User-friendly black hats debut Crimeware as a Service (CAAS)
'Instantly infect your favorite Fortune 500 company'
Security researchers have uncovered a new web-based service containing security credentials for more than 8,700 websites belonging to Fortune 500 companies and government agencies. It allows miscreants to infect some of the internet's most popular destinations with a few clicks of the mouse.
According to security provider Finjan, the service categorizes the list of available sites by a variety of characteristics, including the country where they're hosted and their popularity. After paying a fee, criminals can select the domain they want to compromise and then use it as a means to infect vulnerable machines that later visit the site.
The service provides a menu of malware titles that can be pushed to unwitting visitors. It also allows miscreants to upload custom exploits, according to Yuval Ben-Itzhak, chief technology officer at Finjan.
In a sense, this crimeware as a service (CAAS) was inevitable. According to an earlier report from Finjan, more than 51 percent of websites that pushed malicious content in the second half of 2007 were legitimate destinations that had been commandeered by bad guys. The service is evidence that there's money to be made in automating that process - and one more sign that cyber-crime has grown into a full-fledged business where no opportunity to turn a profit is passed up.
"You can imagine the magnitude of this marketplace now," he said in an interview. "They really commercialize everything in this eco-system."
About 10 of the compromised sites are among the 100 most popular internet destinations as measured by Alexa.com. Another 100 are ranked in the top 100 to 500. Sites include some of the world's more elite organizations, including companies in the financial services, manufacturing and technology industries. They also include government agencies, including at least one belonging to a superior court in the US. Most of the sites are located in the US. Other origins included the Russian Federation, Australia, Ukraine, the Czech Republic and the UK.
Ben-Itzhak declined to identify the sites by name. He said Finjan has so far alerted only about a dozen of the compromised sites. Companies that want to find out if they're on the list can contact a Finjan representative using this link.
The service is able to seamlessly infect the websites because it has a database containing file transfer protocol usernames, passwords and server addresses that are typically used by legitimate webmasters to add, change or delete pages. The credentials were most likely stolen by infecting the PCs of administrators with keyloggers, Ben-Itzhak said.
A site called meoryprof.info has been used to access the service. At te time of writing, it was inaccessible to us. As long as the FTP credentials remain valid, you can bet it's only a matter of time before the service pops up on another site. ®
How do you pay your fee?
Credit card? Who'd be stupid enough?
Security research or reporter
The definition of security research and reporting is a bit greay here. It reads to me that he paid some criminals to use there service so he could see what was on the menu and is now asking top companies to contact him to see if there on the list.
Now call me silly but thats not security research, thats marketing given alot of companies will contact as some MD or the like gets spooked reading the news etc.....
So it boils down to, find criminal service, pay criminals for service and then advitise said service as the next big dark scary thing and then thru the realms of non-disclosure of insecure sites etc force alot of top companies to contact him directly. Must say for securty work its poor show paying the criminals for there work, but given the marketing gains from this it does seem a rather cheap investment.
That said there are alot of idiots out there in IT who dont know what security is. But when security is down to the weakest chain of a temp with a flash-drive or a intern or a secratary who will print a document you need for a meeting with X,Y,Z in there offices later on. Lets face it there are people out there who click random pop-up's blindly and believe anything thats in a printed formated font of electricity.
But back to the main subject in sumary: It is akin to a Doctor telling you about the black death and how its out there now and contact me for a consultation so I can tell you if you are already dead.
Paris - because she could of very well done this job just as well.
How many people would try to hit Microsoft with that...
Hmm... If the site runs Windoze...
I could take over the CAAS site and get the money for myself!