
Cybercriminals employ toolkits in rising numbers to steal data

By Robert Westervelt, News Editor
06 Sep 2007 | SearchSecurity.com

Security Wire Daily News

Cybercriminals need less technical expertise to conduct attacks to steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work.


Once purchased for only a few hundred dollars, the toolkit can be installed on a server to begin harvesting data. A software program produces reports that show attack successes and failures, how many users are infected and the location of the most lucrative targets. It also automatically receives exploit updates on new vulnerabilities that hackers are finding, said Yuval Ben-Itzhak, chief technology officer of San Jose, Calif.-based security vendor Finjan.

"Once someone was smart enough to pack this type of primer and make it as a toolkit as a software package … on the technical side, the criminals don't need to have any experience," Ben-Itzhak said. "Now that it's commercialized, you don't need to have this kind of experience and they're managing to reach more people that are willing to do this crime."

According to the latest threat report issued by Finjan, the crimeware toolkit list continued its steady growth in August. The list includes some standard names, such as the MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit toolkits, as well as new toolkits such as random.js, vipcrypt, makemelaugh and dycrypt. Finjan identified the toolkit trend in May, and since then new versions have been helping criminals avoid detection by traditional signature-based security products, Ben-Itzhak said.


"They're getting almost a daily update," he said. "It's really very active as hackers update their tools for the criminals, and it looks like any other professional tool."

Security vendor Finjan has also identified dozens of active criminals using the toolkits. In July, 58 criminals were detected using the MPack toolkit to successfully infect over 500,000 unique users in a single month.

"Sometimes, because these types of criminals are not experts, they are not even securing their own servers," Ben-Itzhak said.

Among the latest discoveries by Finjan's new SecureBrowsing tool was the IcePack toolkit, responsible for compromising the Bank of India Web site. Much like McAfee's SiteAdvisor browser plug-in, Finjan's SecureBrowsing adds safety ratings to URLs of search results, but also scans a site for a lurking crimeware toolkit.

In addition to crimeware toolkits, Finjan also identified six active affiliation programs that pay Web site owners for infecting their visitors with crimeware. Web site owners use an "iframe" method to merge content from two different servers so that it looks like one page to a site visitor. They use the method to inject content from a remote site, which downloads Trojans and crimeware to an end user's machine.

"As long as there is a business there and the site owner will make money off of it, we expect this technique to continue," Ben-Itzhak said. "People are moving forward and improving their technique, because at the end of the day they will see cash in their bank."
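For site owners and defenders auditing their own pages for the iframe method described above, the following is an added example, not code from Finjan or the article. It lists iframes whose source is served from a different host than the page and marks those a visitor could not see; the size and CSS heuristic, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Heuristic (assumption, not from the article): a frame is "invisible"
# if it is 0-2 px in either dimension or hidden through inline CSS.
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TINY_CSS = re.compile(r"(?:width|height)\s*:\s*[0-2](?:px)?\s*(?:;|$)", re.I)

# Constructed sample page and URL, for illustration only.
PAGE_URL = "https://www.example.com/branches"
SAMPLE_HTML = """
<h1>Branch locator</h1>
<iframe src="/widgets/map.html" width="600" height="400"></iframe>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<iframe src="http://ads.example.org/in.php" width=1 height=1></iframe>
<IFRAME SRC="//stats.example.org/c" STYLE="display:none"></IFRAME>
"""


class IframeAuditor(HTMLParser):
    """Collects <iframe> elements whose src is served from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and // URLs
        host = urlparse(src).hostname
        if not host or host == self.page_host:
            return  # same-host or empty frame: content is not from a second server
        style = a.get("style", "")
        dims = (a.get("width", ""), a.get("height", ""))
        tiny = any(d.strip().rstrip("px") in ("0", "1", "2") for d in dims)
        invisible = tiny or bool(_HIDDEN_CSS.search(style) or _TINY_CSS.search(style))
        self.findings.append({"src": src, "host": host, "invisible": invisible})


def audit_iframes(html, page_url):
    """Return one finding per cross-host iframe, in document order."""
    auditor = IframeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

A visible cross-host frame is often a legitimate embed; the entries marked invisible are the ones to check against the list of third parties the site intentionally includes.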

August spam increases, but PDF spam declines
The month of August also saw a steady increase in spam, according to Symantec Corp., which recently released its monthly report on the topic. The Cupertino, Calif.-based antivirus giant said overall spam activity increased by 3% to just under 70% of all email traffic.

PDF spam, which emerged in June, rose dramatically in August, accounting for nearly 20% of all spam, but the PDF images then declined, closing out at less than 1% of total spam for the month, Symantec said.

"Antispam vendors' success with blocking PDF spam to date illustrates how the lifespan of new spam attacks correlates with how much effort is required by spammers in order to circumvent antispam filters," Symantec said in its report.


