Recorded Future analyzed current data from the Recorded Future® Platform, as well as dark web and open-source intelligence (OSINT) sources, to review botnets (“not-auto buy” botnets) that facilitate nefarious activities by threat actors. This report expands upon findings outlined in “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”. It will be of most interest to anti-fraud and network defenders, security researchers, and executives charged with security and fraud risk management and mitigation.

Executive Summary

Botnets are networks of computers infected by malware (such as computer viruses, keyloggers, and other malicious software) that are controlled remotely by online threat actors to garner financial gain or to launch attacks on websites or networks. When a computer is infected by a botnet, it communicates and receives instructions from command-and-control (C2) computers located around the globe. Many botnets are designed to harvest data, such as passwords or phrases, Social Security numbers (SSNs), credit card numbers, addresses, telephone numbers, and other personally identifiable information (PII). The data is then used for nefarious purposes, such as identity theft, credit card fraud, spamming or phishing, website attacks, and malware distribution.

Key Judgments

• While IcedID has surged in spam volume, TrickBot and QakBot have shown much more consistency in the volume of spam and infection traffic pertaining to fraud purposes since Emotet’s takedown.
• Financially motivated threat actors, nation-state actors, and APTs in various international regions will continue to use botnets for fraudulent purposes to attack targets.
• Underground forum courses on how to best use botnets will remain popular among threat actors for the foreseeable future, particularly as the world becomes increasingly digitized.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.