
Crimeware-as-a-Service: The next great thing in malicious attacks

Crimeware-as-a-Service brings ease of use and outsourced infrastructure to any criminal, anywhere. While I am certain that is comforting to the crook, it sure doesn't bring peace of mind to the average man or woman whose details are being bought and sold on the open market.

We have all learned the hard, ugly truth about malicious software and the proliferation of software available to do horrible things to our computers. But Crimeware-as-a-Service?

I think that, secretly, many IT professionals give computer criminals very little thought. I, for one, have difficulty conjuring a sinister image. Instead, I tend to think of a pimply post-adolescent in Mom's basement, wreaking havoc on the cyber landscape one minute and apologizing to Mom for his dirty footprints across her clean floor the next. I have all the anti-malware tools I need, but tend to see the perpetrator of malicious electronic acts as somewhat laughable. I would be wrong in most cases.

At the RSA 2008 conference, Finjan, a leader in secure Web gateway products, released a report identifying and analyzing the latest trends in the commercialization of cybercrime.

From the report:

Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites.

"Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it," said Yuval Ben-Itzhak, CTO of Finjan.

As with mainstream software providers, the creators and owners of these crimeware toolkits provide their customer base with update mechanisms while tooling them with sophisticated, anti-forensic attack techniques, as well as the ability to manage and monitor malicious code affiliation networks. It enables a new level of crimeware availability by supplying anyone willing to purchase an easy-to-use crimeware toolkit.

Okay, that's scary. And it's reality. Crimeware-as-a-Service? Crimeware toolkits? Whatever happened to disaffected script kiddies?

The fact is that there are code criminals everywhere. We just didn't happen to notice that they had become their own economy. Our collective bad.

From Dark Reading:

Researchers at Finjan, MarkMonitor, and Trend Micro are among those seeing a new cybercrime business model, where sophisticated cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point and click criminal software as a service -- often with customer service guarantees. The trend is one of the key findings in Finjan's new Web Security Trends Report for the first quarter of this year, which the company released today.

"We are starting to see more sites like this, where criminals are going another step forward and turn out to be a service, a cybercrime as a service," says Yuval Ben-Itzhak, CTO at Finjan.

"With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes," he says. This lets other criminals who don't want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.

"This is another step forward for criminals to improve their market, the commercialization of stolen data," he says.

Given this level of sophistication, do we have any sense of the value of our information? I do, and it isn't hopeful. In fact, it doesn't make me wonder that there is a growing trend to market infrastructure to harvest this information. While it is precious to you and me, this report from FraudArena tells me how little my personal information is worth. I'll give you a high-level look, but check the site.

$1.50 credit card number, cvv2
$5-$50 stolen medical ID card
$6-$18 basic identity information
$6 British passport number and bank details
$7 hijacked PayPal account with credentials
$14-16 "fulls" (a complete set of data identifiers, i.e. name, address, social security number, bank account, and mother's maiden name)
$30 Passwords and codes to access consumer credit reports
$30-$300 immigration papers with a social security card

Your personal identification is not terribly valuable (except to YOU) and can now be harvested by criminals with an infrastructure as sophisticated as the company you work for -- and, in some cases, more sophisticated. This should be at least a wake-up call for anyone with a laissez-faire attitude about their personal security.

We have talked at length about personal security, why we need it, and how to get there. While I don't find a tin-foil hat a fashion statement, I think I will be reviewing how, when, and where my personal details are being used and managed.

How about you? Do you know where your private information is?

More information:

Crimeware-as-a-Service taking off (InfoWorld)

Security firm warns of Crimeware-as-a-Service Toolkit Trend (PC World)

18 comments
LouCed

one thing to depress all. Your personal data is only as safe as the weakest keeper of that data.

