Grey market entrepreneurs turn trojans into profit

A small gang of men living St. Petersburg, Russia, managed to elude law officials, Facebook and computer security firms for years. They operated Koobface, an infamous worm named after a play on Facebook which spread like wildfire on the social network.

Security outfit Sophos has an excellent investigation revealing the mistakes the men made, which is available to read here. But what Koobface really demonstrated is the link between those irritating spam posts you wish your friends wouldn’t fall for. Everyone know the sort: posts with names like “How can a girl be this sexy???” and “SHOCKING survivor story” which look almost real, but actually redirect the user and help to spread the virus. 

The Koobface gang even stole real information from real people on dating websites and pieced it together into Facebook profiles which looked real. Captchas were no problem – you can hire companies in China which will provide you with 1,000 of them solved for just a dollar. 

Koobface is a fascinating bit of malware. It made money for the Koobface gang in two ways. First, it played on the gullible by redirecting them to scareware which appeared semi-legitimate. Less tech-savvy users would then download a bogus program that did nothing but remove a virus which never really existed – paying roughly $60 for the privilege. 

Second, Koobface had its roots entrenched in the Russian pornography industry. Affiliates are an easy money spinner if you’re prepared to leave any moral scruples at the door. The Koobface gang would make profits from porn sign-ups and adverts ran by agencies that will claim ignorance. 

Koobface’s legacy highlights the far-reaching and enormously profitable black market on the web, though a security analyst, who does not wish to be named, says calling it that isn’t entirely accurate. But he does agree that we are talking about at least a billion dollar industry.

It’s not technically a black market, our analyst says, because often the perpetrators are aware that the countries they operate in don’t have the cyber laws in place that give authorities the powers to bring them down.

Dirk Kollberg, a lead investigator in the Sophos report, explains the link to Russia’s porn industry and web attacks clearly: “What we know is porn is a good way to make money, proven over the internet for years. So there are people in Russia who think it might be interesting for them to take it as a main source of income. If they want to boost their income, they might want to use some trojans to get more people on their site…”

Along with the porn link, there was the scareware. When users sign up for the “service” and pay the rate for the fake antivirus, the affiliate gets 40 or 50 percent depending on how much money they generate, Kollberg tells us. “There are other people just making money getting customers to the pages,” he continues, and it’s not just about Facebook. “You might get redirected while searching for something on Google Images – looking for pictures of nice cars, for examples – and you might get redirected to a blog. And if you sign up to where that blog redirects you, Koobface gets the money.”

Steve Jobs once said: “It is hard to think that a $2 billion company with 4,300-plus people couldn’t compete with six people in blue jeans.” 

But that is the way cyber crime can work. Sophos’ previous investigation was with a group calling itself InnovativeMarketing, based in the Ukraine, one of the biggest ever scareware vendors on the web. “They focus on creating the software and creating fake websites,” Kollberg says, “fooling ISPs into hosting their sites, and then also providing tech support for their users. Those people would tell them it’s not scareware and they’re fine. They had call centres in Germany, France, Switzerland, Denmark, Dallas and two call centres in India.” 

Providing their own infrastructure, using clever but morally bankrupt social engineering and tools available in the grey market, InnovativeMarketing brought in $180 million in revenues in 2008 alone. 

Kollberg says that the scene is “very modular” now. “You just put the stuff in that you need: Look at the Zbot trojan. Someone buys the software, configures it for its own need, then puts it somewhere on the web.” 

Brazen grey-market entrepreneurs have never had it easier. “If you want to distribute the trojan, to thousands of people,” says Kollberg, “you can just rent a botnet.”