Anyone who doubts that internet commerce faces serious threats from online criminals should consider this: Criminal hacking has spawned a full-blown service economy, one that supports growing legions of relatively lower-skilled but fulsomely larcenous hackers.
In the past year, entrepreneurs, many of them based in Russia, have begun to create criminal hacking enterprises aimed not at stealing but at providing services to help others steal. Business has quickly taken off. Per unit of risk – of apprehension, prosecution, and incarceration – enabling online crime pays better than perpetrating it directly. Criminal services entrepreneurs are netting millions of dollars a month. Some experts estimate that, all told, they earned $1.5 billion in 2007.
Last year, two Russians created a subscription-based identity theft service. Rather than steal personal credentials themselves, the two hacked into PCs and then charged clients $1,000 per compromised machine for 30 days of unfettered access.
The clients are betting that during the 30-day period (one billing cycle) victims will bank or otherwise submit personal data online.
To offer their subscription service, the hackers contracted with yet another service provider to obtain a sophisticated distribution system for the illicit code, called a bot, that they would use to infect the PCs. That distributor enticed website owners to hide its bot on their sites by promising weekly payments based on the volume of traffic, much the way newspapers are paid by advertisers according to the number of visitors to their websites. Other service businesses aggregate large networks of compromised computers, called botnets, and rent out portions of their networks for whatever task the client has, perhaps to distribute spam, disable a competitor’s website, or infiltrate a firm’s network in order to steal intellectual property.
As with any service business, customers willing to pay extra can obtain premium offerings. The two hackers behind the subscription service will “clean up” your data – get rid of low-value information and generate helpful reports itemizing what you’ve stolen. The botnet rental operations offer ancillary consulting to maximize the effectiveness of your attack; some guarantee specified service levels or your money back.
The biggest factor driving the emergence of this new service economy is the obvious one: an explosion of online banking and shopping, coupled with consumers’ increasing willingness to disclose personal information over the internet. For those with the technical skills, opportunities for exploitation are richer than ever before.
But something else is happening, too. Those gifted hackers are now enabling the far larger market of wannabes whose deficient skills would otherwise shut them out of the cybercriminal enterprise system.
By creating services for those people, hackers can generate huge profits without actually committing fraud. Gold prospectors may or may not strike it rich, but folks selling pans and pickaxes make a heck of a living either way.
What surprises some experts about this new service economy is just how innovative and vibrant it has become. The hackers code at a PhD level. Their solutions to problems are creative and efficient. They respond to market conditions with agility. Their focus on customer service is intense. If this loose collective of criminal hackers were a company, it would be a celebrated case study of success.
Cybercrime services are so sophisticated and powerful that they make one pine for the days of simple website defacements and e-mail viruses with cute embedded messages. The new breed don’t just disrupt business, they threaten it by frightening customers and undermining commercial confidence. As the victims of online crime pile up, more and more of them will look for someone to hold responsible.
And it won’t be the hackers, it will be the brands that customers trusted to protect them.
Further Reading: Malware Becomes a Hot Commodity
Cybercrime has grown more rampant in recent years, and the losses it causes keep climbing.
The Computer Security Institute’s (CSI) 2007 Computer Crime and Security Survey reported that the average annual loss for US companies doubled, from $168,000 in 2006 to $350,424 in 2007. Financial fraud replaced virus attacks as the leading cause of financial loss; virus attacks, which had held the top spot for seven consecutive years, fell to second place.
In addition, according to a survey by the US Federal Bureau of Investigation (FBI), online crime caused $67.2 billion in damage in the United States alone in 2005. The survey interviewed 2,066 organizations, nearly 90% of which had experienced a security incident that year; the average financial loss per incident was $24,000. At the time, viruses (83.7%) and spyware (79.5%) were the most common problems.
Growing evidence shows that what began as hacking and virus writing purely for fun has turned into writing malicious programs for illicit profit. Computer security experts have repeatedly warned that an “underground online economy” has taken shape, with malware services openly sold online and developed and guaranteed in the same way as products from legitimate software vendors.
David Marcus, security research manager at anti-virus vendor McAfee Avert Labs, said that people can buy kits from Trojan development websites run by German and Eastern European groups, and can even sign annual contracts for malware support.
Joe Telafici, McAfee’s director of operations, said that over the past year the channels for developing and selling malware have reached the same maturity as those of traditional software developers. Telafici cited a recent case that shows how mature the underground online economy has become: a group of hackers who wrote packers designed specifically to evade anti-virus software recently released their code publicly and quit, because “the competition is too fierce and there is no money in it.”
Peter Gutmann, a security researcher at the University of Auckland, noted in a report that in 2007 it became increasingly common for people to pay others to infect computer users with spyware or Trojans. He said service fees could differ two- or threefold between websites, with non-Russian sites usually charging more. “If you want a low price, buy from a Russian site,” Gutmann said.
Gutmann said that in March last year, malware websites were quoting the basic version of the Gozi Trojan (which steals data and sends it to the hacker in encrypted form) at between $1,000 and $2,000, with add-on services available for an extra fee starting at $20.