The criminals behind adware and click-fraud malware are looking to significantly increase the profits they generate from these programs.
Instead of only making money by bombarding people with ads or directing a person’s computer to silently click on ads, attackers have realized that selling access to infected machines on the black market is a far more lucrative venture.
“It’s really about monetization models,” said Cybereason CISO Israel Barak during an interview with CSO Online at Black Hat, adding that the people behind these operations have honed their “ability to launch targeted operations based on most commodity malware.”
While a machine infected with adware or click-fraud malware will generate a profit of $10 to $20 over its lifetime, attackers can sell “interesting machines” on the black market for anywhere between $10 and $1,000 per machine, said Barak, who delivered a talk at Black Hat on this topic.
Several factors determine how much a machine will sell for, Barak explained. Basic machines will sell for $8 and those with administrator privileges will fetch a slightly higher price of $9 to $10. Computers with a public IP address allowing anyone to access it without using a virtual private network or proxy will increase that price by a dollar or two, he added.
Machines with interesting programs installed, like point-of-sale software, will raise the price between 50 percent and 100 percent. But computers affiliated with corporations will command the highest price. “It’s going to jump the price between 500 percent and 1,000 percent,” Barak said.
Another factor that influences the asset’s selling price: the industry it’s associated with, especially if the vertical involves financial services. Those machines have a starting price of $1,000 and can cost as much as $5,000 or $6,000.
“[The sellers] wouldn’t tell you in advance what made them price the machine at $6,000 instead of $1,000. But their reputation is behind the sale. If [you’re] scammed, they’re not going to be able to sell anything else,” Barak said, noting that people take to social media to discuss their buying experiences.
To compromise servers, attackers typically exploit weaknesses in those systems. Endpoint infiltration usually occurs through a piece of commodity malware, like adware, that a user unknowingly downloaded. In a case observed by Cybereason, after realizing that a basic adware program had landed in a high-value corporate environment, attackers upgraded the software with components usually found in malware, making the program much more malicious.
“The organizations that run these tools decide that after they’ve classified that machine, it’s worth some money on the black market so instead of just operating it as an adware machine, they sell it,” Barak said.