dcolbert

In a globalized economy where talented domestic workers cannot compete with workers from another nation with similar education and skills but a far lower pay-scale, those marginalized domestic workers abandoned by global corporations will still need to find a way to survive. Yes, my argument is that outsourcing fuels cybercrime growth and increases corporate costs across the enterprise. It is the whole idea of the underemployed Tech worker revisited. Funny that great minds like Andy Grove and Bill Gates who deplore the lack of domestic workers skilled in the sciences haven't thought about THIS aspect. Second off, I don't think legitimate business is necessarily that well organized or efficient at executing - especially in partnership with other legitimate external businesses. The idea that there are elaborate hacking and cybercrime networks filled with dark, exotic foreigners with m@d h@4k1nG $ki11Z is a bit far fetched. I'm sure there are some organizations out there that are very well networked and have solid partnerships - but those organizations are going to be very cautious by nature. That still leaves the VAST majority of potential compromises executed by the script kiddies. This article strikes me as sensationalist tech-journalism. It is worrying about Al Qaeda when you're far more likely to get your number called driving home from the data center on the Interstate in your Honda. I'm not trying to trivialize the threat, mind you. I think the whole concept of datacenter security is an illusion. If there ARE organizations like this, it is unlikely that most of the Fortune 500 shops I've worked with could REALLY stop them from getting in, if they wanted to. I worked for a major corporation among the most respected technology companies in the world, and the FunLove virus (among others) ran like fire through their datacenter and desktops despite world-class efforts at security. One rogue server is all it takes to compromise your network. 
The funny thing was that that little cluster of infections didn't have any actual data-integrity or compromise impact. The cost was simply in responding. All of my experience with these infections have been similar. My guess is that if you're experiencing a data compromise/leak, it is so quiet and back-door that you're not going to know about it for years.

BALTHOR

There is only one computer on Earth that can write computer virus. This computer has to remain in one location and can never be moved otherwise it will lose the software writing log in and link. Nobody ever writes bad software. The virus are wired in after the software writer is finished writing the program. EULA and Demo are examples. The only way to enter a computer to hack is with virus. There are very few indeed that can actually write software. Uploading is done with the al-Qaeda network, these are suicide bombers. If it were a few teens the Government would stop them immediately. Stopping terrorists apparently takes longer.

JCitizen

it was just inevitable that crime services would follow. I'm not surprised at all; suspected it anyway.

DarkrShadeOfBlue

Good article, a smack in the face by reality. I've heard in some forums working credit cards and other identity information are being sold in bulk, as many as 500 identities in a package for as little as $.40 per identity. Pretty scary, makes me think that perhaps my identity data has already probably been stolen at least once, just maybe not used yet.

Tig2

I have a greater than normal awareness of the value of my personal information. My identity has been stolen and I am still dealing with the after-effects. The good news is that some institutions are getting better about managing the Non-Public Personal Information (NPI) that they have. The bad news is that criminals are getting smarter. Crimeware-as-a-Service means that the local criminal has access to infrastructure and tools that are generally hosted in a country that has different laws than the United States (as if the criminal cares about the law) and can access this infrastructure and these tools to wreak havoc on people who are already having a difficult time of it. Recession and unemployment, anyone? Obviously, it is up to us to manage our personal information. But sometimes it seems like we are playing a losing game.

wratholix

al-Qaeda doesn't know jack about hacking except with wood, they hire groups of people like described in the post to do it for them. Also I just want to mention that any computer can be used to write viruses. You can even download the source files from the web. Compile and go.. Hacking into a computer is not only done by a virus, what happened to using a plain axe :P Exploiting using buffer overflows in popular but vulnerable software are the most common targets. Writing a mad virus with some hacking skills through the use of self obtained or unreleased software exploits could possibly do the job for you by spreading itself. Still, pull that off on a large scale you better be da Vinci in virus coding and last I checked there were not many da Vincis.

dcolbert

I imagine that the reason the cost of personal information is so inexpensive and sold in bulk is because of accuracy and legitimacy - the same reason Warez lists and User ID/PW site lists are published free in bulk on the web... I bet a criminal would be happy if 1 out of 10000 was live.

