Risk Is Low And Business Is Booming In The Malware Market

Feb 21, 2014
Originally published on February 21, 2014 2:29 pm

Malware is malicious, bad software. It's the code that cybercriminals use to steal credit card numbers and bank accounts. And the big hack against Target showed how good these criminals are getting: They've built a thriving underground where credit cards go on sale before anyone even knows that a massive breach has happened.

On a recent day at a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist.

Pageler is not one of the cybercriminals. He's a former Secret Service agent who studied them and is now in the private sector, with a Bay Area company called DocuSign.

He takes me to the anonymous Tor network, to a website that requires a login. He doesn't want to reveal the name of the site because he doesn't want to tip off anyone. Being a trusted user on a criminal website takes work. It's a lot like eBay; you have to visit, buy and sell regularly, and get rated and reviewed by your peers.

"When they transact with you, no one's getting arrested, no one's getting burned," Pageler says. "So every time you make a transaction on the underground, you're just building your street cred."

Today, credit cards are on supersale. Pageler says that means a big breach just happened.

Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don't just look at credit limits; they do analytics to see, according to the data, what banks have the weakest security.

"For them, they'll know based on a bank ID number which bank it is, and where they're getting the best return on fraud," he says.

Pageler is showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: A list of 10,000 emails, customized by age, gender, region, goes for just $79. To make sure the emails work, there's a "cleaning price" of $48, Pageler says.

For another $50, I get malware called a key logger, which will latch into a victim's operating system and follow every keystroke in search of strings that look like bank logins and account numbers.

Payment is made with an account that's like PayPal, except it is Internet cash that's hard to trace, and the servers are overseas, so American police can't really subpoena records.

I need one more thing, called a botnet — a vast network of computers under the control of a single bot master. For this, Pageler hands me off to his colleague, botnet specialist Tom Brandl, who shows me options as cheap as $16. He makes a simple analogy to the drug trade: "These would actually be the guys on the street corners, collecting money and distributing the drugs."

The bots send out emails, and between 5 percent and 10 percent of recipients open the attachment, which lets the crooks in. The bots crawl around waiting for bank passwords. Then they can drain the money to the overseas account.

Millions upon millions of unsuspecting computers — maybe even yours and mine — are part of botnets, making it nearly impossible to find the real criminal.

"If I'm the bank, I go back and say, 'Hey, I saw this login from this address.' I go to check that address, and it belongs to a grandmother in Sioux Falls. Basically the trail is dead at that point," Brandl says.

Giovanni Vigna, a professor at the University of California, Santa Barbara, who studies cybercrime, says it's basically a crime without risk.

"If you look at the size of what gets stolen, there are wildly varying estimates — we talk about billions, and you think about how many actual convictions there have been. It's amazingly low," Vigna says.

The incentives to join the underground are amazingly high. With just a couple hundred bucks, I could drain enough accounts to make $500,000 and grab data to resell on the hidden websites.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

STEVE INSKEEP, HOST:

If your credit card information was recently stolen, the man we'll meet next might have seen it. He will be our guide on a trip to a criminal corner of the Internet.

DAVID GREENE, HOST:

People use malware, malicious software, to suck up credit card information or bank account numbers. Some of those numbers go up for sale, hawked in a hidden online marketplace before the rest of us even knew a mega breach happened.

INSKEEP: A man who found out how to visit such a marketplace took Aarti Shahani along for the ride.

AARTI SHAHANI, BYLINE: At a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping with a twist. We go to the anonymous Tor network, to a website that requires a login.

TOM PAGELER: I don't want to say the name, though.

SHAHANI: Okay. Pageler doesn't want to tip off anyone, because being a trusted user on a criminal website takes work. It's a lot like eBay; you've got to visit, buy and sell regularly and get rated and reviewed by your peers.

PAGELER: When they transact with you, no one's getting arrested, no one's getting burned. So every time you make a transaction on the underground, you're just building your street cred.

SHAHANI: Today, credit cards are on super sale. Pageler says that means a big breach just happened. I noticed something strange. Platinum credit cards are selling for less money than gold cards. Apparently people in the underground don't just look at credit limits. They do analytics to see, according to the data, which banks have the weakest security.

PAGELER: For them, they'll know based on bank ID number, which bank it is, and where they're getting the best return on fraud.

SHAHANI: Pageler is not actually a cyber-criminal. He's a former Secret Service agent who studied them and is now in the private sector, at DocuSign. Today he's showing me how a low-level operator would work this site. Say I wanted to launch an attack.

SHAHANI: Without any specialized coding skills, I could buy the package of services I need: a list of 10,000 emails, customized by age, gender, region; that goes for $79. And to make sure the emails work...

PAGELER: There's a cleaning price, which is $48.

SHAHANI: For another 50 bucks I get the malware I need to latch into a victim's operating system and follow every keystroke in search of strings that look like bank logins and account numbers. It has a funny name, key logger, like logging my keys.

PAGELER: Exactly. Like logging what you type.

SHAHANI: I pay with an account that's like PayPal, except it's Internet cash that's hard to trace back, and the servers are overseas so American police can't really subpoena records. I also need one more item, called a botnet, a vast network of computers under the control of a single bot master. Pageler hands me off to his colleague and botnet specialist Tom Brandl, who shows me options as cheap as $16. He also makes this simple analogy to the drug trade.

TOM BRANDL: These would actually be the guys on the street corners collecting money and distributing the drugs.

SHAHANI: The bots send out emails. About 5 to 10 percent of poor souls open the attachment, which lets the crooks in. The bots crawl around waiting for bank passwords. Then they can drain the money into the overseas account. Millions upon millions of unsuspecting computers, maybe even yours and mine, are part of botnets, making it nearly impossible to find the real criminal.

BRANDL: If I'm the bank, I go back and say, hey, I saw this login from this address. I go to check that address and it belongs to a grandmother in Sioux Falls. Basically the trail is dead at that point.

GIOVANNI VIGNA: This is crime without risk.

SHAHANI: Giovanni Vigna is a professor at the University of California Santa Barbara who studies cybercrime.

VIGNA: If you look at the size of what gets stolen, I mean there are wildly varying estimates. We're talking about billions, and you think about how many actual convictions there have been, it's amazingly low.

SHAHANI: The incentives to join the underground are amazingly high. With just a couple hundred bucks, I could drain enough accounts to make half a million dollars and grab data to resell on the hidden websites. For NPR News, I'm Aarti Shahani in San Francisco. Transcript provided by NPR, Copyright NPR.