Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis.
Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.
"There's a lot of business sophistication," said Patrick Peterson, Cisco fellow and chief security officer. "Cybercriminals are taking a lot of Harvard Business School approaches, making them very difficult to combat, and it really does increase their success rate and the impact they have on us."
The Cisco 2009 Midyear Security Report outlines several ways hackers are cashing in using sophisticated business models. It traces Conficker's rise and describes how those behind the quickly spreading worm attempted to monetize the botnet by sending spam that offered software for reading other people's private SMS messages. Peterson said the Conficker operators partnered with the cybercriminal gang behind the Waledac botnet, and instead of delivering the promised SMS-reading software, the download pushed out the Waledac worm. Conficker was also used to distribute a rogue antivirus product.
"They may have had a pay-per-install or just simply given the Conficker folks a cut of their profits," Peterson said.
Meanwhile, another group of cybercriminals hoping to cash in on Conficker implemented a spamdexing (search engine poisoning) scheme. They got Google to rank their rogue antivirus sites prominently in search results for queries about protection against Conficker, Peterson said.
Cisco and Cisco IronPort researchers are also seeing lower-volume but more frequent botnet attacks. Peterson said it's a sign cybercriminals are trying to stay under the radar. Researchers from the University of California, Santa Barbara, who studied the Torpig botnet, found that it had been operating for several years, stealing login credentials for hundreds of thousands of online bank accounts.
"These are certainly the most technically sophisticated botnet and malware we've ever seen, but there are certainly lots of people who are finding interesting ways to go to market and make money with little or no technical expertise themselves," Peterson said. "If they can work together with partners they don't need to do the whole solution and that makes them much more of a concern."
The report also highlights how smartphones and social networking websites are being increasingly targeted by cybercriminals, lured by the massive amount of personal data displayed over time on websites such as Twitter, MySpace and Facebook.
The increasing use of handheld mobile devices, such as Research in Motion's BlackBerry and the Apple iPhone, is making them more lucrative targets for cybercriminals. Cisco has been tracking a rise in malicious SMS text messages that appear to come from a trusted source and prompt victims to call a number and reveal sensitive account information, Peterson said.
"It's really all about social engineering to trick users, and with the amount of data people place in the public eye, it's become easier to conduct these attacks," Peterson said.
The good news is that threats and vulnerabilities so far in 2009 are down 25% from 2008 activity levels, according to the Cisco report. Peterson said that while the number of threats and vulnerabilities is down significantly, the threats are more targeted, designed to let cybercriminals steal as much data as they can as quickly as possible.
"There are fewer vulnerabilities and the criminals are doing a smidge less diversity of things, but that doesn't actually translate into lower threat activity," Peterson said. "Conficker was a single threat, but it probably had as much threat activity generated as 50% of all of the relatively less important vulnerabilities."