Having acquired the infected machines, the group then hires them out at a hefty markup to anyone who wants to use them or plant their own malware on them.
Its origins are still uncertain – though most evidence points to it being based in Russia – and the individuals behind it are unknown. What is certain is that it poses a major threat to all PCs, whether at home or in companies, in the public or private sector.
Full details are presented in Finjan's latest Cybercrime Intelligence Report. "The Golden Cash network is far more than an average affiliation network operated by cybercriminals," it says. "Our research showed that there is something really major behind this one – an entire trading platform of malware infected PCs. It also provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware."
When it comes to selling, prices are considerably higher. Infected Australian PCs go at $500 per 1000, while their British counterparts cost $250. If you want something cheaper, then pay $120 per 1000 U.S. machines, or just $20 for a batch of 1000 Japanese machines.
Golden Cash provides its customers with all the tools they need to go out and infect computers, plus a simple means of getting paid for their efforts. The attack begins with an injection of IFrames into a legitimate website, which redirects users to a malicious website containing an exploit toolkit that infects other visitors.
One such toolkit detailed in the report makes use of obfuscated code, which is designed to get past traditional anti-malware defences and exploit an unpatched vulnerability.
Some of the malware discovered was also designed to collect FTP credentials of legitimate websites from infected PCs. 'These credentials are later being used to enable its partners to insert their IFrames with malicious code into the websites' pages. This creates a highly profitable loop," Finjan's research concludes.
The report adds that researchers found stolen FTP-credentials for around 100,000 Internet domains, including corporate domains from all parts of the world.
Ophir Shalitin, Finjan's marketing manager, described the discovery of Golden Cash as a "milestone, because it automates the cybercrime process. It really lowers the barrier for new cybercriminals. It makes it easy for them. It is a one-stop shop."
Howard Schmidt, president of the Information Security Forum, a user group representing more than 300 large corporations, said the development was symptomatic of a general arms race between the criminal and the security industry.
He said technology alone would never be able to prevent users from acting irresponsibly and getting infected, but it can help. "There will always be people who will say 'Continue' because they want to go ahead despite any warning," he said. "But look at how phishing emails have developed. You have to work really hard to be a victim of a phishing email these days, because of filters that have been built into browsers and email systems. We need to do the same kind of thing at the Web server to prevent infection, although that is a lot more difficult."