Hackers Feel the Heat, Look for New Revenue Streams

As 100+ New York and New Jersey area mobsters learned recently, “You can run, but you can’t hide.” Does the same apply to hacking?

Part 10 in a Series on Cybercrime

It seems it might. In an attempt to throw hackers off their game, the security community has adopted a proactive approach: anticipating attack campaigns and techniques and adapting quickly to changes in the “threat-scape.” And guess what happened? Hackers are feeling the heat.

The Unearthing of Cyber-Criminal Groups

In the past few months we have seen a surge in the uncovering of cyber-criminal groups. These are not single-shot, lucky hits by the feds. Rather, they are the culmination of lengthy investigations, at times carried out in collaboration with law enforcement agencies worldwide.

Take, for example, the arrest of Zeus botnet ring members at the end of September. In an international effort, 11 people were arrested in the UK; a couple of days later, 60 people were arrested in the U.S. One of the techniques used by the security researchers who investigated the group was to infiltrate the hackers’ C&C servers.

But the Zeus ring was not the only one to be caught. That same month, Facebook declared that the authors of the Koobface worm were close to capture. And as October ended, the mastermind behind the Bredolab botnet was arrested.

Even when no specific individuals were being sought, the security industry did not rest, and the attackers’ weapons and delivery vehicles took damage. ISPs pulled the plug on the C&C servers of the infamous Pushdo botnet, while other security researchers searched for ways to hijack Zeus’ C&C channels.

Feeling the Heat, Hackers Look for New Revenue Streams

Inventing new ways to bring in revenue is a trend not only because it makes business sense, but also because it insulates hackers in the event that one component of the business is exposed to law enforcement. It is a simple principle: diversify your portfolio. And we are seeing numerous examples of this.

For example, we witnessed the Avalanche phishing group changing tactics. The group was notorious as the most prolific phishing operation, yet once they realized where the real money was, they started distributing man-in-the-browser Trojans instead. In October they completed this two-year-long shift.

Hacktivists provide yet another example. The Iranian Cyber Army (ICA) was also looking for other sources of revenue. The group is infamous for politically motivated attacks; last year, for example, it hijacked Twitter and Baidu, China’s most widely used search engine. Yet, as 2010 rolled to an end, the security industry became aware that the ICA was advertising its bots for rent. The ICA, it seems, asked itself why it shouldn’t make some extra money on the side when the infrastructure is already in place.

Hackers and Competitive Pressure

As the hacker industry grows, competition becomes fiercer. While the market for toolkits flourishes, hackers are taking a lesson from the corporate world: features are added, products are enhanced, and customers’ opinions count. For example, the developers of one DDoS attack tool have taken customer support to a new level. They take pride in offering real software support for their DDoS system, complete with a separate help-ticketing system!

Black Market Support

Business practices also change in the course of competition. Take the two banking Trojans, SpyEye and Zeus, both of which aim to take control of a victim’s machine. As the rules of competition go, the SpyEye installer even offers a “Kill Zeus” option: if that bit is set, the installer first checks whether any installation of the Zeus Trojan is present and uninstalls it before installing SpyEye. Interestingly, the two sides then seem to have changed course. Towards the end of October, the developers of the SpyEye and Zeus bot code showed signs of an upcoming merger.

The Trend: The Wal-Mart of Cybercrime

Security researchers will continue to look into hacker operations and unearth the less diligent criminals. In general, the hacker industry will react by investing more resources in attack techniques and detection evasion. In fact, one variant of Zeus put in place a “hacker honeypot” in order to foil researchers attempting to track the criminals’ activities.

The hackers that cannot step up their game will go out of business. Other cybercriminal organizations will buy out rival groups or merge operations with them. This leads to the second change: the currently powerful cybercrime organizations will consolidate their power and grow. After all, antitrust laws don’t apply to them.

Coming Up Next – Valentine’s Day, Do Hackers Have Hearts?

It will be interesting to follow the “threat-scape” as hackers evolve and attempt to counter proactive security approaches. Taking a further look into the hacker industry, we have already established that hackers lack morals. The follow-up question, though, is whether hackers even have feelings. Stay tuned for the exclusive Valentine’s Day column!
