Vulnerabilities / Threats
1/19/2011
03:36 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

As profit-driven attack toolkits and their supporting botnets muscle up, organizations need more than technology to defend themselves.

Who uses attack toolkits? The graphics on the login page for the top-selling Crimepack attack toolkit -- reproduced in the recently released "Symantec Report on Attack Kits and Malicious Websites" -- provide a clue: The Crimepack name appears over a pair of brass knuckles. A futuristic-looking mobile device is the graphic backdrop for entering username and password. The surrounding surface is littered with a wallet, scattered $100 and €50 bills, a Colt .45, and white powder.

In other words, the attack toolkit's graphics strongly suggest a product being marketed to young, male criminals with a smattering of computer and networking knowledge and too many hours of Mafia Wars under their belt.

"It used to be that a lot of the cybercrime was computer guys who got into crime. They were really good at being computer guys, but not so good at crime," says Marc Fossi, executive editor of the Symantec report. "Now with the kits, you have guys who are good at being criminals, they know about things like money laundering and using money mules, and because of the kits, they can get into cybercrime." They're also better than the geeks at not getting caught.

Computer and networking savvy is no longer a prerequisite for launching online attacks, as today's toolkits do it all. "For the most part, they've become ridiculously simple to use -- as opposed to some of the attacks you can launch with them," says Fossi, who likens their evolution to Web pages.

Just as coding Web pages by hand in Notepad gave way to WYSIWYG applications, and Web sites today can launch an e-commerce capability with little more than the click of a button, today's attack toolkits automate previously time-consuming activities, such as hand-coding obfuscated iFrame code that will surreptitiously redirect a browser to a malicious Web site. "Obfuscating iFrame code is something that people can do, but it's very tedious to do it yourself, by hand," says Fossi. But he found that the Fragus toolkit will do it for you, buying criminals more time for launching attacks. In business terms, it's a win-win for crimeware vendors and their customers.

Successful attack toolkits likely earn their creators a lot of money, which gives them more incentive to innovate, creating easier-to-use software that can exploit the latest vulnerabilities and earn them even more money. Toolkits also sustain a complementary cybercrime ecosystem. This includes command-and-control botnets, malicious advertisements, spam campaigns that deliver attack code, and poisoning search engine results to redirect people to sites that install the attack kit malware via drive-by downloads. The better the ecosystem, the more effective the toolkit.

But that success can come at a price, as Fossi found on a forum where criminals sell stolen credit card data. "One funny thing we saw is that they'd banned all advertising for the Zeus kit, because it was attracting too much attention to their forum," he says. "Because obviously it's not just people who are buying the kits who are searching for it, but also law enforcement."

To be sure, some criminals are being caught. "In Operation Trident, they allegedly used Zeus to steal about $70 million over an 18-month period, so it's not like this is all small potatoes," says Fossi. But as with all lucrative criminal pursuits, a few arrests probably won't stop people who crave the profits.

What's a business to do? Interestingly, Iftach Ian Amit, VP of business development at security consulting firm Security Art, found that criminals even use toolkits for attacks aimed at stealing specific types of information. These attacks tend to target not a specific individual or device, but a small group of users. While attackers may tweak the attack code, oftentimes they don't have to.

Accordingly, study how today's attacks succeed to identify the best defense. "Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people," Amit says. "Most organizations, however, are still looking for a technical panacea."

Instead, he recommends more frequent training and education for employees, to help them spot and defend themselves against the latest attacks, especially exploits with a social engineering component. In other words, be vigilant. And that means not relying on technology to save you.

SEE ALSO:

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web