There is a common-sense rule that says: to make a substantial amount of money in a market where the conversion rate is small, you have to increase your target audience and find as many ways possible to reach potential customers.
You want a mass market.
Cyber-criminals seek the same thing. With increasing numbers of computer types, tablets, smart phones, etc., the pool of potential customers (or victims) is greatly expanding.
Until recently, Mac OS users were lulled into believing they were immune from malware and other cyber attacks. But they, too, have become potential victims for the same old fake AV tricks that fool people into downloading and installing a malicious executable. Macs have also become targets for clickjacking, where web pages are redirected to a different URL based on the victim’s IP address (a user believes he’s clicking on a legit site then suddenly finds himself on a page advertising that famous blue pill, for example). Many other examples can also be found.
These behaviors are the result of a TDS: Traffic Distribution System. This isn’t some brand-new technology that recently popped up in the wild; it’s been out there for some time now. There are several TDS software packages available, e.g., Sutra, Kallisto, Simple TDS, etc., that pretty much do the same things (with varying degrees of complexity and parameterization levels):
- Filtering HTTP traffic and redirecting a user based on his IP, HTTP origin, geo-localization, etc.
- Having load-balancing scripting capabilities
- Gathering statistics on visits, individual IPs, etc.
- Password protection
- Protecting against crawlers to avoid discovery, and so on
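From the defender's side, the feature list above has a visible fingerprint in web-proxy or gateway logs: one entry URL whose outcome (redirect target, or a plain page for crawlers) depends on the visitor's profile rather than being the same for everyone. The script below is an added example, not code from the original post or from any TDS product; it parses a few constructed log lines in an assumed space-separated format (timestamp, client IP, country, User-Agent class, requested URL, status, redirect target) and flags URLs where a single client attribute fully explains which destination each visitor got. All sample hosts, IPs and values are constructed for the example.

```python
"""Flag TDS-style conditional redirects in proxy logs (added example).

A Traffic Distribution System hands out different destinations depending on
the visitor's IP/geo, User-Agent or Referer, and serves crawlers something
harmless. In logs that shows up as one URL with several distinct outcomes,
where a client attribute (here: User-Agent class or country) predicts the
outcome exactly. Ordinary redirects (everyone goes to the same place) and
plain pages are left alone. Log format and sample data are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines: ts ip country ua_class url status redirect_target
SAMPLE_LOG = """\
2012-05-01T10:00:01Z 203.0.113.10 US mobile  http://example.test/go 302 http://pharma.example/offer
2012-05-01T10:00:05Z 203.0.113.11 US desktop http://example.test/go 302 http://news.example/article
2012-05-01T10:00:09Z 198.51.100.7 DE desktop http://example.test/go 302 http://news.example/article
2012-05-01T10:00:12Z 198.51.100.8 DE mobile  http://example.test/go 302 http://pharma.example/offer
2012-05-01T10:00:20Z 203.0.113.12 US bot     http://example.test/go 200 -
2012-05-01T10:01:00Z 203.0.113.13 US desktop http://example.test/about 200 -
2012-05-01T10:01:03Z 198.51.100.9 DE mobile  http://example.test/about 200 -
2012-05-01T10:02:00Z 203.0.113.14 US mobile  http://example.test/login 302 http://example.test/sso
2012-05-01T10:02:04Z 198.51.100.3 DE desktop http://example.test/login 302 http://example.test/sso
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<country>\S+)\s+(?P<ua_class>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    ip: str
    country: str
    ua_class: str
    url: str
    status: int
    target: str


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        hits.append(Hit(**d))
    return hits


def outcome(hit):
    """What the visitor actually received: the redirect target for 3xx, else the page."""
    if 300 <= hit.status < 400:
        return "redirect:" + hit.target
    return "served:%d" % hit.status


def find_conditional_redirects(hits, attributes=("ua_class", "country")):
    """Return {url: {attribute: {value: outcome}}} for URLs whose outcome is
    decided by a single client attribute.

    A URL is flagged on an attribute when every value of that attribute maps
    to exactly one outcome and at least two values get different outcomes.
    """
    by_url = defaultdict(list)
    for h in hits:
        by_url[h.url].append(h)

    findings = {}
    for url, group in by_url.items():
        if len({outcome(h) for h in group}) < 2:
            continue  # same treatment for everyone: plain page or ordinary redirect
        for attr in attributes:
            per_value = defaultdict(set)
            for h in group:
                per_value[getattr(h, attr)].add(outcome(h))
            consistent = all(len(s) == 1 for s in per_value.values())
            distinct = {next(iter(s)) for s in per_value.values()}
            if consistent and len(distinct) >= 2:
                findings.setdefault(url, {})[attr] = {
                    v: next(iter(s)) for v, s in per_value.items()
                }
    return findings


if __name__ == "__main__":
    for url, by_attr in find_conditional_redirects(parse_log(SAMPLE_LOG)).items():
        for attr, mapping in by_attr.items():
            print("%s: outcome decided by %s" % (url, attr))
            for value, out in sorted(mapping.items()):
                print("    %-8s -> %s" % (value, out))
```

On the sample data only `/go` is reported, and only on `ua_class`: mobile visitors are sent to one host, desktop visitors to another, and the crawler gets a harmless 200, which is exactly the anti-crawler behaviour in the list above. `/login` redirects everyone to the same place and is not flagged, so plain redirects do not produce noise; `country` does not explain `/go` because both countries see a mix of outcomes. In a real deployment the attribute set would come from whatever the proxy records (Referer, ASN, language header) and the check would run per time window, since a TDS can change its rules over time.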
And these little beasts are being used more frequently as the core technology behind evil acts like the recently reported Black Hat SEO, impacting a greater number of sites. They are also behind the marked increase in Mac OS-based malware, thanks to Apple’s expanding customer base.
The trick is that one never hears about these things. Because of the diversification of the victims’ origins (computers, tablets, etc.), they have become very attractive to anyone wanting to specifically tailor certain behaviors based on a victim’s profile.
A funny anecdote: A few weeks ago, I was browsing some sites where developers searching for contracts and potential clients meet. Those sites typically involve auctions where clients post their contract offers and developers bid for the offers. The bids are typically very low for a substantial amount of work (which makes me wonder about the quality of the work, but that’s another story). I was glancing over the offers when one caught my attention: after quickly analyzing what was being asked, I realized that the client was looking to hire someone to make an exact replica of Sutra TDS with improvements (the Sutra feature list matched the ‘software requirements’ description without any further explanation). The improvements listed related mostly to better filtering options, more statistics, more resilience (failover URLs), anti-bot features, etc.
I was amused by that, but it also made me realize that if I could find one TDS example that was about to be developed, then there must be several more on the same path.
Someone will eventually get that contract (it was listed at $400 with a schedule of 20 days, by the way) and build something that will make the TDS ecosystem grow larger. The quality will most likely be so-so, but those improvements will themselves trigger other improvements, and so on, thereby greatly increasing the overall complexity and adaptability of these tools. Because ultimately that’s the goal: a tool that can be scripted, tailored and easily morphed into something else: this is the core feature of any ‘surviving’ piece of technology.