Digital Identity Blog

For Rent: 500 Malware Networks. Great Locations. Close to Shopping and Banks.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Rent your own malware network. No money down. Just pay per install (PPI). Mathew J. Schwartz's piece says that a host of online attacks in 2012 will come from malware delivery networks. Called malnets, they are rented out to cybercriminals to infect PCs. "Renters" pay per install, that is, by the number of successful downloads or infections the network delivers.

A malnet is measured by how many hosts, servers, and sites participate in getting the user from "the bait" to "the payload." The bait could be something along the lines of: "Click here for the most amazing video you've ever seen." Clicking, of course, takes the user to the "payload," i.e., the malware. Once infected, the victim's device becomes part of a botnet, for which there is also a big rental market.

In the article, researcher Chris Larsen comments, “It takes a lot of infrastructure to run a large-scale spam attack, or poison search engines and get results in the top page, to coordinate hacked sites that are hosting parts of your attack.”

Schwartz says, “[S]potting malnets remains difficult, given the speed with which malnet operators can… vary malware payloads and websites used, to fool some types of security tools. Furthermore, many types of low-cost but high-impact infection techniques rely on social engineering attacks, which remain quite difficult to stop.”

One study showed that in 2011, "the principal ways that attackers lured users to malnets was via search engine results (40%), spam or phishing emails (12%), social networking attacks (6%), and pornography (4%), the last by way of disguising malware as an adult movie made available free for download."

The prevalence of search engine poisoning, that is, tricking search engines into including links to sites that host phishing attacks, advertisements for off-brand pharmaceuticals, or drive-by downloads of malware, has been growing in 2012. While Google and Bing are relatively good at blocking these attacks, other search engines, especially outside the United States, have proven more vulnerable.

So, how do you keep a malnet from turning your network into a botnet? One approach is to counter the social engineering itself. Larsen says, "I've yet to meet a user who understands that going to Google or Bing and searching for anything can be dangerous." Best estimates are that there is a ten percent probability that one of the top ten or twenty search engine results will lead to malware. Another fix that is easy to implement is blocking employee access to known-bad websites.
