The recent arrest of a 27-year-old Russian-Armenian botnet operator, the third “retirement” of the Russian programmer who wrote ZeuS, and the $873 million judgment awarded to Facebook against a Montreal spammer, are helping to further clarify the elusive profile of today’s modern email scammer.
According to recent reports, the Russian-Armenian Georg Avanesov operated a network of hacked computers around the world. The computers were infected with Bredolab, a malicious software application that would send spam, attack websites and open up avenues for other criminals to access and steal from online bank accounts. Unlike early spammers of the past who simply sent unsolicited advertisements, Avanesov actually leased and sold portions of his botnet to other cybercriminals, collecting an estimated $140,000 a month as a reseller to other cybercriminals.
The ZeuS programmer followed his first two retirements in 2007 and 2008 with another retirement announcement this year. Like Avanesov, the programmer sold the malware toolkit to organized crime gangs, who would turn around and target companies, banks, towns and people. Experts estimate that the malware has stolen more than $100 million this year from organizations and individuals, and they also believe that the programmer’s retirement is just a ruse, as he likely has something new on the horizon, and will also continue to update and provide support for his customers.
Finally, Canadian Adam Guerbuez has garnered significant notoriety as the convicted spammer who used phishing attacks to steal passwords and a botnet to hack computers in order to gain access to Facebook accounts. The Quebec Superior Court upheld a previous ruling by the U.S. court system that ordered Guerbuez to pay Facebook $873 million. A self proclaimed Internet marketer, Guerbuez was found guilty of sending more than 4 million spam messages through Facebook.
Building a Profile
In addition to being smart and technologically savvy, modern scammers have a disregard for the law and the risks associated with their criminal activity. Guerbuez, for example, told thestar.com[i] that Facebook will not likely see a dime of the settlement, noting his recent bankruptcy. He now flaunts his infamy peddling media opportunities and hyping his pending book deal. As noted in the ZeuS and Avanesov cases, not all scammers are looking for notoriety; most are simply trying to make money.
It’s All Business
The story of these modern day spammers plays out a little like the combination of the Hollywood films “Catch Me If You Can” and “Bourne Identity.” As detailed in the cases above, the scammers operate their criminal activities as if it were a business, driven by money and the “commercialization” of his/her products and services, which just so happen to be botnets, crimeware-as-a-service, malware toolkits and spam. Given their business models, they are constantly looking for ways to bypass their prospective victims’ email filtering technology and other security measures. To keep up with those trying to stop them, the scammers have to continue to release regular updates and provide customers with ongoing support. They are as interested in protecting their products and services as their victims are with protecting their identities and information.
Now You See Me…
Finding the malware devlopers and botnet suppliers has proven difficult, while those that rent the botnets and use the malware have been leaving trails that lead to arrests; as in the case of Avanesov Guerbuez. Finding criminals like the ZeuS programmer and Avanesov can be compared to trying to unwind a spider web to find the starting point. They will continue to hide behind their networks, using sophisticated methods to conceal their identity. One investigator who helped in the capture of Avanesov suggested that botnet managers employ upwards of 20 measures to protect their anonymity. Capturing malware makers who simply sell their code to other criminals may be even more difficult to track down. When asked recently about the ZeuS programmer, Don Jackson, director of threat intelligence at SecureWorks, told Reuters, “Once he attracts a lot of attention, he goes underground.”[ii]
The barrier to entry for spammers will likely continue to shrink as crimeware developers and botnet operators become more sophisticated in their methods and technologies. With developers selling their malware toolkits and botnet operators leasing the networks of hacked computers, it has never been easier to become a spammer. The majority of the work has already been done for the modern cybercriminal, which means we are likely to see further growth in spam, phishing attacks and virus outbreaks. So when it comes to creating an accurate profile of the modern day scammer, it may get harder to do because the list of possible suspects just went up… again.