Viruses, phishing, and trojans for profit

Malware is big money

Customised trojans, for a price

If there's one thing we've learned, just about anything is available for a price.

Dmitri Alperovitch from CipherTrust gave an excellent presentation at Virus Bulletin on "phishing trojan creation toolkits". His talk was about how it's now possible to go out and purchase a fully customised Trojan horse for phishing purposes, one that can inject new fields into a legitimate web page.

In other words, the average Joe Criminal can go out and purchase a toolkit that can create a targeted, fully customised trojan horse capable of evading the detection of anti-virus software, and then use it to steal money from innocent people. There's still the issue of getting this trojan in the right place, but let's take this one step at a time.

The example Alperovitch showed was quite advanced, with numerous features such as support for encryption and two-factor authentication, which allow a less sophisticated cyber criminal to make just the right kind of trojan: set up the required features and click the button that says compile.

I found it all quite shocking, to be honest - I did not know how far these trojan toolkits have come, or how much they can lower the bar. One of the greatest security fears of any organisation is (or should be) targeted trojans, because of their capability to steal virtually any information inside an organisation and remain undetected for some time. I won't take the liberty of mentioning some of the toolkits here, which range in price from $100 to $5500.

What can these trojans help steal? Money, for starters. Phishing works because most people can't identify a fake website. Let's also consider another use for them. It's easy to imagine a targeted trojan running on a payroll manager's computer inside a Fortune 500 company, logging keystrokes, taking screenshots, and responding to commands from someone on the other side of the world – or someone just next door. Add me to your payroll, please. A bit far-fetched? Hopefully your organisation has the proper policies and procedures in place to prevent this.

When the early reports of hackers teaming up with organised crime first surfaced, I'll admit I was skeptical. I found it hard to imagine a geek, albeit a criminal one, meeting up with the mob in a dark alley somewhere and plotting their next attack. But we're talking big money now, millions and tens of millions of dollars in some of the trojan-phishing-botnet-spam scams. Maybe much more.

The link between cyber criminals and organised crime or traditional low-tech criminals is more likely one of pure necessity: "virtual money" stolen from individuals and companies still has to be converted to real money, and that's where traditional crime rings and money laundering come into play.

Law enforcement is pretty good at investigating the low-tech end result of high-tech crime, and that's where they should continue to focus. Rather than turn police officers into hackers, they should continue to work with (and pay) security people to unravel the technical capabilities. Let me put some emphasis on paying security folks for their hard work.

More from The Register