Wednesday, April 15, 2009
Conficker's Scareware/Fake Security Software Business Model
It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet would have to switch to a monetization phase, and start earning revenue by using well-proven business models within the cybercrime ecosystem.
Interestingly, at least for the time being, there's no indication of the usual mainstream advertising propositions: partitioned pieces of the botnet offered for sale, managed fast-flux services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two), or hosting of scams and spam. We've already seen related cases elsewhere, such as a money mule recruitment agency using ASProx's fast-flux network services, next to Srizbi's managed spam service propositions.
How come? Pretty simple: scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks is often an easy way for cybercriminals to quickly launder large sums in a typical win-win revenue-sharing arrangement.
The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact: in the cybercrime ecosystem, visibility not only comes at the cost of decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection), but also, despite their risk-decreasing revenue-sharing model, makes the "follow the money trail" practice more and more relevant.