks get more sophisticated."

All this means that stakes are higher for individuals and for businesses whose systems suffer an attack. With a worm, they might have had to apply a patch or reinstall a PC. With financially motivated threats, victims could have sensitive corporate information or their identity stolen.

One fraud area seeing a rise in activity--and therefore, a likely lift in scam revenue--is phishing. These scams typically combine spam and fake Web pages that look like trusted sites to try to trick the victim into divulging sensitive information such as passwords or credit card numbers. The number of phishing e-mails tracked by IBM's Global Business Security Index reached an all-time high in May, the company said. It saw 9.14 million messages sent to its customers, up from a previous high of 7.7 million in January.

Credit card data sells for up to $100 per account, according to a report on the economy of phishing, released in June by San Francisco antispam provider Cloudmark. The price depends on how high the limit

is and how much supporting information is supplied, though--an account with little supporting information will go for much less. American Express cards fetch more, as those come without a preset spending limit, experts said.

Symantec has seen a clear change in the malicious code, such as Trojan horses, used in attacks. In the final six months of last year, 54 percent of the attack code was targeted at obtaining personal data. That is up from 36 percent in the same period in 2003.

"The motivation behind today's new e-mail-borne threats is far more sinister than traditional large-scale attacks."
--Mark Sunner, chief technology officer, MessageLabs

But as victims lose more money, consumers' defenses in general go up, Websense's Hubbard said. Many people now realize the importance of installing security software and patches, and technology to fight phishing, such as browser toolbars, is becoming increasingly popular. Also, Microsoft has said it will include phishing protection in Internet Explorer 7, a test version of which is due out this year.

MessageLabs, an e-mail security company, has also spotted the trend of targeted attacks--but this time, aimed at businesses. Last week, the company said it had stopped e-mail messages containing a malicious attachment that was sent to only 17 addresses at a global company. It appeared to be an attempt to gain access to the company's network.

"The motivation behind today's new e-mail-borne threats is far more sinister than traditional large-scale attacks," Mark Sunner, chief technology officer at MessageLabs, said.

Hackers are getting paid to create the malicious programs, which could then be used in industrial espionage or to collect sensitive company data.

In late May, Israeli police made 18 arrests in a case of industrial espionage using Trojan horses. The programs were designed to spy on computer systems and had been planted on the computers of some of the country's top companies.

Sneaky worms
The underground market means that programs that exploit security holes in software are worth too much these days to waste on an attention-grabbing worm. Such major outbreaks get detected soon, triggering mass patching by users and investigations by law enforcement agencies.

Instead, hackers are more likely to create a slow, stealthy attack that will get malicious software installed on many machines, said Steven Hofmeyr, the chief scientist at Sana Security.

"There is no real incentive to write those kinds of mass worms other than the graffiti incentive," Hofmeyr said.

The lure of money likely is not solely responsible for the lull in large worm outbreaks, experts said. After a string of worms in 2003 and Sasser last year, many people realized the importance of security software and patching their systems.

Also, Microsoft, whose software is often the target of worms, has been working to improve its act. Windows XP Service Pack 2, a large security-focused update for the desktop operating system, was released last year. On the server, Windows Server 2003 is deemed more secure than its predecessors.

"The world has become much more aware of malicious activity," Debby Fry Wilson, a director at Microsoft's Security Response Center, said.

In the future, intrusion prevention products could play a part in protecting systems against targeted security threats. Some tools look at the behavior of software and block suspect activity. Other products look more closely at the data leaving a corporate network and can block the transmission of credit card data, for example.

Attacks have changed, not vanished. Security companies and Internet users face increasing challenges to fight the sophisticated threats that often fly under the radar. With money as a spur, hackers are motivated to keep creating new attacks--and to keep one step ahead of the competition.

"I call it the chess game, where the bad guys have the white pieces and always get to go first," Gartner analyst John Pescatore said.