Vulnerabilities / Threats
1/19/2011
03:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

As profit-driven attack toolkits and their supporting botnets muscle up, organizations need more than technology to defend themselves.

Who uses attack toolkits? The graphics on the login page for the top-selling Crimepack attack toolkit -- reproduced in the recently released "Symantec Report on Attack Kits and Malicious Websites" -- provide a clue: The Crimepack name appears over a pair of brass knuckles. A futuristic-looking mobile device is the graphic backdrop for entering username and password. The surrounding surface is littered with a wallet, scattered $100 and €50 bills, a Colt .45, and white powder.

In other words, the attack toolkit's graphics strongly suggest a product being marketed to young, male criminals with a smattering of computer and networking knowledge and too many hours of Mafia Wars under their belt.

"It used to be that a lot of the cybercrime was computer guys who got into crime. They were really good at being computer guys, but not so good at crime," says Marc Fossi, executive editor of the Symantec report. "Now with the kits, you have guys who are good at being criminals, they know about things like money laundering and using money mules, and because of the kits, they can get into cybercrime." They're also better than the geeks at not getting caught.

Computer and networking savvy is no longer a prerequisite for launching online attacks, as today's toolkits do it all. "For the most part, they've become ridiculously simple to use -- as opposed to some of the attacks you can launch with them," says Fossi, who likens their evolution to Web pages.

Just as coding Web pages by hand in Notepad gave way to WYSIWYG applications, and Web sites today can launch an e-commerce capability with little more than the click of a button, today's attack toolkits automate previously time-consuming activities, such as hand-coding obfuscated iFrame code that will surreptitiously redirect a browser to a malicious Web site. "Obfuscating iFrame code is something that people can do, but it's very tedious to do it yourself, by hand," says Fossi. But he found that the Fragus toolkit will do it for you, buying criminals more time for launching attacks. In business terms, it's a win-win for crimeware vendors and their customers.

Successful attack toolkits likely earn their creators a lot of money, which gives them more incentive to innovate, creating easier-to-use software that can exploit the latest vulnerabilities and earn them even more money. Toolkits also sustain a complementary cybercrime ecosystem. This includes command-and-control botnets, malicious advertisements, spam campaigns that deliver attack code, and poisoning search engine results to redirect people to sites that install the attack kit malware via drive-by downloads. The better the ecosystem, the more effective the toolkit.

But that success can come at a price, as Fossi found on a forum where criminals sell stolen credit card data. "One funny thing we saw is that they'd banned all advertising for the Zeus kit, because it was attracting too much attention to their forum," he says. "Because obviously it's not just people who are buying the kits who are searching for it, but also law enforcement."

To be sure, some criminals are being caught. "In Operation Trident, they allegedly used Zeus to steal about $70 million over an 18-month period, so it's not like this is all small potatoes," says Fossi. But as with all lucrative criminal pursuits, a few arrests probably won't stop people who crave the profits.

What's a business to do? Interestingly, Iftach Ian Amit, VP of business development at security consulting firm Security Art, found that criminals even use toolkits for attacks aimed at stealing specific types of information. These attacks tend to target not a specific individual or device, but a small group of users. While attackers may tweak the attack code, oftentimes they don't have to.

Accordingly, study how today's attacks succeed to identify the best defense. "Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people," Amit says. "Most organizations, however, are still looking for a technical panacea."

Instead, he recommends more frequent training and education for employees, to help them spot and defend themselves against the latest attacks, especially exploits with a social engineering component. In other words, be vigilant. And that means not relying on technology to save you.

SEE ALSO:

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio