There’s big business in finding and exploiting the software flaws we seem to hear about nearly every day now.
Google pays bounties of $200,000 to hackers who find holes in its software, and payouts of $20,000 or more are said to be common. Companies like Google, Microsoft and others would rather pay this one-time bounty to the best of the hackers than risk the damages implicit in an exploit from ‘the bad guys.’
In 2016, a company called Zerodium boosted the rate they’ll pay for exploits that hack the iPhone from half a million to 1.5 million dollars. According to The Economist (5-20-17), mundane exploits for web browsers that a few years ago earned $5,000 now sell for many tens of thousands.
Oftentimes, today’s brokers will buy hacks themselves from freelance hackers who make it a profitable hobby. They then sell these to someone who can use them. Government agencies in the U.S. and Europe are eager customers.
On the other hand, messages on WikiLeaks show that at least one broker called ‘The Hacking Team’ sold exploits to Egypt, Russia, Sudan and UAE among others. It’s a complicated market.
As one can imagine, there’s a big demand in the shadow markets, where many customers are simply criminals. The infamous ransomware hack called WannaCry is said to have been exchanged in this way. Often, “someone will sell you an exploit,” notes The Economist, “so someone else will sell you a warning.”
A firm in Phoenix, AZ called CYR3CON produces reports of possible threats based on its online scraping of posts and blogs in 15 languages from hackers involved in the field.
In fact, just ahead of the WannaCry attack which froze data on Windows PCs around the world, CYR3CON’s software “picked up chatter about exploits designed for just that task.” It later noted that over 60,000 computers had had the exploit installed but not yet activated. Many were medical facilities that had previously paid up “without unnecessary conversations.” Those subscribing to CYR3CON’s services could take precautions. Others, The Economist’s editors point out, “were not so lucky.”
People increasingly seem to have a fundamental disregard for security, notes independent security expert Bruce Schneier, despite the fact that worms and other malware infections caused billions of dollars of damage in the previous decade. The defenses keep getting better but, it seems, so do the hacks.