61

As a whitehat pentester I often wonder about the darkside. I see myself working in the office, and imagine that there is someone just like me in China or Romania or in their parents' basement that is pretty much doing the exact same thing, but hurting people for money or just for the "lulz".

Similar to this great question: "What are the career paths in the computer security field?". What is the job scene like on the darkside? What kind of crazy job opportunities await the amoral hacker? Do all of the "common roles" covered in AviD's answer have a darkside counterpart? What about the gray areas of computer security? (Which some of us consider to be just plain-old blackhat)

rook
  • 4
    Very interesting question! I often wonder the same thing... – Polynomial Sep 20 '12 at 07:36
  • 5
    Kaspersky have a good breakdown on [The geography of cybercrime](https://www.securelist.com/en/analysis/204792244/The_geography_of_cybercrime_Western_Europe_and_North_America), and how criminals profit from these ventures. – Diarmaid Sep 20 '12 at 08:50
  • 3
    If you are a criminal I wouldn't call that a career. You are either a better criminal than everyone else or another criminal who works for somebody else. There is no retirement plan, there is only the guarantee of you going to jail if you get caught, and the possibility of being shot if you cause your boss to be caught. – Ramhound Sep 20 '12 at 11:26
  • 2
    Don't forget fields like hydraulic press operator (license plate manufacturing). – Dan Is Fiddling By Firelight Sep 20 '12 at 12:43
  • 1
    @Diarmaid Wow, people *actually* fell for that PCeU scam? – Polynomial Sep 20 '12 at 15:56
  • Ramhound, criminals do have careers. There can be a complex infrastructure, with a CEO, a legal front which pays taxes. And yes, you could have a retirement plan. You wouldn't necessarily be hiding, you'd just break the law for your job. For example, a super sketchy SEO service which we all know is blackhat, but which no one has solid proof is breaking the law. They are a company, with a CEO, who pays taxes, but it's still cybercrime. – forest Apr 08 '16 at 03:18

8 Answers

35

My 2 cents here: While not technically illegal, these companies have managed to develop malware and exploits, without anyone bugging them, because they sell them to governments, law enforcement agencies, secret services, organizations and, in the case of some of the companies, to anyone else interested.

Such companies include:

More information can be found: here.

TildalWave
NlightNFotis
  • Maybe it was a VUpen employee ;). I upvoted, I thought it was helpful. – rook Sep 21 '12 at 18:34
  • 2
    @NlightNFotis Probably wasn't; just saying that if perhaps it *was* personal then it couldn't be *that* personal because he didn't even leave a comment. Get used to people down-voting for absurd undisclosed reasons. Giving down-votes costs you rep, so you normally don't without a good reason. But who knows. Also, note that 1 up gives you 10 and 1 down costs you 2. So +1-1 is a net +8 rep even though the score remains the same. That should at least make you feel a little better ;) – tylerl Sep 22 '12 at 07:38
34

I can't comment on the actual job scene, but I do know a bit about the statistics of cybercrime.

In terms of financial gain, the stats are quite interesting. In terms of profit, the top three are as follows:

  1. Pay-per-click advertising fraud - Wasn't so much of a profit-maker until recently, but blackhats seem to have focused on this method more intensely since the spam market got saturated. It's estimated that larger botnets, with numbers in the millions, generate up to $100k per day.
  2. Email spam - Still very profitable, but is a highly saturated market. Spam botnets have to be huge in order to turn a worthwhile profit, which makes them a top target for whitehats. More intelligent anti-spam systems also make it very difficult to target everyday users (e.g. Hotmail, Gmail, etc.). It's estimated that the BredoLab botnet generated around $139k per month for the owner.
  3. Carding / skimming - The old standard. Whilst the effort required to capture credentials is reasonably easy, it's more labour-intensive and risky to actually use the cards. However, the pay-off generated by a usable card can be large - hundreds or thousands of dollars per success.

