Malware is malicious, bad software. It's the code that cybercriminals use to steal credit card numbers and bank accounts. And the big hack against Target showed how good these criminals are getting: They've built a thriving underground where credit cards go on sale before anyone even knows that a massive breach has happened.
On a recent day at a crowded Starbucks in downtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist.
Pageler is not one of the cybercriminals. He's a former Secret Service agent who studied them and is now in the private sector, with a Bay Area company called DocuSign.
He takes me to the anonymous Tor network, to a website that requires a login. He doesn't want to reveal the name of the site because he doesn't want to tip off anyone. Being a trusted user on a criminal website takes work. It's a lot like eBay; you have to visit, buy and sell regularly, and get rated and reviewed by your peers.
"When they transact with you, no one's getting arrested, no one's getting burned," Pageler says. "So every time you make a transaction on the underground, you're just building your street cred."
Today, credit cards are on supersale. Pageler says that means a big breach just happened.
Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don't just look at credit limits; they do analytics to see, according to the data, what banks have the weakest security.
"For them, they'll know based on a bank ID number which bank it is, and where they're getting the best return on fraud," he says.
Pageler is showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: A list of 10,000 emails, customized by age, gender, region, goes for just $79. To make sure the emails work, there's a "cleaning price" of $48, Pageler says.
For another $50, I get malware called a key logger, which will latch into a victim's operating system and follow every keystroke in search of strings that look like bank logins and account numbers.
Payment is made with an account that's like Paypal, except it is Internet cash that's hard to trace, and the servers are overseas, so American police can't really subpoena records.
I need one more thing, called a botnet — a vast network of computers under the control of a single bot master. For this, Pageler hands me off to his colleague, botnet specialist Tom Brandl, who shows me options as cheap as $16. He makes a simple analogy to the drug trade: "These would actually be the guys on the street corners, collecting money and distributing the drugs."
The bots send out emails, and between 5 percent and 10 percent of recipients open the attachment, which lets the crooks in. The bots crawl around waiting for bank passwords. Then they can drain the money to the overseas account.
Millions upon millions of unsuspecting computers — maybe even yours and mine — are part of botnets, making it nearly impossible to find the real criminal.
"If I'm the bank, I go back and say, 'Hey, I saw this login from this address.' I go to check that address, and it belongs to a grandmother in Sioux Falls. Basically the trail is dead at that point," Brandl says.
Giovanni Vigna, a professor at the University of California, Santa Barbara, who studies cybercrime, says it's basically a crime without risk.
"If you look at the size of what gets stolen, there are wildly varying estimates — we talk about billions, and you think about how many actual convictions there have been. It's amazingly low," Vigna says.
The incentives to join the underground are amazingly high. With just a couple hundred bucks, I could drain enough accounts to make $500,000 and grab data to resell on the hidden websites.