
Cybercriminals employ toolkits in rising numbers to steal data

By Robert Westervelt, News Editor
06 Sep 2007 | SearchSecurity.com


Cybercriminals need less technical expertise to steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work.


Once purchased for only a few hundred dollars, a toolkit can be installed on a server to begin harvesting data. A software program produces reports that show attack successes and failures, how many users are infected and the location of the most lucrative targets. The toolkit also automatically receives exploit updates for new vulnerabilities that hackers are finding, said Yuval Ben-Itzhak, chief technology officer of San Jose, Calif.-based security vendor Finjan.

"Once someone was smart enough to pack this type of primer and make it as a toolkit as a software package … on the technical side, the criminals don't need to have any experience," Ben-Itzhak said. "Now that it's commercialized, you don't need to have this kind of experience and they're managing to reach more people that are willing to do this crime."

According to the latest threat report issued by Finjan, the crimeware toolkit list continued its steady growth in August. The list includes some standard names, such as the MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit toolkits, as well as new toolkits such as random.js, vipcrypt, makemelaugh and dycrypt. Finjan identified the toolkit trend in May, and since then the new versions have been helping criminals avoid detection by traditional signature-based security products, Ben-Itzhak said.


"They're getting almost a daily update," he said. "It's really very active as hackers update their tools for the criminals, and it looks like any other professional tool."

Security vendor Finjan has also identified dozens of active criminals using the toolkits. In July, 58 criminals were detected using the MPack toolkit to successfully infect over 500,000 unique users in a single month.

"Sometimes, because these types of criminals are not experts, they are not even securing their own servers," Ben-Itzhak said.

Among the latest discoveries by Finjan's new SecureBrowsing tool was the IcePack toolkit, responsible for compromising the Bank of India Web site. Much like McAfee's SiteAdvisor browser plug-in, Finjan's SecureBrowsing adds safety ratings to URLs of search results, but also scans a site for a lurking crimeware toolkit.

In addition to crimeware toolkits, Finjan also identified six active affiliation programs that pay Web site owners for infecting their visitors with crimeware. Web site owners use an "iframe" method to merge content from two different servers so that it looks like one page to a site visitor. They are using the method to inject content from a remote site, which downloads Trojans and crimeware to an end user's machine.

"As long as there is a business there and the site owner will make money off of it, we expect this technique to continue," Ben-Itzhak said. "People are moving forward and improving their technique, because at the end of the day they will see cash in their bank."

August spam increases, but PDF spam declines
The month of August also saw a steady increase in spam, according to Symantec Corp., which recently released its monthly report on the topic. The Cupertino, Calif.-based antivirus giant said overall spam activity increased by 3% to just under 70% of all email traffic.

PDF spam, which emerged in June, rose dramatically in August, accounting for nearly 20% of all spam, but the PDF images then declined, closing out at less than 1% of total spam for the month, Symantec said.

"Antispam vendors' success with blocking PDF spam to date illustrates how the lifespan of new spam attacks correlates with how much effort is required by spammers in order to circumvent antispam filters," Symantec said in its report.


