Language: English
11-20, 10:00–10:50 (Canada/Eastern), Hackfest - Track 1
Botnets and DDoS, these words are never too far apart. However, DDoS is just the tip of the iceberg for what botnets are actually used for in the cybercrime community. Money talks - and botnets are the supply side of cybercrime that drive multiple different campaigns like phishing, exploit kit delivery, adware and banking trojans.
This talk uncovers the complex structure of cybercrime and how most criminal campaigns are linked to botnets as their supply and delivery mechanism. We will explore the economy of cybercrime and calculate in figures the amount of money renting a botnet or building a botnet can profit cybercriminals. You will learn exactly how and what botnets are used for outside DDOS and you will walk away understanding how phishing/spam emails or banking trojans link back to botnets. Afterall, how can you protect against criminals without understanding them?
Finally, I will present my Crime Economy map which I’ve designed that maps out the hierarchy and the revenue streams derived from hiring botnets to run coordinated campaigns. This aims to assist blue teams have a better understanding about the criminals they’re protecting against.
Introduction: What’s a botnet got to do with it?
This section unmasks botnets as the supply side of cybercrime, designed to send spam, drive information theft, deliver espionage, banking trojans, host malicious content and drive revenue from click-fraud and adware installs.
Why Botnets?
We uncover the evolution of botnets from the 2000s Earthlink spammer, the 2016 Avalanche takedown used to deliver Zeus, Citadel and Vawtrak banking trojans and the 2018 3ve botnet designed to make money off click-fraud all the way to 2021.
Why does evolution matter?
Two key words: fast flux. We explore how the advent of fast flux botnets introduced by Storm in 2007 has resulted in an escalation of campaigns run by syndicates using these malicious bots. This section has examples of websites found hosted on fast flux infrastructure.
Affiliate Programs
We talk about the affiliate programs as the underpinning economic structure of syndicates and the average revenue stream made by spammers and phishers who have rented out botnet infrastructure.
Understanding the Crime Syndicate
Remember Tony Montana from Scarface? The boss rarely gets his hands dirty. This section will highlight the crime syndicate structure and how they have organised departments. This will contain screenshots of dark web forums of some key threat actors including Nikolay group and The Dark Overlord as well as demonstrate how advances in services such as traffic distribution system has resulted in an escalation of more coordinated crime and revenue.
Money Talks
This section I break down the average revenue generated from organised crime syndicates per month. Please note, this is not designed to encourage cybercrime ;)
Takeaway
I’ll be showing the economics of cybercrime in a PDF that maps out the hierarchy and the revenue streams derived from hiring botnets to run coordinated campaigns. This was designed to give Blue teams a better understanding of the criminals they’re protecting against and highlighting how a ‘phishing’ email is rarely just a ‘phishing email’ and blocking an IP at the firewall, is a rudimentary protection against a larger infrastructure.
Key Takeaways:
• Learn about what botnets are used for outside of DDOS and the complex revenue structure behind botnets delivering banking trojans, phishing campaigns, spam and ad-fraud
• Learn about the syndicate structure of cyber crime - how it is structured, how crime is organised and how much revenue is derived from running or renting a botnet
• Learn about how different botnet structures compare in the cyber world - i.e. IOT botnets vs conventional host-based botnets
Lina Lau @inversecos is a Principal Incident Response Consultant at Secureworks, prior to this she was the Australia & New Zealand Threat Hunting and Incident Response lead at Accenture Security. Her primary interests lie in malware analysis and botnets.