It's not news that cybercrime is big business. Here's a telling statistic from a presentation by Lance Wolrab, senior security engineer with SecureWorks, at the SC Congress Data Security Conference and Expo on Wednesday: Bank robberies netted about $40 million worldwide last year. The Zeus group of malware alone raked in nearly $100 million.
What I hadn't realized is that cybercrime has matured to the point where it mimics the structure of Big Business. There are services online that amount to cybercrime ERP.
“Does anyone remember the early days of hacking? You actually had to know something,” Wolrab said. Now, not so much. PayPerInstall.org will deliver your virus on a per-machine basis (supply chain management and distribution). Virus Total will test your malware against 41 antivirus engines (QA). There are malware tech support sites with manuals, translation services, even referrals to hosts (the site even has weekly specials). One site features case studies and examples of what “affiliates” can expect to earn. You can rent a botnet for a certain window of time, just like a retailer might scale out its cloud services for the busy holiday season.
The one that floored me, though, was the MyLoader Botnet, which offers a reporting dashboard to monitor how many machines are infected and how much money your botnet is making you. It's business intelligence for cybercrooks.
The kicker: “Generally, it's not illegal,” according to Wolrab.
We are so far behind the curve legally that it's frightening.