Well it looks like the recession, combined with how easy it is to plant malware, have driven down the price of botnets to record lows. Prices are dipping below $100 per day, according to this Network World article "With botnets everywhere, DDoS attack get cheaper":
"Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims' servers with unwanted information. Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.
DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline"
"And DDoS attacks aren't the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. "Prices are dropping on almost everything," he said."
It sounds like a case of supply and demand. Spear phishing emails have become more sophisticated at planting Trojans on PCs and cyber crime is now integrated into complex criminal activity, so it could be that botnets are not needed as much these days.
Brian Krebs describes an attack on a church where the church treasurer's PC was knocked out with a virus as the criminals wired money from the church account to accounts of work-from-home "money mules", who then transfer the money abroad:
"Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys."
It's clear that a lot of thought is going into cyber crime. We don't appear to be winning the battle.
Spear phishing, hand SPAM would all be virtually eliminated by DNSSEC, cutting off email as an attack vector and detecting redirection to malicious web sites. Until we have broad adoption of DNSSEC this type of fraud will continue to grow.
Comments