Vulnerabilities / Threats
1/19/2011
03:36 PM
50%
50%

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

As profit-driven attack toolkits and their supporting botnets muscle up, organizations need more than technology to defend themselves.

Who uses attack toolkits? The graphics on the login page for the top-selling Crimepack attack toolkit -- reproduced in the recently released "Symantec Report on Attack Kits and Malicious Websites" -- provide a clue: The Crimepack name appears over a pair of brass knuckles. A futuristic-looking mobile device is the graphic backdrop for entering username and password. The surrounding surface is littered with a wallet, scattered $100 and €50 bills, a Colt .45, and white powder.

In other words, the attack toolkit's graphics strongly suggest a product being marketed to young, male criminals with a smattering of computer and networking knowledge and too many hours of Mafia Wars under their belt.

"It used to be that a lot of the cybercrime was computer guys who got into crime. They were really good at being computer guys, but not so good at crime," says Marc Fossi, executive editor of the Symantec report. "Now with the kits, you have guys who are good at being criminals, they know about things like money laundering and using money mules, and because of the kits, they can get into cybercrime." They're also better than the geeks at not getting caught.

Computer and networking savvy is no longer a prerequisite for launching online attacks, as today's toolkits do it all. "For the most part, they've become ridiculously simple to use -- as opposed to some of the attacks you can launch with them," says Fossi, who likens their evolution to Web pages.

Just as coding Web pages by hand in Notepad gave way to WYSIWYG applications, and Web sites today can launch an e-commerce capability with little more than the click of a button, today's attack toolkits automate previously time-consuming activities, such as hand-coding obfuscated iFrame code that will surreptitiously redirect a browser to a malicious Web site. "Obfuscating iFrame code is something that people can do, but it's very tedious to do it yourself, by hand," says Fossi. But he found that the Fragus toolkit will do it for you, buying criminals more time for launching attacks. In business terms, it's a win-win for crimeware vendors and their customers.

Successful attack toolkits likely earn their creators a lot of money, which gives them more incentive to innovate, creating easier-to-use software that can exploit the latest vulnerabilities and earn them even more money. Toolkits also sustain a complementary cybercrime ecosystem. This includes command-and-control botnets, malicious advertisements, spam campaigns that deliver attack code, and poisoning search engine results to redirect people to sites that install the attack kit malware via drive-by downloads. The better the ecosystem, the more effective the toolkit.

But that success can come at a price, as Fossi found on a forum where criminals sell stolen credit card data. "One funny thing we saw is that they'd banned all advertising for the Zeus kit, because it was attracting too much attention to their forum," he says. "Because obviously it's not just people who are buying the kits who are searching for it, but also law enforcement."

To be sure, some criminals are being caught. "In Operation Trident, they allegedly used Zeus to steal about $70 million over an 18-month period, so it's not like this is all small potatoes," says Fossi. But as with all lucrative criminal pursuits, a few arrests probably won't stop people who crave the profits.

What's a business to do? Interestingly, Iftach Ian Amit, VP of business development at security consulting firm Security Art, found that criminals even use toolkits for attacks aimed at stealing specific types of information. These attacks tend to target not a specific individual or device, but a small group of users. While attackers may tweak the attack code, oftentimes they don't have to.

Accordingly, study how today's attacks succeed to identify the best defense. "Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people," Amit says. "Most organizations, however, are still looking for a technical panacea."

Instead, he recommends more frequent training and education for employees, to help them spot and defend themselves against the latest attacks, especially exploits with a social engineering component. In other words, be vigilant. And that means not relying on technology to save you.

SEE ALSO:

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?