The Federal Bureau of Investigation announced last Monday an international crackdown leading to the arrest of nearly 100 people tied to a sophisticated set of malware tools called Blackshades. The program allowed cybercriminals to remotely take over computers — including their webcams.
But you didn't need to be a mastermind to use the program. Instead, the tool is part of a much larger trend towards user-friendly hacking tools, developed and distributed by corporate-like entities that are becoming like the Oracles or Microsofts of the malware world.
There's now a fully-fledged market for groups offering access to easy-to-use malware on a subscription basis, experts say. And since the tools require little to no technical skill, the barrier to entry to a life of cybercrime is much lower than it was in the early years of the Internet. The result has been an explosion in criminal activity that has left consumers vulnerable to having their financial information used for fraudulent transactions or having their personal information sold to the highest bidder online.
"It's gone from being a couple of guys developing malicious software to actual organized crime groups" on the development side, said Tyler Shields, an analyst at Forrester Research.
"In general, people used to write tools for themselves so the number of people involved would actually be limited because you needed the technical skills to do this type of thing," said Kevin Haley, director of security response at cybersecurity firm Symantec. And some of the malicious applications from the Internet's early days may have wreaked havoc, but not all were designed with specific financial incentives.
Now cybercrime rings are much more organized, running in a sort of digital shadow economy online.
"If you want to excel as a cyber criminal, go get an MBA"
Malware groups often have a hierarchical leadership structure and pay for development of malicious software as well as marketing and distribution, researchers and federal investigators say. In the big leagues of this underground economy, malware rings mirror the economic models of legitimate businesses.
But they're also very widely distributed — with groups often having members all over the world, experts say. Some meeting online may not even know each other face-to-face. "You might have a developer in Ukraine or Russia, a distributor in the U.S. or the U.K., and leadership somewhere else entirely," Shields said. "We're talking hundreds of people across nations around the world working in concert."
That's an awful lot of coordination and managerial skills. "If you want to excel as a cyber criminal," Shields said, "go get an MBA."
The reason for the explosion in the commercial malware market is simple, Shields said: There's money in hacking — through the sale of sensitive data or the tools that can enable breaches, and the market has moved to take advantage of the situation. And pursuing a life of crime online can be safer than pursuing one in the physical world, said Raj Samani, vice president and chief technical officer for McAfee EMEA. "You don't go to a shoddy neighborhood to buy drugs, you go to an online black market — you don't walk into a bank to rob it, you go online," he said.
"Crime is evolving," added Samani, and "hacking as a service is now fully fledged and available." So now, most anyone can be a hacker.
"There are a lot of them who don't have the technical skills, but just want to get into crime," Haley said. Conveniently for the criminally inclined, "a marketplace offering cybercrime tools and services provides would-be criminals with an arsenal that can either be used as a component of a cyberattack or a handy way of outsourcing the process entirely," according to a McAfee white paper co-authored by Samani last year.
The Blackshades and iBanking
Law enforcement officials say they are beginning to focus on those who develop the malware, not just the people who use it.
"We tackled this malware starting with those that put it in the hands of the users — the creators and those who helped make it readily available, the administrators," said George Venizelos, assistant director-in-charge of the FBI New York Field Office in a news release about its Blackshades enforcement action.
Blackshades, the target of the recent FBI crackdown, is a part of a category of malware called Remote Access Tools, or RATs, which allow adversaries to have almost unlimited power over a breached computer. The FBI says the malware toolkit was available online for $40 and "purchased by thousands of people in more than 100 countries."
And these types of tools are migrating to mobile devices, too. Symantec released a blog post on a similar threat facing Android mobile devices called iBanking last week.
"It's a toolkit, in many ways similar to the RAT Blackshades," Haley said. Once it is installed on a user's machine, you can do almost anything. And like Blackshades, it's easy to use. "There's a nice user interface on the back end that allows the hacker to control not only that phone but multiple phones if they've infected them," he said.
"Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000," according to Symantec — even though the source code to the tool was leaked online this year. ("There's no honor among thieves," joked Haley.)
There's been an uptick in activity since, but Symantec believes some larger cybercrime gangs will continue to pay for the "official" version — which includes patches for vulnerabilities in the hacking software and is likely to be updated as new exploits are discovered so it remains more effective as older issues get fixed.
According to Symantec, Russian gangs have particularly favored the toolset lately. Users are infected with the program through a social engineering hack: a pop-up, shown when the device is connected to a desktop already infected with a type of malware that siphons financial data, tricks them into thinking a bank or social network needs to install an app on their device.
The future of enforcement
As the groups behind malware become more organized, so must the law enforcement tactics used to fight them, experts say — as evidenced by the Blackshades action. "Law enforcement has had to change from tracking down individuals to more of the traditional organized crime levels of infiltration," Shields said.
Haley hopes the Blackshades crackdown was a wake-up call to those currently in the cybercrime business, reminding them there's a risk to becoming involved in this particular industry.
But overall, experts say, software as a service has enabled a growth in the number of cybercriminals — and that growth leaves consumers and businesses at greater risk. Symantec's most recent annual threat report noted a 91 percent increase in targeted attack campaigns and a 62 percent increase in the number of breaches in 2013. That was only 253 total breaches, but eight of them exposed more than 10 million identities each.
"In total, over 552 million identities were breached in 2013, putting consumer’s credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, login, passwords, and other personal information into the criminal underground," the company reported. As bad guys become more organized and professional, their onslaughts are harder to defend against.
A string of retail firms have also been hit with credit card breaches in recent months — including Target, where a breach compromised up to 40 million people's financial information as well as other personal data related to as many as 70 million customers.
But hackers aren't always going for megachains, Symantec said. According to its research, medium-sized businesses with 251 to 2,500 employees were the target of 31 percent of the personalized phishing attacks it saw in 2013 — up from 19 percent the previous year.
For consumers, personal computing use has become more risky — a bad link or attachment could mean the installation of the next Blackshades. But there's also more risk when you hand over data to third parties, Samani said.
Even if consumers are taking significant personal measures, anything they give to a third party puts them at the mercy of someone else's security measures, he said. And if those security measures get breached, the data is at the mercy of whoever gets their hands on it.