Feeds

Viruses, phishing, and trojans for profit

Malware is big money

SANS - Survey on application security programs

Customised trojans, for a price

If there's one thing we've learned, just about anything is available for a price.

Dmitri Alperovitch from CipherTrust gave an excellent presentation at Virus Bulletin on "phishing trojan creation toolkits". His talk was about how it's now possible to go out and purchase a fully customised Trojan horse for phishing purposes, one that can inject new fields into a legitimate web page.

In other words, the average Joe Criminal can go out and purchase a toolkit that can create a targeted, fully customised trojan horse capable of evading the detection of anti-virus software, and then use it to steal money from innocent people. There's still the issue of getting this trojan in the right place, but let's take this one step at a time.

The example Alperovitch showed was quite advanced, capable of numerous features like support for encryption and two-factor authentication that allows a less sophisticated cyber criminal to make just the right kind of trojan. Set up the required features and click the button that says compile.

I found it all quite shocking, to be honest - I did not know how far these trojan toolkits have come, or how much it can lower the bar. One of the greatest security fears of any organisation is (or should be) targeted trojans, because of their capability to steal virtually any information inside an organisation and remain undetected for some time. I won't take the liberty of mentioning some of the toolkits here, which range from $100 to $5500.

What can these trojans help steal? Money, for starters. Phishing works because most people can't identify a fake website. Let's also consider another use for them. It's easy to imagine a targeted trojan running on a payroll manager's computer inside a Fortune 500 company, logging keystrokes, taking screenshots, and responding to commands from someone on the other side of the world – or someone just next door. Add me to your payroll, please. A bit far-fetched? Hopefully your organisation has the proper policies and procedures in place to prevent this.

When the early reports of hackers teaming up with organised crime first surfaced, I'll admit I was skeptical. I found it hard to imagine a geek, albeit a criminal one, meeting up with the mob in a dark alley somewhere and plotting their next attack. But we're talking big money now, millions and tens of millions of dollars in some of the trojan-phishing-botnet-spam scams. Maybe much more.

The link to organised crime and traditional low-tech criminals for cyber criminals is more likely one of pure necessity – converting "virtual money" stolen from individuals and companies still has to be converted to real money, and that's where traditional crime rings and money laundering come into play.

Law enforcement is pretty good at investigating the low-tech end result of high-tech crime, and that's where they should continue to focus. Rather than turn police officers into hackers, they should continue to work with (and pay) security people to unravel the technical capabilities. Let me put some emphasis on paying security folks for their hard work.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.