News Column

More thieves are opting for online crime

June 1, 2014

WASHINGTON: The FBI's recent crackdown on a sophisticated set of malware tools called Blackshade sheds light on a shadowy and surprisingly sophisticated world of cybercriminal activity. But you don't need to be a tech mastermind to use Blackshade.

The tool is part of a much larger trend toward user-friendly hacking tools, developed and distributed by corporate-like entities that are becoming like the Oracles or Microsofts of the malware world.

There's now a fully fledged |market for groups offering access to easy-to-use malware on a subscription basis, experts say.

And because the tools require little to no technical skill, the barrier to a life of cybercrime is much weaker than it was in the early years of the internet.

The result has been an explosion in criminal activity that has left consumers vulnerable to having their financial information used for fraudulent transactions or having their personal information sold.

"It's gone from being a couple of guys developing malicious software to actual organised crime groups" on the development side, said Tyler Shields of Forrester Research.

Malware groups often have a hierarchical leadership structure and pay for development of software as well as marketing and distribution, researchers and federal investigators say. In the big leagues of this underground economy, malware rings mirror the economic models of legitimate businesses.

But they're also widely distributed - with groups often having members all over the world, experts say. "You might have a developer in Ukraine or Russia, a distributor in the US or the UK, and leadership somewhere else entirely," Shields said. "We're talking hundreds of people across nations around the world working in concert."

That's an awful lot of co-ordination and managerial skills. "If you want to excel as a cyber-criminal," Shield said, "go get an MBA."

The reason for the explosion in the commercial malware market is simple, Shields said: There's money in hacking - through the sale of sensitive data or the tools that can enable breaches - and the market has moved to take advantage of the situation. Pursuing a life of crime online also can be safer than pursuing one in the physical world, said Raj Samani, vice-president and chief technical officer for McAfee EMEA. "You don't go to a shoddy neighbourhood to buy drugs - you go to an online black market. You don't walk into a bank to rob it, you go online."

Now, almost anyone can be a hacker. "There are a lot of them |who don't have technical skills, but just want to get into crime," Haley said. As a result, law enforcement officials say they are beginning to focus on those who develop the malware, not just the people who use it.

"We tackled this malware starting with those that put it in the hands of the users - the creators and those who helped make it readily available, the administrators," said George Venizelos, assistant director in charge of the FBI'sNew York field office about its Blackshades enforcement action.

Blackshades, the target of the recent FBI crackdown, is a part of a category of malware called Remote Access Tools (Rats), which allow criminals to have almost unlimited power over a breached computer. The FBI says the malware toolkit was available online for $40 (R418) and "purchased by thousands of people in more than 100 countries".

These types of tools are migrating to mobile devices, too. Symantec released a blog post about a similar threat facing Android mobile devices called iBanking last week.

Once the tool is installed, the user can do almost anything. And like Blackshades, it's easy to use.

"There's a nice user interface that allows the hacker to control not only that phone but multiple phones if they've infected them," he said.

Users are infected with the program through a social engineering hack that tricks them into thinking a bank or social network needs to install an app on their device with a pop up when the device is connected to a desktop already infected with malware.

As the groups behind malware become more organised, so must the law enforcement tactics used to fight them, experts say - as evidenced by the Blackshades action. "Law enforcement has had to change from tracking down individuals to more of the traditional organised crime levels of infiltration," Shields said.

Haley hopes the Blackshades crackdown is a wake-up call to those in the cybercrime business, reminding them that there's a risk to becoming involved in the industry.

But overall, experts say, software as a service has enabled a growth in the number of cybercriminals - and that growth leaves consumers and businesses at greater risk. Symantec's most recent annual threat report noted a 91 percent increase in targeted attack campaigns and a 62 percent increase in the number of breaches last year. That was only 253 total breaches, but eight of them exposed more than 10 million identities each.

"In total, over 552 million identities were breached in 2013, putting consumers' credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, e-mail addresses, log-ins, passwords and other personal information into the criminal underground," the company said. As bad guys become more organised and professional, their onslaughts are harder to defend against.

Retail firms also have been hit with credit card breaches in recent months - including Target, where a breach compromised up to 40 million customers' financial information as well as other personal data related to 70 million customers.

But hackers aren't always going for mega-chains, Symantec said. According to their research, medium-sized businesses with 251 to 2 500 employees were the target of 31 percent of the personalised phishing attacks it saw last year, up from 19 percent the previous year.

For consumers, personal computing use has become more risky - a bad link or attachment could mean the installation of the next Blackshades. But there's also more risk when you hand over data to third parties, Samani said.

Even if consumers are taking measures, anything they give to a third party puts them at the mercy of someone else's security measures, he said. And if those security measures are breached, the data is at the mercy of whoever gets their hands on it. - Washington Post

Weekend Argus

For more stories covering the world of technology, please see HispanicBusiness' Tech Channel

Source: Weekend Argus (South Africa)

Story Tools Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters