1/19/2011 03:36 PM

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

As profit-driven attack toolkits and their supporting botnets muscle up, organizations need more than technology to defend themselves.

Who uses attack toolkits? The graphics on the login page for the top-selling Crimepack attack toolkit -- reproduced in the recently released "Symantec Report on Attack Kits and Malicious Websites" -- provide a clue: The Crimepack name appears over a pair of brass knuckles. A futuristic-looking mobile device is the graphic backdrop for entering username and password. The surrounding surface is littered with a wallet, scattered $100 and €50 bills, a Colt .45, and white powder.

In other words, the attack toolkit's graphics strongly suggest a product being marketed to young, male criminals with a smattering of computer and networking knowledge and too many hours of Mafia Wars under their belt.

"It used to be that a lot of the cybercrime was computer guys who got into crime. They were really good at being computer guys, but not so good at crime," says Marc Fossi, executive editor of the Symantec report. "Now with the kits, you have guys who are good at being criminals, they know about things like money laundering and using money mules, and because of the kits, they can get into cybercrime." They're also better than the geeks at not getting caught.

Computer and networking savvy is no longer a prerequisite for launching online attacks, as today's toolkits do it all. "For the most part, they've become ridiculously simple to use -- as opposed to some of the attacks you can launch with them," says Fossi, who likens their evolution to Web pages.

Just as coding Web pages by hand in Notepad gave way to WYSIWYG applications, and Web sites today can launch an e-commerce capability with little more than the click of a button, today's attack toolkits automate previously time-consuming activities, such as hand-coding obfuscated iFrame code that will surreptitiously redirect a browser to a malicious Web site. "Obfuscating iFrame code is something that people can do, but it's very tedious to do it yourself, by hand," says Fossi. But he found that the Fragus toolkit will do it for you, buying criminals more time for launching attacks. In business terms, it's a win-win for crimeware vendors and their customers.

Successful attack toolkits likely earn their creators a lot of money, which gives them more incentive to innovate, creating easier-to-use software that can exploit the latest vulnerabilities and earn them even more money. Toolkits also sustain a complementary cybercrime ecosystem. This includes command-and-control botnets, malicious advertisements, spam campaigns that deliver attack code, and poisoning search engine results to redirect people to sites that install the attack kit malware via drive-by downloads. The better the ecosystem, the more effective the toolkit.

But that success can come at a price, as Fossi found on a forum where criminals sell stolen credit card data. "One funny thing we saw is that they'd banned all advertising for the Zeus kit, because it was attracting too much attention to their forum," he says. "Because obviously it's not just people who are buying the kits who are searching for it, but also law enforcement."

To be sure, some criminals are being caught. "In Operation Trident, they allegedly used Zeus to steal about $70 million over an 18-month period, so it's not like this is all small potatoes," says Fossi. But as with all lucrative criminal pursuits, a few arrests probably won't stop people who crave the profits.

What's a business to do? Interestingly, Iftach Ian Amit, VP of business development at security consulting firm Security Art, found that criminals even use toolkits for attacks aimed at stealing specific types of information. These attacks tend to target not a specific individual or device, but a small group of users. While attackers may tweak the attack code, oftentimes they don't have to.

Accordingly, study how today's attacks succeed to identify the best defense. "Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people," Amit says. "Most organizations, however, are still looking for a technical panacea."

Instead, he recommends more frequent training and education for employees, to help them spot and defend themselves against the latest attacks, especially exploits with a social engineering component. In other words, be vigilant. And that means not relying on technology to save you.

