April 08, 2008
Crimeware-as-a-service taking off
Online malware threats have taken the next step in their evolution from piecemeal creations to commercialized products, with security researchers charting the arrival of a growing number of hosted data theft services.
In recent years, the level of expertise needed to create highly targeted threats has dropped dramatically as the marketing of so-called malware toolkits has made it possible for less technical schemers to build and launch attacks using commercialized exploit authoring tools.
Some of the more mature iterations of the toolkits have even offered ongoing automated product updates and customer support capabilities, allowing data thieves to successfully ply their trade with less coding skill necessary than ever before.
However, with the emergence of a newer, hosted "crimeware-as-a-service" model, aspiring cyber-criminals need only an idea of whom they would like to target, or what type of data they seek to steal, as an additional layer of automation has arrived.
Researchers with security appliance maker Finjan said that they have observed a series of the hosted crimeware services being advertised on underground message boards and black hat hacker chat rooms since the beginning of 2008.
Having infiltrated several of the operations, the researchers have found that the services have matured quickly in the last four months alone, said Yuval Ben-Itzhak, chief technology officer of Israel-based Finjan.
Customers of the services are able to select a particular type of data they would like to acquire, then merely sit back and wait for the stolen information to pile up, he said.
"Basically we're talking about services where at the click of a button, everything is being done for you, it's taking the toolkit model and turning it into a full-blown hosted service," he said. "You don't need to know how to compromise the server, what type of Trojan to use, or even where the server is; you simply select what type of data you want to get, pay the fee, and then wait for your data to arrive in several days."
Delivered in a manner similar to software-as-a-service (SaaS) business applications popularized by companies like Salesforce.com, the hosted data theft services allow anyone with an Internet connection and an access code to utilize their capabilities, according to the expert.
The services are priced based on the type of content a user desires to steal, and how much of it, said Ben-Itzhak, with stolen credit card account details priced at anywhere from $5 to $60.
The information being targeted and served up over the services isn't limited to such widely sought-after consumer data, however; the sites are also being used to steal specific types of intellectual property, including engineering drawings and product plans. And much of that data is being taken from large, well-known businesses, according to the expert.
Finjan reports that of the services it has been able to infiltrate thus far, a vast majority of the personal credit account data being transmitted to users has still been valid, with one of the sites promising the ability to create replicas of the original stolen cards for an additional fee.
Traffic on the data theft services that the company has observed has been high, with thousands of users per week in some cases. The servers being used to host the services have been distributed throughout locales including China, Eastern Europe, Malaysia and Russia, with users logging on from around the globe, Finjan reported.
"This is emblematic of the continued commercialization of cyber-crime, it has rapidly gone from finding and hacking exploits, to making toolkits to sell to other hackers, to full services for non-technical users," said Ben-Itzhak. "As long as the people behind this are making a lot of money, they can afford to hire top developers, just like the security companies, and the attacks will only accelerate."
Finjan is predicting that the next evolutionary step in the malware distribution community will be similar hosted services that offer users the ability to target specific companies and even specific computers or individuals within those organizations.
One of the most interesting aspects of the hosted data theft service model is that it combines a number of skills that are typically thought to exist among disparate groups of attackers -- including vulnerability research, exploit creation, threat delivery and the actual data theft.
"It's a consolidation of the malware model with the service as the front end, showing their shop and combining the skills of a group of different people to run a business and collect money -- versus trying to do it separately," said Ben-Itzhak. "It's absolutely a business model, one that is moving forward and improving all the time, and one clearly being driven forward by a lot of competition."
Posted by Matt Hines on April 8, 2008 08:33 AM