Cyber Crime: The Rise of The Robots
Money Makes Me Compute
SV: The figures that affiliates can make seem staggering but it doesn’t seem logical. How can they make this much with just a few pop-up banners?

Dave: You’re right. If you receive less than 10 cents for redirection in an affiliate scheme, then you need to install a lot of links to make a good income. The best way to do this is to automate the process so that thousands of links can be set up, just as millions of spam e-mails typically are needed to generate any significant response.

SV: How do they circumvent ISPs shutting them down for spamming?

Dave: Activity on this scale tends to attract attention from crime fighters. So it is best performed on other people’s systems. The robot network, or botnet, is a scattered group of computers that have been infected with software that makes them act as slaves. In particular, they can be commanded to send out spam e-mails, as in the phishing emails with messages such as: ‘We regret to inform you that your credit card has been de-activated in response to suspicious activity. Please click here to re-activate it.’ to attract the recipient to reveal personal data.

SV: How can companies deal with the botnet issue?

Dave: Early botnets were easily dealt with because they were controlled by a central server that sent out instructions that could be traced back to it. But today, the servers use fast-flux Domain Name System (DNS) techniques to constantly change their location and names, making them difficult to locate and shut down. In addition, security researchers who try to find the control servers are likely to be hit by DDoS attacks against their systems. Typical DDoS (distributed denial of service) attacks involve flooding an Internet service with so much traffic that it ceases to function. DDoS can be used as a threat to critical services to force the provider to pay rather than lose business, or it can be used as a weapon in cyber warfare against rival gangs, or against security workers as in this example.
SV: So to make a lot of money as an affiliate, people need to get a botnet to perform some spamming and defend themselves from security researchers. How easy is this to do?

Dave: Relatively easy. In March 2009 a research team from the BBC paid for a botnet consisting of 22,000 infected PCs. According to them “Computers from the US and the UK go for about $350 to $400 per 1,000 nodes because they’ve got much more financial details, like online banking passwords and credit cards details.” As a test they were able to use the botnet to flood their Gmail account with spam, and they also did a test DDoS attack against a facility owned by a security company who agreed to the experiment.

SV: How are botnets created?

Dave: The Storm botnet was created in 2007, beginning with spam e-mails with fake news headings like "230 dead as storm batters Europe." People who clicked the link to get the full story had malware downloaded into their PC. The network grew to include some 5 million PCs and is continuing to evolve as it is maintained to get round each new defense that is created.

SV: And you can buy parts of this botnet and other malware?

Dave: The malware software market is now so mature that it runs just like the legal software market. Anti-detection vendors sell services to malware and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit cards. One example was last year’s 'Gozi Trojan' for sale as a service from a company who bought it from a group of Russian hackers. The Trojan server was hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations. As well as off-the-peg products, malware can be tailored to individual clients, while vendors offer support services, often bundling anti-detection.
One Trojan written by hacker Havalito is advertised as being undetectable, with the “guarantee” that if it does get detected, it will be replaced with an updated version.

References
SV Videocast: Cybercrime 2009



