Hackers, business, botnets, spam, money, Lovet, Fortinet, Assises de la sécurité, mpack

Hacking business

In a talk delivered to the CSOs attending the 2007 edition of the Assises de la Sécurité in Monaco, Fortinet's Guillaume Lovet gave a glimpse into the hacking business. From carding to botnets, from coders to drops, follow the money trail.

Wearing the mandatory black hat, Guillaume Lovet, resident cybercrime expert at Fortinet, introduced the audience to the darknet, that place where your credit card number or even your identity, amongst thousands of others, might sell for cheap. Lovet first introduced the players in that scene, starting from the coders at the top of the food chain. Those are the ones with the skills. They use them to pump out exploit code to abuse the latest vulnerability or to create the next hacking kit. They might make from a few hundred dollars a month to a few thousand selling their wares (the well-known MPack hacking kit sells for around $700, for example, and then there are options available to ensure it will stay undetected by the major anti-virus products for a certain amount of time).

The Who's Who of cybercrime

Then there is an army of what Lovet called "kids" out there, who hang out on IRC channels and spend most of their time buying and selling "stuff" (and bragging a lot, hence the name...). Those do not create much, but they form a real ecosystem of their own. They usually scam each other on a regular basis as they trade lists of stolen credit card numbers (80% of which are fake, according to Guillaume Lovet), hacked banking accounts and other supporting services (like mailers ready to spit out spam, etc.).

Then drops account for the third species in Lovet's bestiary. They are the ones - usually living in a country with no cybercrime laws - who agree to receive stolen goods or money and launder them for a fee. They get to keep from a few percent to 50% of what they process. Since scammers usually scam each other a lot, a "ring of trust" has to be formed before such an operation can take place, especially since deals will be made from different countries.

Finally, the mob, mafia or whatever you want to call organized crime, is supposed to be the great daddy of them all, having figured out that cybercrime is cheaper, more lucrative and less dangerous than the drug business. Lovet could not go into much detail about organized crime involvement: the much higher investigation requirements needed to get hard data on this group put it out of reach of a private cyber security researcher. But there is no doubt, according to Guillaume Lovet, that the mob has become the final destination of much of the hacking business profits.

How much?

Carding (dealing in stolen credit card details) is the most obvious business on the IRC chat forums where hackers hang out. Full credit card information might sell for between $2 and $5 a piece, usually in packs of hundreds. Sellers usually give out a sample to try on a transaction to make sure the list is legitimate, but scamming is still very common here. The buyer usually uses the card details to get goods (at "cardable" online shops, those that agree to deliver goods to an address other than the one attached to the card). The goods are then forwarded to the scammer through a drop and sold back on eBay. Lovet hinted at net income in the $14,000-a-month range from such activities.

A variant of the credit card details trade is the banking accounts business. Accounts with several thousand dollars on them and activated for wire transfer go for a few hundred dollars a piece (Lovet showed the example of a $170,000 account sold for $300). Of course, buying such an account is just a start for the scammer, hence the low price. He would then need to arrange to wire the money to an international mule, and to have the money picked up via Western Union or eGold, two of the favorite tools used by cyber-criminals to move money around.

Ruining others' PCs is still lucrative

Another way to make money in that business is to plant adware on unsuspecting PCs. While far from new (fortunes have been made that way, as well as years in jail), the practice is still going strong. The hackers usually rent an existing botnet (or create their own) in order to have access to hundreds or thousands of PCs. They then install an adware program on each of them, getting paid a few cents per installation. From that moment, the PC owner starts seeing annoying popup advertising all over the place, not knowing that he has contributed to a hacker's retirement fund.
Earnings of $15,000+ a month with a 5,000-node botnet can be made that way. Lovet cited the example of the "Better Internet" adware, where Fortinet's own probes record spikes of installations each week on Monday and Thursday. "Each week, twice a week, someone out there having a huge botnet is installing adware on its victims, getting paid for it, then deleting it the next day, until the week after", confirms Guillaume Lovet.
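The weekly rhythm Lovet describes is exactly the kind of pattern a defender's own telemetry can surface. The following script is an added example, not code from the article or from Fortinet: it takes constructed per-day installation counts (the sample data, dates and counts are all made up for illustration), groups them by weekday and flags the weekdays whose counts exceed the quiet-day baseline in every observed week, which separates a recurring campaign from a one-off burst.

```python
"""Flag weekdays on which adware installations spike consistently across weeks.

Added example (not the article's or Fortinet's code): a probe that counts
adware installations per day exposes a botnet operator's weekly schedule,
because a campaign that re-installs adware on the same days every week shows
up as a spike on those weekdays and nowhere else.
"""
from datetime import date
from statistics import median

WEEKDAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
                 "Friday", "Saturday", "Sunday"]

# Constructed sample telemetry (not real probe data): one "YYYY-MM-DD,installs"
# line per day for four weeks starting Monday 2007-10-01. Mondays and Thursdays
# carry a campaign-sized spike; the other days hold background noise.
SAMPLE_TELEMETRY = """\
2007-10-01,2310
2007-10-02,140
2007-10-03,155
2007-10-04,2480
2007-10-05,130
2007-10-06,95
2007-10-07,88
2007-10-08,2150
2007-10-09,150
2007-10-10,132
2007-10-11,2605
2007-10-12,145
2007-10-13,90
2007-10-14,101
2007-10-15,2425
2007-10-16,128
2007-10-17,160
2007-10-18,2390
2007-10-19,138
2007-10-20,99
2007-10-21,92
2007-10-22,2280
2007-10-23,135
2007-10-24,149
2007-10-25,2510
2007-10-26,151
2007-10-27,84
2007-10-28,97
"""


def parse_telemetry(text):
    """Turn the CSV-style lines into a list of (date, install_count) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, count = line.split(",")
        records.append((date.fromisoformat(day), int(count)))
    return records


def weekday_profile(records):
    """Group daily counts by weekday index (0 = Monday ... 6 = Sunday)."""
    profile = {i: [] for i in range(7)}
    for day, count in records:
        profile[day.weekday()].append(count)
    return profile


def periodic_spike_days(records, factor=3.0):
    """Return weekday names whose every observation exceeds factor x baseline.

    The baseline is the median of all daily counts: as long as fewer than half
    of the days are campaign days, the median lands on a quiet day. Requiring
    every week's value for a weekday to exceed the threshold separates a
    recurring campaign from a single isolated burst.
    """
    if not records:
        return []
    baseline = median([count for _, count in records])
    threshold = factor * baseline
    flagged = []
    for idx, counts in weekday_profile(records).items():
        if counts and all(c > threshold for c in counts):
            flagged.append(WEEKDAY_NAMES[idx])
    return flagged


if __name__ == "__main__":
    recs = parse_telemetry(SAMPLE_TELEMETRY)
    for idx, counts in weekday_profile(recs).items():
        print(f"{WEEKDAY_NAMES[idx]:<9} median installs: {median(counts):.0f}")
    print("recurring campaign days:", periodic_spike_days(recs))
```

The median baseline is deliberate: a mean would be dragged upward by the spike days themselves and could hide the campaign. In a real deployment the same logic would run over whatever the probes export, with the factor tuned to the noise level of the feed.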

Finally, the "PHP mailer" business is there to serve the needs of spammers (another lucrative activity not covered in Lovet's talk). Those are hacked servers around the world on which hackers have installed a graphical interface and a PHP gateway to SMTP. They can be rented to pump out spam for a few hours (before the server gets blacklisted by most RTBLs around the world, much to the dismay of its legitimate owner). The most expensive PHP mailers are of the "direct to box" kind, meaning they can get email into the inbox of Gmail or Yahoo! Mail users instead of the Bulk (or spam) folder. For this, they have to be servers publishing a valid SPF record, which makes them more valuable to hackers.

Coming soon...

Of course, such a presentation would not be complete without a peek at what's to come. For Guillaume Lovet, the next serious money-making tool for hackers will come from the convergence of mobile phones (and PDAs) with botnets and dialers. Such malicious code, designed to force a telephone to call premium numbers or download ringtones, could indeed very well be a gold mine for hackers. Unless, of course, telcos do a better job of protecting their network. Which is their gold mine, too...
