The new battleground in cybercrime

Finjan CTO Yuval Ben-Itzhak writes that user data increasingly is driving "criminal-2-criminal" business.

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C): attackers sell malicious code and stolen data to other criminal elements that profit from it.

Most government offices, financial institutions, and large enterprises deploy signature-based antivirus tools and a network firewall to protect highly sensitive and private data. The fact is that cybercriminals know this, and they use new antiforensic techniques specifically designed to bypass these traditional security solutions.

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

The MPack crimeware toolkit, which infected more than 500,000 users in June 2007, illustrates this point. Even several weeks after intensive media coverage, the crimeware downloaded by the MPack toolkit was still not detected by the majority of leading security products.

One particularly devious Trojan installed by the MPack toolkit steals bank account information (such as user name, password, credit card number, Social Security number, and ATM PIN). The Trojan silently waits on the victim's PC until the victim accesses an online banking site, then it springs into action, harvesting the sensitive information. The user's online experience is indistinguishable from a normal session with the bank, and the stolen data is sent to the criminal's server over an encrypted SSL connection.

According to Gartner, the Internet (and Internet applications) will be fertile territory for malware infections in the corporate world. Due to the proliferation of Web-based malicious code, safeguarding sensitive data from targeted crimeware attacks is not simple anymore. Creating signatures for every exploit of dozens of toolkits requires huge resources and in most cases is ineffective.

Knowing this, cybercriminals compromise legitimate Web sites to infect victims' PCs, using dynamic payloads, obfuscation techniques, and constantly changing hosting locations to evade detection. The result is that URL filtering, reputation services, and signature-based solutions are of limited use against this new evasive attack genre.

Innovative solutions to address these threats are available, and should be implemented in a layered manner on top of organizations' existing security infrastructure. However, until this happens on a wide scale, individuals should realize that their data may not be as safe as they think.

In the Web 1.0 scenario, even if your PC got infected by spyware, many solutions were able to detect and block the spyware when it "phoned home," or tried to connect to the malicious server.

In Web 2.0 and beyond, a stealthy Trojan on your PC will no longer need to send its stolen data to a malicious host server in the Third World. Rather, the Trojan will upload data to a MySpace page or another "trusted" Web 2.0 site that will not be blacklisted by URL filtering or reputation-based solutions. Once the data is downloaded from these sites, it is deleted. In essence, hackers could turn these sites into "safe harbors" for storing their stolen data.

The way to stop such a scenario is to understand exactly what is happening in the network. The financial damage from a security breach can cost millions of dollars. As C2C grows, corporate and government users will realize that their digital assets are increasingly at risk.
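The "safe harbor" scenario above defeats URL filtering because the destination is reputable; what gives it away is the traffic pattern, which is the "understand what is happening in the network" point. The following is an added illustration, not code from the column or from Finjan: it reads constructed proxy log lines (time, client, method, host, bytes out) and flags a client whose upload volume to a trusted host dwarfs that of its peers. The log lines, the host names, the thresholds, and all function names are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log (not from the column): time client method host bytes_out
PROXY_LOG = """\
2007-06-12T09:01:10 10.0.0.5 GET www.myspace.com 412
2007-06-12T09:01:11 10.0.0.5 POST www.myspace.com 2200
2007-06-12T09:05:40 10.0.0.7 GET news.example.com 380
2007-06-12T09:06:02 10.0.0.9 POST www.myspace.com 1900
2007-06-12T09:12:30 10.0.0.11 POST www.myspace.com 2500
2007-06-12T09:30:00 10.0.0.5 POST www.myspace.com 48000
2007-06-12T09:30:05 10.0.0.5 POST www.myspace.com 51000
2007-06-12T09:30:11 10.0.0.5 POST www.myspace.com 47500
2007-06-12T10:00:00 10.0.0.9 POST www.myspace.com 2100
"""
# Hosts a URL filter or reputation service would allow without question (assumed set).
TRUSTED_HOSTS = {"www.myspace.com"}

def parse_log(text):
    """Yield (client, method, host, bytes_out) from the space-separated log."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, method, host, nbytes = line.split()
            yield client, method, host, int(nbytes)

def upload_totals(records, trusted):
    """POST bytes to each trusted host, keyed host -> {client: bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for client, method, host, nbytes in records:
        if method == "POST" and host in trusted:
            totals[host][client] += nbytes
    return totals

def flag_dead_drops(records, trusted, min_bytes=20000, ratio=10.0):
    """Return (client, host, bytes) where a client's upload volume to a trusted host
    exceeds min_bytes and ratio times the median volume of its peers on that host.
    Reputation checks pass such traffic; only the volume pattern stands out."""
    flagged = []
    for host, per_client in upload_totals(records, trusted).items():
        for client, nbytes in per_client.items():
            peers = [v for c, v in per_client.items() if c != client]
            peer_median = statistics.median(peers) if peers else 0
            if nbytes > min_bytes and nbytes > ratio * peer_median:
                flagged.append((client, host, nbytes))
    return sorted(flagged)

if __name__ == "__main__":
    for client, host, nbytes in flag_dead_drops(parse_log(PROXY_LOG), TRUSTED_HOSTS):
        print(f"{client}: {nbytes} bytes posted to trusted host {host}, investigate")
```

On the sample log only 10.0.0.5 is flagged; in practice the peer baseline should come from a longer history than a single morning so that one heavy but legitimate uploader does not trip it.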