by johntiror 2962 days ago
The team say that distributed denial-of-service attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18 million per month. But the most profitable undertaking is click fraud, which generates well over $20 million a month of profit.

Does anyone know how those hacks can generate revenues? I mean how can a DDOS generate revenue? What kind of bank fraud can a botnet do? How can click fraud generate profit (I guess if you suddenly receive $20 million on your adsense account google will immediately ban you)?

> I mean how can a DDOS generate revenue?

You rent out the capacity. A few hours of N Gbps flooding, courtesy of 20-30 thousand compromised home systems and IoT shitware units: tens to maybe low hundreds of dollars.

Now assume that's only a couple of percent of the total capacity under the botnet's control. Also, there are 24 hours in a day - once the current blaster's rental time expires, you have another one lined up already.

I recall seeing numbers in some fairly old Krebs article, but can't find it right now.

Spot on - they’re often referred to as ‘stressers’ or ‘booters’, and can make a nice chunk of money. There’s always someone looking to knock someone off of Xbox Live or PSN, or even chance it and try to take down a popular website. Depending on the technique used and the size of the botnet, you can cause some sysadmins or SOCs a headache.

I’m sure anyone else in the ISP industry will tell you that anytime kids are off school (summer holidays or half term here in the UK) the DDoS alerts go up a notch or two.

A bit more than two notches I'd say. The correlation between those is pretty enormous.
It's funny how a small industry is built around this. I remember a few years ago you could pay a monthly fee and they would have tiers and live support.

It wasn't very pricy for small attacks, sometimes even free for anything under 300 seconds.

I suspect getting ~10k from ~2 thousand accounts spread across several advertising networks probably is much easier to hide.

Alternatively, splitting an extra 200k/month with a few large websites under the table probably works very well, as there is less to distinguish bots from the overall noise. Another approach is probably setting up the equivalent of advertising re-sellers, where you spend X$ on advertising and get slightly more than X$ in revenue, and then boost those results with click fraud.

I've heard that online gambling companies often get hit with DDOS attacks and then the attacker asks for a ransom/blackmail to stop DDOS. Since the online gambling company is losing money for every minute they are offline, they usually pay (and do so quietly of course).