Exposing the Money Behind Malware

Post on 19-Jan-2015

description

This presentation discusses how money has become the leading motivator for cybercriminals to spread malware. From social media to SEO, malware is spreading at a faster rate every year. Learn more and find out what you can do to protect yourself and your data. For more on the Money Behind Malware, visit: http://bit.ly/VnDhv4

Transcript of Exposing the Money Behind Malware

Exposing the money behind the malware

October 2012

Chester Wisniewski

Who am I?

• Hacker
• Speaker
• Researcher

A guy with a really cool job

Social network spam

Social network spam trends

of social networking users report being hit by spam via these services

That’s an increase of 20.3% from a year ago.

Social networking malware

Koobface

What is it capable of?

• Steal software keys
• Upload stored passwords
• Web server/DNS proxy
• Search hijacking (PPC)
• CAPTCHA busting
• Fake AV
• Social network spam bot

How do we get infected?

Zbot/Zeus in the news

Law enforcement crackdown, widely decentralized and international in nature

Image courtesy of krebsonsecurity.com

SEO – How they do it

SEO leads to social engineering

What’s driving these activities?

Brought to you by Партнерка [partnyo'rka]

Pharma hosting

195.95.155.13 (AS2118) MoskvaCom Ltd, RU

Google search for pharma #s

Average sale = $140-180 USD

Map of people buying Rx

Spamit/GlavMed/GlavTorg

Chronopay

Mac fake anti-virus industry revealed

Pharma affiliate profitability

Date  Orders
01    30
02    74
03    216
04    193
05    231
06    191
07    189
08    78
09    99
10    128
11    52
12    7

Average sales/day: 124

This affiliate used 66 unique domains referencing his affiliate ID

• 124 orders per day
• Average sale = $160
• 40% commission

124 * $160 = $19840; $19840 * 40% = $7936/day

Pharma partnyo'rka profitability

Image courtesy of krebsonsecurity.com

Fake anti-virus by the numbers

TopSale2.ru

Fake anti-virus top affiliates

Some more successful than others

Affiliate ID  Affiliate Username  Account Balance (USD)
4928          nenastniy           $158,568.86
56            krab                $105,955.76
2             rstwm               $95,021.16
4748          newforis            $93,260.64
5016          slyers              $85,220.22
3684          ultra               $82,174.54
3750          cosma2k             $78,824.88
5050          dp322               $75,631.26
3886          iamthevip           $61,552.63
4048          dp32                $58,160.20

Courtesy of Secureworks.com

Ransomware

Complete Security

Email, Data, Endpoint, Mobile, Web, Network

[Diagram labels: Reduce attack surface; Protect everywhere; Stop attacks and breaches; Keep people working; URL Filtering; Web Application Firewall; Anti-spam; Patch Manager; Application Control; Encryption; Device Control; Endpoint Web Protection; Mobile Control; Secure branch offices; Encryption for cloud; Live Protection; Mobile app security; Firewall; Email encryption; Virtualization; Access control; Intrusion prevention; Anti-malware; User education; Data Control; Clean up; Automation; Visibility; Local self-help; WiFi security; Technical support]

Why you’re safer in our world

• Complete security that works better together
• Defense in depth you can actually deploy

You’ll also see the benefits of consolidating your security vendors:

• Consolidated licensing costs
• One trusted partner for support

You’ll get better threat and data protection more simply, and more cost effectively

Complete Security Without Complexity

Active Protection

Contact me

• @chetwisniewski on Twitter
• chesterw@sophos.com
• App.net/chester
• Chester Wisniewski on G+

Latest News: http://nakedsecurity.sophos.com

Podcasts: http://podcasts.sophos.com

Security Hub: http://www.sophos.com/security

Staying ahead of the curve

US and Canada 1-866-866-2802

NASales@sophos.com

UK and Worldwide + 44 1235 55 9933

Sales@sophos.com

http://www.sophos.com/en-us/security-news-trends/security-trends/money-behind-malware-threats.aspx