However, don't think it's all sunshine and rainbows and high-class hookers! Most large botnet operators and card fraudsters get caught, and a lot of them go to prison:

  • The writer of BredoLab got 4 years in prison.
  • 3 people were arrested and are awaiting sentencing regarding the Mariposa botnet.
  • As part of the FBI crackdown on the Zeus trojan, around 100 people were arrested and several received jail sentences.
  • The Srizbi botnet caused an entire hosting company to be shut down by the government, and further arrests were made.
  • The writer of the Akbot botnet got arrested, but was later released due to problems with the case. Lucky escape!
  • Hundreds of people are arrested every year for credit card fraud.
Polynomial
15

One option not mentioned here is espionage. Patriotism or corporate funding could be part of the reason you might end up in espionage.

Corporate

As an espionage contract worker you could charge a pretty high fee for doing any of a number of different black hat operations.

Stealing corporate information (design plans, blackmail, corrupting data, stealing funds). In the documentary called The Corporation they interview a corporate espionage consultant.

Governmental

Working in the government sector as a cyber warfare officer. You would be working in teams to do things like render the Iranian uranium enrichment facility inoperable.

Or weeding out government dissidents like the Gmail hack of 2009. Stealing advanced designs and plans for next generation military equipment (F35 JSF). The Aurora hack.

nelaaro
  • Russian hacker identified as attacker by Georgian government. http://arstechnica.com/tech-policy/2012/11/how-georgia-doxed-a-russian-hacker-and-why-it-matters/ – nelaaro Nov 12 '12 at 07:39
7

Like NlightNFotis's answer, there are a number of companies writing legal malware for governments, which are vendors at the ISS World Training. I documented them here: http://0xdabbad00.com/2011/12/10/legal-malware/

0xdabbad00
6

I would imagine most of the money would be in organized crime rings, operating botnets to distribute malware. From there they can attack individual bank customers to steal money or set up mule accounts. They could also rent out their botnets to others to do distributed computing.

Probably a lot of spyware is still out there, maybe you inject your affiliate ids into all Amazon links on a large number of zombies, maybe you serve them popups or fake antivirus software.

Maybe you take down corporate websites through extortion.

Perhaps you just do a lot of automated tasks that generate revenue over a large network, click fraud, search engine poisoning.

I read a pretty good book a few years ago with various academic papers on cyber crimes; if I can find it or an updated set I'll come back here and post it.

Eric G
4

In addition to what Eric has said, there is another money generating field out there - coding custom malware. An example is of this guy - Tataye - author of the famous Beast Trojan. He is now selling his work for monnies at http://www.spytector.com/. Another example is this guy - http://www.nuclearwintercrew.com/Buy-Princeali/

The sky is the only limit if you know how to code.

Metahuman
  • 2
    Some people just don't understand business. – rook Sep 20 '12 at 06:42
  • I'm sorry I did not quite catch your "whitehat pentester" question securityninja. I would rather sell my private findings to Core Labs other than the ZDI for obvious reasons. But then you legalize it. I really would keep them to myself and then upload my remote access tool to siphon off money the Zeus way. – Metahuman Sep 23 '12 at 07:34
  • He is selling his shitty tool for like $100. I am sure he makes less than me. – rook Sep 23 '12 at 20:05
4

Partially anecdotally - it does look like barring a handful of exceptions, the only big winners in this business are the organised crime gangs, who are in a position to use skilled exploit writers, hackers, social engineers etc to create money makers.

While some of these exploit coders get paid reasonably well (for example the blackhat exploit market pays 5 to 10 times what the white hat market will give you) they are unlikely to be able to retire on their earnings. In fact, if they are very successful, they may find threats from organised crime may force them to stay in business.

Alternatively, many exploit writers actually get paid very little.

Rory Alsop
  • On top of that, the organised crime guys are likely to (figuratively) throw the malware devs under the bus when the cops come knocking on the door, to save their own asses. – Polynomial Sep 20 '12 at 09:44
0

While not at all about hacking, I think the following has a lot in common in principle with living the "underground" life and explains why the vast majority of people in that scene can't make a living, much less a fortune:

http://www.freakonomics.com/books/freakonomics/chapter-excerpts/chapter-3/

Tracy Reed