Sunday, July 5, 2009

Making Money with Your Own Stealthy Botnet - Part III

So, how can you use a stealthy botnet and milk your victims for all they're worth with the least likelihood of being detected? I've already discussed the vectors of modifying advertising in real-time and pay-per-installs, but what happens if you get more personal?

Sure, we've seen lots of FUD about identity theft and the role botnets play in propagating that threat. The problem with a lot of these "legacy" attacks is that they get noticed pretty quickly and, more importantly, banks and financial institutions have become much better at automatically detecting the money-transfer part of the fraud/theft. Bot-masters embarking down this fraud path have little imagination or grasp of the value of all the other information they could potentially be tapping on each victim host.

If I had a botnet of 50,000 victims and was contemplating a life of crime, an interesting and stealthy route to make money could lie in household profiling.

3. Household Profiling
Consider for a moment the value of an identity. For the last five years the financial/tradeable value of an "identity" has been on the decrease. For example, an "identity" (consisting of name, address, phone number, birth-date, credit card number, card expiry, CCV code and Social Security Number) can be picked up for as little as $0.20 in batches of a thousand, but can rise to as much as $100 if it also includes the victim's online banking credentials.

The problem though is that as soon as the accounts are tapped, the probability of the victim noticing, getting new credit cards, changing online banking details AND having the transaction voided is practically guaranteed - and there is a high likelihood that the victim will hunt out bot agents on their host - not to mention being hunted down by law enforcement.

So, instead of focusing on this "short gain" fraud, why not embrace the long term - building up a complete profile of the user/family. Most of this concept could be categorized as "spyware", but there could be some tweaks to make it more profitable to the botnet operator.

Let's look at some of the information that I think could be extracted from a family PC infected with a botnet agent capable of keylogging, screen-grabbing, man-in-the-browser, file scanning and encrypted C&C (which is basically every bot agent out there today...):
  1. Household Financial. Does the family have money to spend, and how do they manage their money? Every time a family member logs in to their online banking portal or receives an email, you could grab financial information such as:
    * Household monthly income
    * Total cash savings
    * Monthly spending patterns
    * Long-term savings and retirement plans
    * Stock-holdings and investment profile
  2. Bill Payments. Who supplies the household and how much are they spending? Monitoring online portals and scanning emails (or even VoIP traffic) it would be possible to uncover marketable profile information such as:
    * How much are they spending on utility bills?
    * Which stores do they regularly visit, what do they actually buy, and how much do they spend?
    * Are they up on their payments or behind?
    * Are they and the family in good health? Are they planning/saving for a major operation?
  3. Web Profiling. Remember that holy grail proposed throughout the 1990s of building up a full profile of the family by monitoring their network traffic? Well, it's all possible - but this time not inhibited by bothersome laws. Saleable information such as the following could be extracted:
    * Which sites do they visit, and how long do they spend on them?
    * What are they searching for or likely to purchase shortly?
    * What do their children and grandparents do? How old are they?
  4. Contact Extraction. By scanning through mailboxes (both locally stored and webmail) along with social networks, gaming and other portals, the bot agent could extract detailed contact information - which in turn can be used for profiling (or infecting) friends.
  5. Affiliations. The monitoring of web traffic and emails will likely also reveal less tangible affiliation information such as religion and social groups.
Now, imagine you can automatically extract, group and sort this information from 50,000 hosts (which for the sake of argument could encompass maybe 40,000 family units and a total of 100,000 personal identities) - how would you make money from it?

Several methods spring to mind:
  • Gray-channel marketing portals. Much of this personal information can be "washed" through the gray-market and be absorbed through a second-tier of marketing channels. While each record subset of information probably doesn't have much value by itself - probably only $0.50-2.00 per record and maybe $1-5 per family - it does have the advantage of being sold to multiple institutions as well as being offered as a "subscription" service. With that in mind, you'd probably be looking at earning something like $200+ per year (less expenses).
  • Targeted Profiled Sales. I've been told many times that it costs somewhere between $50-$200 to attract a new customer and entice them to move to a new utility/service provider. It would be relatively easy to provide profiles of households based upon existing utilities (and what their monthly bills are - along with history of payments) and sell them to competitors. I wouldn't be surprised if you could make $10-20 per "package" - and could net something in the region of $20k per month - by selling that info to commission-based utility sales reps. Sure, that's probably illegal and wouldn't be condoned by the Utility companies themselves, but I suspect quota-based sales would be a reliable vector. With that in mind, perhaps chopping out the middle-man and getting a job as the Utility sales rep directly may be more financially viable.
  • Just-in-time-sales. With sufficient effort, you could probably automate the identification of impending sales events. For example, the lease on the family car has just ended and they're now browsing the web for a 4-door convertible - or perhaps the family are just about to begin planning their summer/winter vacations. Extracting this information, passing it to a local dealer and taking a slice of the eventual sale price would be simple enough. It's probably not high value, but it is low risk.
  • Bulk Contact Sales. If all else fails, there's an existing market for email addresses and other bulk contact details. This type of info is trivial to extract and its source can be easily obfuscated. However, even with 50,000 bots (potentially yielding 1-2m contacts), you're probably only going to make a few thousand dollars per year.
All in all, I think you could maintain a healthy revenue stream from simple household profiling with a relatively low threshold of being detected (and subsequently being thrown in jail). Out of all the botnet revenue models discussed thus far this one would probably be most preferable... so far...