by David Sancho (Trend Micro Research)
The modern cybercrime landscape has changed considerably from around a decade ago, when most criminals either built their own toolsets or hired other developers to create them. The skills and knowledge required meant that gifted programmers were often the ones who started these worldwide online attacks. Eventually, the people behind these attacks created peer-based communities where they shared and distributed attack tools and knowledge on how to operate them. These evolved into marketplaces where other criminals could purchase very advanced tools and use them to launch more dangerous attacks.
These marketplaces still exist today in the form of dedicated websites or online forums. While the developers of these tools know perfectly well how their products are being used, they commonly try to dodge responsibility by placing the onus on the buyer, who is supposed to be solely responsible for the way the software is used. In this case, though, these developers only sell their wares on criminal forums, where there is little doubt regarding their usage.
This article details how these underground vendors peddle their products, as well as the sales tactics they use, with a focus on their similarities with the way legitimate software is sold and marketed.
Underground marketplaces offer a variety of products to cybercriminals. While not all of these software suites are marketed for malicious purposes, most of them have potential criminal uses while others are undeniably malicious in nature.
These tools can be categorized into the following:
Contrary to the popular notion of the underground being a chaotic place where potential buyers have to go through hoops to purchase their tools, many underground software vendors present their products in a very professional manner. In fact, modern underground software sales pitches often resemble how legitimate software is marketed — from variable pricing and bulk discounts to aftersales support.
These are the most prominent features we have observed:
The examples above demonstrate that developers of software often sold on the criminal underground are not disorganized individuals that resort to “shady back-alley deals.” In fact, many of them present their wares in a manner that is similar to the way mainstream software makers reach out to their audience.
It is also important to make a distinction between regular cybercriminals and these developers. Cybercriminal operations are 100% illegal and usually entail much more than just software development. Criminals have more complex operations (including money laundering and trojan distribution) and typically, higher revenue. In contrast, these developers are usually one-man shops that make their money by selling the software they write themselves. In order to stay in business, they need to market themselves well to other cybercriminal parties.
While these developers aren’t the ones directly performing the attacks, in many respects, what they do is just as reprehensible, to the point where they can be considered just as criminally culpable. On top of this, they are well aware of what they do and their strong links with the criminal underground make this crystal clear. As long as there is money to be made from the sale of these tools, we can expect these developers to stay around.