Botnets as cybercriminals’ viable option in the emerging economic crisis

Most botnets are currently deployed for distributed denial-of-service (DDoS) attacks but can also be used for delivering spyware, sending email spam, phishing, ‘click fraud’, stealing confidential information or cryptocurrency mining.

Looming economic crisis

The world has changed dramatically in the three months since the January update of the World Economic Outlook, warns the International Monetary Fund (IMF). The IMF’s April World Economic Outlook projects global growth in 2020 to fall to -3 percent, a downgrade of 6.3 percentage points from January 2020 and a major revision over a very short period.

Now, fears are growing that the downturn could be far more punishing and long-lasting than initially expected, as the world is almost certainly ensnared in a devastating recession delivered by the coronavirus pandemic, according to the New York Times.

Many experts believe that this crisis is only an extension of the 2008 global financial crisis. Either way, the projected contraction makes the Great Lockdown the worst recession since the Great Depression, and far worse than the Global Financial Crisis.

Botnet economics

The term “botnet” is a combination of the words “robot” and “network” and is usually used with a malicious connotation. A botnet is simply a network of internet-connected devices (PCs, servers, routers, IoT gadgets) infected with malicious software and controlled as a group, without the owners’ knowledge, through a command-and-control channel.

In the fourth quarter of 2019, Nuspire recorded 2.7 million botnet infections, roughly 30,000 per day. Bots currently account for nearly 40 % of online traffic.

In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single command-and-control (C&C) server into sophisticated distributed systems comprising millions of computers and other digital devices with decentralised, often peer-to-peer, control.

Why are these enormous ‘zombie’ networks created? The answer is money. Kaspersky, for example, reports that renting a botnet for a DDoS attack costs anywhere from USD 50 to several thousand dollars for 24 hours of continuous operation.

The same source emphasises that the price of stolen personal data depends directly on the country in which its legitimate owner lives. For example, a complete set of data on a US resident costs between USD 5 and 8.

By contrast, EU residents’ data is particularly valued on the black market and is two or three times more expensive than data on US and Canadian residents, because cybercriminals can use it in any EU country. Worldwide, the average price of a full package of data on one person is about USD 7.

Moreover, cybercriminals (mostly phishers) pay botnet owners USD 1,000 to 2,000 per month for hosting ‘fast flux’ services. In a fast-flux network the DNS records for a phishing or malware-delivery domain are rotated, with very short TTLs, through a constantly changing pool of infected hosts that act as proxies for the real server, so taking down any one host, or blocking any one IP address, does not take down the site.
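The rotation described above is visible from the outside: resolve the same name repeatedly and the answers keep changing. The following is an added example, not code from the article, that scores a series of DNS responses for fast-flux behaviour. The DNS answers in it are constructed (a hypothetical phishing domain versus a CDN-hosted one), and the thresholds are assumptions to tune against your own resolver logs.

```python
"""Fast-flux heuristic over repeated DNS lookups of one domain.

Added illustration, not code from the article. The DNS answers below are
constructed: a hypothetical phishing domain whose A records are swapped
out on almost every lookup with a tiny TTL, and an ordinary CDN-hosted
domain (also low TTL, but a stable, small set of addresses) for contrast.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Answer:
    ttl: int         # seconds the resolver may cache this response
    ips: List[str]   # A records returned in this response


def ip_prefix(ip: str) -> str:
    """/16 prefix of an IPv4 address; a crude stand-in for 'different network'.
    Bots acting as flux proxies sit on many unrelated home/ISP networks."""
    return ".".join(ip.split(".")[:2])


def flux_score(answers: List[Answer]) -> Dict[str, float]:
    """Summarise how much the answer set churns across successive lookups."""
    seen: Set[str] = set()
    new_per_lookup = []
    for a in answers:
        fresh = set(a.ips) - seen
        new_per_lookup.append(len(fresh))
        seen |= set(a.ips)
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len({ip_prefix(ip) for ip in seen}),
        "min_ttl": min(a.ttl for a in answers),
        # average number of never-before-seen addresses per lookup after the first
        "churn": sum(new_per_lookup[1:]) / max(len(answers) - 1, 1),
    }


def is_fast_flux(answers: List[Answer], max_ttl: int = 300,
                 min_ips: int = 10, min_prefixes: int = 5) -> bool:
    """Flag only when low TTL, many addresses AND many networks coincide.
    TTL alone is useless: CDNs and load balancers also use short TTLs."""
    s = flux_score(answers)
    return (s["min_ttl"] <= max_ttl
            and s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes)


# Constructed sample: 5 lookups, 4 fresh proxies each, all on different /16s.
FLUX_ANSWERS = [
    Answer(ttl=60, ips=[f"{100 + 4 * i + j}.{50 + j}.{i}.{j + 1}" for j in range(4)])
    for i in range(5)
]
# Constructed sample: 5 lookups of a CDN name, short TTL but the same two IPs.
CDN_ANSWERS = [Answer(ttl=20, ips=["203.0.113.10", "203.0.113.11"]) for _ in range(5)]

if __name__ == "__main__":
    for name, ans in (("flux", FLUX_ANSWERS), ("cdn", CDN_ANSWERS)):
        print(name, flux_score(ans), "fast-flux" if is_fast_flux(ans) else "benign")
```

The point of combining three signals is the false-positive case in the second sample: a short TTL on its own describes most large web properties, so only the combination of short TTL, a large address pool and addresses scattered across unrelated networks is worth an alert.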

The above examples suggest that botnet-based crime can remain a viable source of income throughout an economic and financial crisis, particularly when other ways of earning money become scarce.

Warning signs

Preventing cybercriminals from enrolling your digital devices in their botnets is not an easy task: almost any malware can cause the same symptoms that a bot does. Still, some signs should not be ignored if we are serious about fighting botnet-related problems.

A cooling fan that spins up while your computer is idle may simply mean a dusty fan or a Windows update in progress, but it can also be a sign that your computer is busy serving a botnet’s nefarious activities.

Slow-running programs or a lengthy shutdown can be caused by other technical glitches, but can also be a sign that hidden programs are consuming a lot of your computer’s resources.

A sudden increase in failed login attempts should warn you that bots may be attacking your own or your customers’ credentials, typically by ‘credential stuffing’: replaying username and password pairs leaked from other breaches.

Difficulty downloading operating-system or security-software updates is a sign that your device might be part of a botnet, since bot malware often blocks update and antivirus domains to protect itself. An unusually slow internet connection can also be a warning sign.

Duplicates of your content on sites you never approved may be a sign that scraper bots are stealing material you took the time to create, so that malicious site operators can host it on domains they own to boost their own traffic.

Traffic originating from unusual geographic locations can also hint that your site is being hit by a botnet, warns Cloudflare. The same source cautions about an increase in card validation failures. This is a particularly dangerous sign: card-testing bots try thousands of stolen card numbers in small transactions to find the ones that still work.
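The two signals above (failed logins and card validation failures) are the same detection problem: one source producing many failures, or failures against many different targets, in a short window. As an added example that is not the article’s or Cloudflare’s code, the block below runs that rule over constructed application-log lines; the log format, the IPs and the thresholds are all assumptions for the illustration.

```python
"""Spotting credential stuffing and card testing in application logs.

Added illustration, not code from the article or from Cloudflare. The log
format and every line below are constructed for the example; adapt
LINE_RE to your own auth and payment logs. The rule is the same for both
signals: within a short window, one source IP produces either many failures
or failures against many different targets (usernames or card hashes).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|card) (?P<result>[A-Z]+) "
    r"ip=(?P<ip>\S+) (?P<field>user|pan_hash)=(?P<value>\S+)$"
)
FAILURE = {"auth": "FAIL", "card": "DECLINE"}
LABEL = {"auth": "credential_stuffing", "card": "card_testing"}


def parse(line: str) -> Optional[Dict[str, object]]:
    m = LINE_RE.match(line)
    if not m:
        return None           # unknown format: ignore rather than crash
    d: Dict[str, object] = dict(m.groupdict())
    d["ts"] = datetime.strptime(str(d["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return d


def detect(lines: List[str], window: timedelta = timedelta(minutes=5),
           max_failures: int = 20, max_distinct: int = 10) -> List[Tuple[str, str]]:
    """Return sorted (label, ip) pairs that exceed the per-IP thresholds."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts = set()
    for e in events:
        if e["result"] != FAILURE[e["kind"]]:
            continue                      # successes do not count
        q = recent[(e["kind"], e["ip"])]
        q.append((e["ts"], e["value"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                   # slide the window forward
        distinct_targets = len({v for _, v in q})
        if len(q) >= max_failures or distinct_targets >= max_distinct:
            alerts.add((LABEL[e["kind"]], e["ip"]))
    # Caveat: distributed attacks spread attempts over many IPs so no single
    # source trips these thresholds; key the same window on the target
    # (username or card hash) as well to catch that variant.
    return sorted(alerts)


# Constructed sample: a human mistypes twice then logs in; one IP cycles
# through 12 usernames in a minute; one IP tests 12 different cards.
SAMPLE_LOG = [
    "2020-04-20T10:00:01Z auth FAIL ip=192.0.2.10 user=alice",
    "2020-04-20T10:00:09Z auth FAIL ip=192.0.2.10 user=alice",
    "2020-04-20T10:00:15Z auth OK ip=192.0.2.10 user=alice",
] + [
    f"2020-04-20T10:01:{i:02d}Z auth FAIL ip=198.51.100.7 user=user{i}" for i in range(12)
] + [
    f"2020-04-20T10:02:{i:02d}Z card DECLINE ip=203.0.113.44 pan_hash=h{i:03x}" for i in range(12)
]

if __name__ == "__main__":
    for label, ip in detect(SAMPLE_LOG):
        print(f"ALERT {label} from {ip}")
```

The “distinct targets” test matters more than the raw failure count: a legitimate user who forgets a password fails repeatedly against one account, whereas a stuffing or card-testing bot fails against many different accounts or cards, which is why the human in the sample is never flagged.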

In a time of crisis when every cent counts, a low return on advertising spend can be particularly upsetting. Digital advertising can be an effective tool for driving traffic to your site, but it is also a lucrative target for bad bots. Many traffic bots mimic the behaviour of human users, clicking your ads repeatedly to drive up your pay-per-click (PPC) spend and then bouncing without making a purchase. It is therefore crucial to be proactive and monitor every click that comes through your ads, warns Cloudflare.

These are only some signs that should not be ignored if we are to protect ourselves and our organisations from digital ‘zombies’. It is, however, equally important to know how to fight bad bots.

Tactics for fighting bad bots

Various tactics can be used to fight bad bots and to prevent our organisational and private devices from becoming part of malicious botnets. Here are some of the common measures.

One basic technical measure is to deploy intrusion-detection and intrusion-prevention systems (IDS/IPS) and to tune them to look for bot-like behaviour, such as regular, machine-timed check-ins with a command-and-control server, rather than relying on signatures alone. It is also advisable to use remediation tools that can detect and remove even stubborn rootkit infections.
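What “bot-like activity” looks like in practice is timing: a bot polls its controller on a schedule, a person does not. The following added example (not the article’s code, and not a real IDS rule) scores connection records for that regularity. The flow records are constructed, in the form (timestamp in seconds, source IP, destination IP, destination port), and the thresholds are assumed starting points.

```python
"""Beaconing detection: tuning for bot-like timing rather than signatures.

Added illustration, not code from the article. A compromised host that
checks in with its command-and-control server does so on a timer, so the
gaps between its connections to one destination are far more regular than
a person's browsing. The flow records below are constructed:
(timestamp_seconds, src_ip, dst_ip, dst_port), as you might export from
NetFlow or Zeek conn logs.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int]
Key = Tuple[str, str, int]


def beacon_candidates(flows: List[Flow], min_count: int = 8,
                      max_cv: float = 0.15) -> List[Tuple[Key, float, float]]:
    """Return (src, dst, port) triples whose inter-connection gaps have a
    coefficient of variation (stdev / mean) at or below max_cv, together
    with the mean gap and the cv. Fewer than min_count connections is
    too little data to judge regularity."""
    by_pair: Dict[Key, List[float]] = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue                      # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append((key, round(m, 1), round(cv, 3)))
    return hits


# Constructed sample: a bot calling home every ~300 s with a few seconds of
# jitter, and a person browsing the same port on another host at random times.
_JITTER = [0, 3, 7, 1, 9, 4, 2, 8, 5, 6, 0, 3]
SAMPLE_FLOWS: List[Flow] = [
    (300.0 * i + j, "10.0.0.5", "198.51.100.23", 443) for i, j in enumerate(_JITTER)
] + [
    (t, "10.0.0.8", "203.0.113.80", 443)
    for t in (0, 12, 15, 90, 400, 405, 1300, 1310, 1400, 2600)
]

if __name__ == "__main__":
    for key, gap, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon candidate {key}: every {gap}s, cv={cv}")
```

Operators know this check exists and add random jitter to their check-in interval, which raises the coefficient of variation; lowering `max_cv` trades missed beacons for fewer false alarms, so the score is a triage aid for the analyst rather than an automatic block.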

Most malware is written for the most widely used operating systems and browsers. Diversifying operating systems, disabling browser scripting and the ‘AutoRun’ facility, or using a less popular browser can also help to frustrate botnet malware.

Training end-users and reviewing and revitalising organisational cybersecurity policies are highly important both for fighting malicious botnets and for improving the general cybersecurity posture. Greater awareness and a stronger cybersecurity culture also safeguard consumer trust and the brand’s reputation.

Blocking malicious bots as soon as they are discovered, by dropping the related network traffic, can save substantial bandwidth and storage costs. At the same time, it is important to whitelist useful bots, for example search-engine crawlers or bots run by partners that provide third-party services. Because the User-Agent string is trivially spoofed, such whitelisting should rest on something stronger than the name a bot claims for itself, such as the crawler operator’s published IP ranges or a reverse-DNS check.
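The reverse-DNS check that search engines document for verifying their crawlers is forward-confirmed reverse DNS: the PTR record of the client IP must lie under the crawler’s domain, and that hostname must resolve back to the same IP. The block below is an added example, not code from the article. The resolver tables in it are constructed from documentation address ranges and the lookups are injected so that it runs offline; the crawler domain suffixes are assumed values and should be taken from each search engine’s own documentation.

```python
"""Allow-listing useful bots safely: forward-confirmed reverse DNS.

Added illustration, not code from the article. A User-Agent header is a
free-form string, so bad bots routinely claim to be Googlebot to slip past
blocks. The resolver tables below are constructed (documentation address
ranges), and the lookups are injected so the example runs offline;
live_reverse and live_forward use the real system resolver.
"""
import socket
from typing import Callable, Dict, List

# Crawler name -> hostname suffixes the reverse record must end with.
# Assumed values for the example; take the authoritative list from each
# search engine's own documentation.
GOOD_BOT_DOMAINS: Dict[str, tuple] = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def verify_good_bot(ip: str, claimed: str,
                    reverse_lookup: Callable[[str], str],
                    forward_lookup: Callable[[str], List[str]]) -> bool:
    """True only if PTR(ip) is under the crawler's domain AND A(PTR(ip)) contains ip."""
    suffixes = GOOD_BOT_DOMAINS.get(claimed.lower())
    if not suffixes:
        return False
    host = reverse_lookup(ip)
    if not host:
        return False
    if not host.rstrip(".").lower().endswith(suffixes):
        return False                      # reverse zone is not the crawler's
    # The reverse zone for an IP is controlled by whoever owns the IP block,
    # so an attacker can publish any PTR for their own addresses. Only the
    # forward resolution, which the crawler's operator controls, closes the loop.
    return ip in forward_lookup(host)


def live_reverse(ip: str) -> str:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                       # herror/gaierror are OSError subclasses
        return ""


def live_forward(host: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        return []


# Constructed resolver data: one genuine crawler, one IP whose owner published
# a forged Googlebot PTR, and an ordinary scraper.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.1": "crawl-192-0-2-1.googlebot.com",
    "203.0.113.9": "crawl-192-0-2-1.googlebot.com",   # forged PTR
    "198.51.100.2": "scraper.example.net",
}
FAKE_A: Dict[str, List[str]] = {
    "crawl-192-0-2-1.googlebot.com": ["192.0.2.1"],
    "scraper.example.net": ["198.51.100.2"],
}


def fake_reverse(ip: str) -> str:
    return FAKE_PTR.get(ip, "")


def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])


def demo_results() -> Dict[str, bool]:
    """Verdict for each constructed client claiming to be Googlebot."""
    return {ip: verify_good_bot(ip, "Googlebot", fake_reverse, fake_forward)
            for ip in FAKE_PTR}


if __name__ == "__main__":
    for ip, ok in demo_results().items():
        print(f"{ip}: {'allow' if ok else 'treat as unverified'}")
```

The forged-PTR case is why the forward step cannot be skipped: anyone who controls an IP block can publish a reverse record that says “googlebot.com”, but they cannot make Google’s own zone resolve that hostname to their address. In production, cache the verdict per IP, since two DNS lookups per request is too slow to sit on the hot path.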

Finally, here is a tactic that sounds like science fiction: zombie eats zombie!

What is a zombie’s worst enemy, asks US Telecom? Potentially, another zombie, answers the same source. Botnets quite often infect devices that are already infected by rival botnets, and delete those rivals to expand their own dominion.

As bots (‘zombies’) that ‘eat’ other bots become more common, and with profits at stake, botnet operators are under significant pressure to fight their rivals with the latest tools, or at least to take steps to defend themselves. Some botnets will actively patch the security vulnerability they used to break into a device, to prevent a rival from breaking in the same way.

The tendency for botnets to compete will likely drive their evolution in new directions, possibly making them more resilient to mitigation efforts, believes US Telecom.
