The making of a cybercrime market

Sean Martin

I recently had the opportunity to speak with two representatives from the Netherlands-based security research firm Fox-IT--Maurits Lucas, InTELL Business Director, and Andy Chandler, VP of WW Sales & Marketing. Collectively, the two shared an in-depth story of cybergang warfare suitable for Hollywood.

As the events unfolded through their words, I quickly began to see into the business minds of the cybercriminals they described. Even more interesting to me was that a cyberbusiness was actually being created and an entirely new market was being defined. This piece provides a glimpse into how the cybercriminals used business best practices to rake in the cash.

The start-up
Our business case begins in 2006 and is rooted in technology. On the surface, this business case could sound like any other presented by one of the top universities, where the subject business is created from a well-balanced mix of supply & demand, driven by revenue, enabled by innovation, and rife with competition. However, this story isn't about your traditional mainstream commercial business. Instead, it is one of a lucrative underground cybercrime business.

Commercializing the POC
The proof of concept (POC) for the new business began with the creation, introduction, and successful use of a man-in-the-browser (MitB) malware kit that formed a botnet specifically targeting financial institutions. Victims were typically companies or wealthy individuals with large amounts of cash periodically available in their bank accounts--for example, funds transferred to a specific account to pay the wages of their employees.

The malware itself was designed to first attach itself to the host browser, allowing it to modify any Web page before the page was rendered to the user. Once hooked into the browser, the malware would insert additional code (a botnet) into the banking website page(s) the user visited.

This isn't the scary stuff, however. The real payload comes when the botnet uses its newly formed connection to the banking systems on the other side of the browser as a channel for the real attack--the insertion of monetary transaction code that essentially creates a digital money mule.

Zbot, now publicly referred to as ZeuS, was the first appearance of such a malicious botnet, complete with phone-home and command & control service management. Its creator, known on underground channels as Slavik, sold the industry's original malware kit on the cyber underground for a going rate of $8K. Slavik's proof-of-concept turned out to work extremely well; he made a lot of money and some of his customers made even more money by launching some serious online banking attacks using the malware kit he created and sold.

As the new market grew, the question for the business eventually became one of scale, margins--and greed.