Dr Dij

they keep telling us: 'outsource your non-core operations' ! pretty soon they'll have crime.com and crimeinc.com, and dirty-deeds-done-dirt-cheap.com :) They could hire scummy C** personnel from large companies that have re-instated their losses in billions and gone bankrupt like Enron after committing huge frauds, or fraudulently complicated schemes to hide that they have no assets and are a ponzi scheme, like the large Italian ag conglomerate a few years back that had billions of fake letters of credit assets.. These people already know how to commit crime on a large scale. Now it seems they could hire a few of these FAA inspectors who were paid off to ignore airline's inspection requirements, and threatened to fire anyone below them who squealed. and they could hire Colombians and TJ residents for their experience in kidnapping. I wonder competing crime syndicates would target each other's C level execs? murderinc has already been shut down tho, so that biz model will have to wait. Need to knock out a competitor's web site? just log into crime-ddos.com at 1-800-zombie-bot! (humming a catchy jingle 1-800-zombie...that's the name, and away go competitors down the drain!) They can even have cutesy little jet black somethings that look cool, maybe scions, or nitros, with the logo 'wireless attack squad' similar to geek squad vw's, filled with scanning gear. 30 minutes to get them to park in your competitor's or retailer with unsecured WEP parking lot, or your next 1000 stolen credit-card #s are FREE!

meryllogue

I read the Tad Williams Otherland series. Way futuristic. I have been iTuning and listening to old CW (George Jones - Window Up Above, for example). Way "cone-bra." And between those two extremes, it seems we have, in one form or another in nearly every country of this world, lost some of the basics of humanity. The days of cone-bras brought us bigotry and hatred. Today we are less so that way, but we have traded it for amazing acts of violence to one another, INCLUDING this ability for massive assault on a virtual level. In both physical and virtual terms, it seems we have gone so far over and above what was considered "violence" when George Jones was singing of losing his love from the window up above. Where will it end? Or will it? Will it just keep spiraling upwards? I know for a fact that I have more personal freedom than I did when I was a teenager and 20-something. On the other hand, I know the possibility of dying a horrible, violent death is much higher than it was then. Do you remember New York's spectator death of the young woman on the sidewalk at night? Even that seems tame today, in light of 9/11, African genocides, creeps slicing women up because with each slice the smell of hot blood was intoxicating (yes... from the local newspaper in Eugene Oregon back in about 1994). Now I want to go back to bed. Holy moly. Is it a losing game, as Tigger observes in her last sentence?

JCitizen

Good one Doc! Very funny!

MarioAt

It's those damn internets! But seriously, and this is in no way meant to praise those who would steal my Mom's social security number, ruthless times make ruthless people. As the job market gets worse, as outsourcing and contracting drives IT salaries and rates right to the legal minimum and under, as more and more IT pros face foreclosure and bankruptcy, you're going to have more and more people decide to compromise their values just this once...for a few mortgage payments, or a new car or home theater, what's that cash job you did that one time? Others will get in deeper following the allure of the fast lane, and help the Mafia as they modernize, streamline and go paperless - just like any modern business does. So what's the solution? Well, public education - teaching the online shopping minions what https is and why it is important. Other common sense education too, like why the lowest price items are cheaper than everyone else. As to personal values, when oneself is hurt or one's loved ones are hurt by criminals, your attitude changes. Maybe if we launched a counter-strike! Well, it's a dream, but sometimes dreams are all we have to get through the workday.

JCitizen

I don't see the comparison between violent crime and the white-collar type of cyber-crook. The lack of morality is so; however. Cone-bras? Wow! Maybe I have slept somewhere for twenty; like Ichabod Crane. I thought they were just a silly '90s sort of thing.

JCitizen

with her '90s frontal dunce caps; nothing new under the sun! After I got rid of my satellite dish I killed my TV; I will miss the Science and History Channel however. :p

meryllogue

lol. '50s, '60s. Thanks to Seanferd for the name of Kitty Genovese. I just recently read an article on that. It was considered a new high in societal breakdown at the time. It pales by today's standards, unfortunately. It seems like today we have an overload of violent input, and it affects how we view our place and role in society. I have been at friends' houses when they had the TV on a show that was so violent and disturbing that I had to go sit with my back to the TV, but the kids (2 1/2 and 5) sat on the sofa, glued to the scenes. What does that do to their little brains that are still being hardwired at that age? Nothing good, I am sure. (Kill your TV; live longer.) Anyway, yeah, go watch a movie or two from the late '50s and early '60s. Cone-bra all the way. They all got torched in NYC by 1975 or so. :-)

boxfiddler

Hell - you gave a pretty big hint there. Because 'we'* choose to be. Not yet. *The apparent societal choice for things over people, convenience over difficulty, being friends with our kids and not parents, returning the same selfish, ugly and corrupted people to political power year after interminable year... I think you probably get my drift.
