Computers, Networks and Theft
by Yury Mashevsky - Virus Analyst, Kaspersky Lab - Friday, 20 October 2006.
However, cyber criminals aren’t only interested in credit card information. They are also interested in the email addresses stored on victim machines. How are these addresses stolen? Here, a crucial role is played by malicious programs which Kaspersky Lab classifies as SpamTools. These programs scan victim machines for email addresses, and the addresses harvested can be instantly filtered according to predefined criteria, e.g. the program can be configured to ignore addresses which clearly belong to antivirus companies. The harvested addresses are then sent to the author/user of the malicious program.

There are other ways of planting Trojans on user computers, some of which are extremely brazen. There are cases where cyber criminals offered to pay website owners for loading malicious programs onto the machines of users who visited their websites. One example of this is the website: it offered webmasters a “partner program” that involved putting exploits on their websites so that malicious programs would be downloaded to the machines of those who viewed the sites. (Of course, this was done without the users’ knowledge). These “partners” were offered $61 per 1,000 infections.

Dealing in Stolen Goods

Unquestionably, the main motivation for stealing data is the desire to make money. Ultimately, all the information stolen is either sold or directly used to access accounts and get funds in this way. But who needs credit card data and email addresses?

The actual data theft is only the first step. Following this, cyber criminals either need to withdraw money from the account or sell the information obtained. If an attack yields details which are used to access an online banking system or an e-payment system, the money can be obtained in a variety of ways: via a chain of electronic exchange offices that change one e-currency (i.e. money from one payment system) into another, using similar services offered by other cyber criminals, or buying goods in online stores.

In many cases, legalizing or laundering the stolen money is the most dangerous stage of the whole affair for the cyber criminals, as they will be required to provide some sort of identifying information, e.g. a delivery address for goods, an account number, etc. To address this problem, cyber criminals use individuals who are called “money mules”, or “drops” in Russian cyber criminal jargon. “Drops” are used for routine work in order to avoid exposure, e.g. for receiving money or goods. The “drops” themselves are often unaware of the purposes for which they are used. They are often hired by supposedly international companies via job-search websites. A “drop” may even have a signed, stamped contract which appears perfectly legal. However, if a “drop” is detained and questioned by law-enforcement agencies, s/he is usually unable to provide any meaningful information about his/her employer. The contracts and bank details always turn out to be fake, as do the corporate websites with the postal addresses and telephone numbers used to contact the “drops”.

Now that the cybercrime business has matured, cyber criminals no longer have to look for “drops” themselves. They are supplied by people known as “drop handlers” in Russian cyber criminal jargon. Of course, each link in the chain takes a certain percentage for services rendered. However, cyber criminals believe that the additional security is worth the cost, especially as they haven’t had to earn the money themselves.

As for stolen email addresses, they can be sold for substantial amounts of money to spammers, who will then use them for future mass mailings.
