Sunday December 11, 2016

Cybercrime-as-a-service: inside the botnet black market

A flourishing underground market in botnets is worrisome thanks to poorly secured, internet-connected household devices. (Michelle Parise)

As the market grows for 'smart' internet-enabled household devices, hackers have started turning them into botnets. Botnets are networks of remotely controlled devices, which can be used for malicious purposes. Now, these Internet of Things botnets are turning up for rent on secret markets.

Botnets have been around for a long time, harnessing desktop computers by getting users to install malware. Now, though, hackers are targeting poorly secured, internet-connected household devices to create the botnets. Botnets can be harnessed for Distributed Denial of Service attacks, where a website is temporarily brought down by overwhelming it with traffic. In October, the Mirai botnet took on an internet infrastructure company. That attack temporarily knocked out popular sites like Twitter and Spotify.

Finn Brunton

There's a flourishing, underground market in botnets. Finn Brunton is an assistant professor at NYU, where his research focuses on the history and theory of hacking. He says the marketplace for botnets is very straightforward. "Everything is transacted more or less anonymously," he says. "It's pretty simple. They say 'we will charge, let us say, x number of hundreds or thousands of dollars, depending on the size, for x number of machines, for let's say, a week...' and then you pay up."

The scary thing is that you don't really need much technical expertise to rent one of these botnets. "From the side of being a customer of one of these big botnets, it's very 'plug and play'," Finn says. "You never need to know or think about the hundreds of thousands of 'smart' door locks and tea kettles, and internet routers...and all the other objects...that are the mechanisms that make this possible.... To some degree you need to be in the mix of this world to know where to go and who to talk to," Finn says. But "they are part of a larger transformation in the world of hacking and cybercrime, which is cybercrime-as-a-service."

One reason these botnets are potentially so worrisome is that in the rush to create a market for 'smart home' devices, security has not always been a top priority. "The way that the Internet of Things has developed as a market has been one of the great setbacks in the safety and security of the online world," he says, referring to the last few years. "What we've witnessed is the production, on an enormous, unprecedented scale, of devices which are a) not secured particularly well, and in some cases at all by the original manufacturer," he cautions. "And b) that are designed...to be very difficult to impossible for the consumer themselves to make any changes to."