In the backrooms of the internet, an “explosion” of spyware products has changed cybercrime forever, putting more Australians at risk.
Over the past decade, the number of remote access Trojan spyware products on the black market has increased tenfold to at least 50, according to University of Melbourne senior cybersecurity lecturer Shaanan Cohney.
The increase coincides with a long-running shift in cybercrime – what was once a show of ego, dominance and control is now a lucrative business model.
“What we have seen is a relative explosion in the number of these products for sale,” Dr Cohney said.
“The gangs or the individuals that are selling and making this software … have an increased incentive to make it, because they realise that it could be profitable.”
Remote access Trojans are a popular type of spyware because they give users an “all-in-one” solution to steal information, Dr Cohney said.
With this broad suite of powers, attackers can monitor keystrokes to see what victims type, remotely turn on webcams and microphones, and download programs to mine cryptocurrency.
Data on remote access Trojan-specific attacks is scarce, but the Australian Federal Police last week announced that the alleged mastermind behind a product called Imminent Monitor had been charged.
More than 14,500 people across 128 countries bought it. Global cybersecurity firm Palo Alto Networks received 65,000 samples or reports about the program.
Police allege the 24-year-old made up to $400,000 off Imminent Monitor, selling the program for about $35 – a relatively small price, Dr Cohney says, considering some products go for tens of thousands.
More than one in three investigations conducted this year by Palo Alto Networks’ specialist cyber attack team were related to ransomware, making it the top attack.
Looking at historical data, that would mean about 24,300 annual Palo Alto Networks cybercrime reports are related to ransomware.
However, indications are that this number has increased alongside the proliferation of remote access Trojans, says the firm.
Palo Alto Networks, along with the FBI and European authorities, helped Australian police with the Imminent Monitor investigation.
“Authorities are typically going to focus on a particular jurisdiction (and), because we’re a multinational company, we’ve got that global viewpoint,” Palo Alto’s Japan and Asia Pacific region chief security officer Sean Duca said.
Knocking out one remote access Trojan only has limited impact, Dr Cohney said.
Tracking down the criminals behind them is “extremely difficult” and prosecutions are even rarer, says RMIT University cybersecurity Professor Matt Warren.
“When you talk about people being prosecuted in Australia for cybercrime, you can count them on a hand,” Prof Warren said.
The AFP believes the 24-year-old’s matter is the first case where a malware developer has been charged with aiding and abetting offences committed by their customers.
The police operation that led to his charges was the first of its kind in Australia.
Overseas, the situation becomes more complex. Russian authorities, for example, recruit ransomware gangs, Prof Warren explained.
He believes the relationship between private cybersecurity companies and authorities is a win-win situation, as authorities are often limited by expertise, wages and reach.
International authorities and companies are now conducting ongoing investigations together.
The Australian Federal Police has co-led the operation with Europol since 2019, and acknowledges the proliferation of malware poses a “significant challenge” to international law enforcement.