• United States



by Dave Gradijan

Bot Herders Selling Stolen Financial Data to Criminals

Mar 19, 20074 mins
CSO and CISOData and Information Security

The underground economy where criminals sell stolen personal and financial data appears to often rely on network infrastructure supplied by the kingpins of the botnet world, according to Symantec’s biannual Internet Threat Report published Monday.

Symantec tracked 6 million separate bots—compromised computers used to send spam or steal personal data—controlled by roughly 4,700 separate servers through so-called “bot herders” who could be anywhere in the world. During the same six-month period, from last July through December, Symantec also watched 332 of what it calls “underground economy servers,” where stolen personal data, such as credit card and bank account information, is routinely bartered and sold. According to Alfred Huger, Symantec’s vice president of engineering, it’s not unusual for these underground economy servers to be the same as those maintained by the bot herders.

“We think the bot herders are people maintaining the infrastructure for this criminal activity,” Huger said.

Symantec came to this conclusion, described in the “Symantec Internet Security Threat Report, Trends for July-December ’06,” through both its global sensor network and researchers who spent time lurking in the online criminal world where buying and selling of stolen personal information takes place.

At these “underground economy servers,” Symantec watched 5,000 criminal transactions over a five-month period. As to where these servers are situated, Symantec says 51 percent are in the United States, 15 percent in Sweden, 7 percent in Canada and 6 percent in Germany, with the remainder elsewhere. Often, these servers are stolen too, used remotely right under the noses of their rightful owners, particularly small businesses and consumers.

And it’s a bustling marketplace for identity theft. “You can buy a U.S. identity—a credit card, bank account, Social Security, date of birth—for US$20,” said Huger. “A single U.S.-based credit card ranges from $1 to $6, with U.K.-based cards a little higher, $2 and $12. We think it’s because the pound is worth more money.” Access to an online bank account with $9,900 in it would go for about $300. The main language is typically English.

According to Symantec, there’s often a direct relationship in shared infrastructure between those running botnets and those maintaining these underground economy servers. “Whoever is running one of these underground servers is almost always running a botnet, too,” Huger said.

Symantec also observed a second trend: The various bot herders seem to be in competition with each other, driving an online consolidation as they fight with mafia-like intensity. “It’s Darwinism at its best,” Huger joked.

Over the past year, there has been a decrease in the command-and-control servers to about 4,700 controlling servers now, compared with about 6,000 during the first six months of 2006, according to Symantec. The company says it believes vicious competition is leading to botnet power grabs.

“They’re pushing out other competitors, both by strong-arming and stealing their bots. They steal access to the computer someone else already had stolen, pushing them out. It’s territorial,” said Huger. Distributed denial-of-service attacks will erupt as one botnet master shoots at a competitor’s network, he added.

On the question of where the 6 million bot-infected computers may reside around the world, Symantec identifies China as having the greatest number of infected computers, at 26 percent. The United States is second, at 14 percent; France and Germany are at 6 percent, with the rest largely based in Spain, the United Kingdom, Taiwan, Poland, Brazil and Canada.

Huger said Symantec does share information it gleans about suspected criminal activity with both law enforcement and ISPs around the world. He said ISPs often quietly go about pulling the plug on botnet-related networks when they learn about them without law-enforcement involvement. Huger added that this process would probably benefit from more public disclosure.

-Ellen Messmer, Network World