Project Management

Crimeware-as-a-Service: The next great thing in malicious attacks

Crimeware-as-a-Service brings ease of use and outsourced infrastructure to any criminal, anywhere. While I am certain that is comforting to the crook, it sure doesn't bring peace of mind to the average man or woman whose details are being bought and sold on the open market.

We have all learned the hard ugly truth about malicious software and the proliferation of software available to do horrible things to our computers. But Crimeware-as-a Service?

I think that, secretly, many IT professionals give computer criminals very little thought. I, for one, have difficulty conjuring a sinister image. Instead, I tend to think of a pimply post-adolescent in Mom's basement, wreaking havoc on the cyber landscape one minute and apologizing to Mom for his dirty footprints across her clean floor the next. I have all the anti-malware tools I need, but tend to see the perpetrator of malicious electronic acts as somewhat laughable. I would be wrong in most cases.

At the RSA 2008 conference, Finjan, a leader in secure Web gateway products, released a report identifying and analyzing the latest trends in the commercialization of cybercrime.

From the report:

Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites.

"Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it," said Yuval Ben-Itzhak, CTO of Finjan.

As with mainstream software providers, the creators and owners of these crimeware toolkits provide their customer base with update mechanisms while tooling them with sophisticated, anti-forensic attack techniques, as well as the ability to manage and monitor malicious code affiliation networks. It enables a new level of crimeware availability by supplying anyone willing to purchase an easy-to-use crimeware toolkit.

Okay, that's scary. And it's reality. Crimeware-as-a-Service? Crimeware toolkits? Whatever happened to disaffected script kiddies?

The fact is that there are code criminals everywhere. We just didn't happen to notice that they had become their own economy. Our collective bad.

From Dark Reading:

Researchers at Finjan, MarkMonitor, and Trend Micro are among those seeing a new cybercrime business model, where sophisticated cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point and click criminal software as a service — often with customer service guarantees. The trend is one of the key findings in Finjan's new Web Security Trends Report for the first quarter of this year, which the company released today.

"We are starting to see more sites like this, where criminals are going another step forward and turn out to be a service, a cybercrime as a service," says Yuval Ben-Itzhak, CTO at Finjan.

"With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes," he says. This lets other criminals who don't want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.

"This is another step forward for criminals to improve their market, the commercialization of stolen data," he says.

Given this level of sophistication, do we have any sense of the value of our information? I do, and it isn't hopeful. In fact, it doesn't make me wonder that there is a growing trend to market infrastructure to harvest this information. While it is precious to you and I, this report from FraudArena tells me how little my personal information is worth. I'll give you a high-level look, but check the site.

$1.50 credit card number, cvv2
$5-$50 stolen medical ID card
$6-$18 basic identity information
$6 British passport number and bank details
$7 hijacked PayPal account with credentials
$14-16 fulls" are a complete set of data identifiers, i.e. name, address social security number, bank account, and mothers maiden name
$30 Passwords and codes to access consumer credit reports
$30-$300 immigration papers with a social security card

Your personal identification is not terribly valuable (except to YOU) and can now be harvested by criminals with an infrastructure as sophisticated as the company you work for — and, in some cases, more sophisticated. This should be at least a wake up call for anyone with a laissez-faire attitude about their personal security.

We have talked at length about personal security, why we need it, and how to get there. While I don't find a tin-foil hat a fashion statement, I think I will be reviewing how, when, and where my personal details are being used and managed.

How about you? Do you know where your private information is?

More information:

Crimeware-as-a-Service taking off (InfoWorld)

Security firm warns of Crimeware-as-a-Service Toolkit Trend (PC World)

Editor's Picks

Free Newsletters, In your Inbox