The Winlock numbers, the Winlock laws

While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.

Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.

Our statistical analysis tells us there could be around a million people who’ve been infected. 10 cybercriminals, each getting a cut of a ransom between $10 and $30 – even though they were paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.

Of course, the guys who’ve been arrested weren’t the only ones involved. The phone service providers and content providers are also heavily implicated: the first because they registered short numbers to content providers, and the second because they were the ones who sent the unlock codes. In return for these ‘services’, they took a chunk of the SMS fee: around 50% and 20% respectively.

This whole case really highlights some of the legislative issues that need to be addressed if cybercrime’s going to be taken seriously. Most of the victims are in former Soviet-bloc countries, where it’s very easy to register a premium pay number – you don’t need to show any ID or even sign a contract. No surprise that criminals are actively exploiting this, and it’s an area the phone service providers really need to address!

There’s also an issue around the content providers – these guys make it possible to get all sorts of stuff like music, games etc. by sending messages to premium numbers. Law enforcement is now scrutinizing their role in this case pretty heavily: it’s suspected that they might have covered up for the malware writers in return for – once again – a cut of the profits. But while the prosecutors may be sure the content providers are guilty, they’ll have to prove it. And this can only be done if someone confesses, turns state’s evidence, or if malware source code is found on the providers’ servers.

We’re hoping that serious penalties are going to be handed down in this case, but we’re not exactly bullish on the outcome. We’ll keep you posted.

In the meantime, I’m off to talk to Eugene about my cut of the bets 🙂