Organised crime is gaining the upper hand over security vendors, as the traditional model of desktop ant-virus for securing endpoints, data, and people is no longer sufficient. This is the view of Rik Ferguson, senior security advisor for Trend Micro, speaking at this week’s ITWeb’s Security Summit, held at the Sandton Convention Centre.
He gave an outline of the underground cyber criminal movement and said new technologies and methodologies are needed to fight cyber criminals. “In 2004, the online connected population was just under 680 million people with three million unique infected files. It was only 18 months after that when we noticed a real change in criminal activity,” said Ferguson. “Fast-forward to today, and the number of connected users has tripled to 1.7 billion people and malware has exponentially increased to 30 million.”
Ferguson explained the underground economy is booming because more people are connected to the Internet. This increased number of inexperienced users is not aware of scams involving fake anti-viruses, botnets and phishing techniques used to steal information for financial gain.
According to Ferguson, organised crime works just like a business. Criminal groups offer niche services such as selling malware code as well as building botnet controllers that are in charge of thousands or even millions of compromised machines, which are rented out to distribute malware.
Ferguson demonstrated how an information-stealing Trojan can be sold on the black market for $80 and personal identification for as little as $10. Stolen information includes a victim’s name, cellphone number, address and bank PIN number.
Underground markets are organised in an eBay-type format comprising of forums with illicit buyers and sellers auctioning off valuable stolen information. “The cheapest credit cards on sale go for $3 a card because they’re easy to steal and defraud. And if you buy in bulk, the costs come down.”
According to Ferguson, the latest version of Zeus 1.4 built with all the FireFox and Jabber plug-ins can set a buyer back $10 000. “It collects online banking login details and also does form injection onto the bank Web site, such as a box for the PIN number.”
The Zeus botnet uses service-side polymorphism, meaning if it’s downloaded in two different machines, both files look completely different to one another even if it’s the same malware. This makes it difficult to detect. The people who sell this information do make a lot of money, but Ferguson said playing in the big league is a different game altogether.
“In an investigation we did, we discovered a criminal outfit made $180 million using three strategic pillars. The first way is by selling their victims malware. They look like entirely legitimate security applications under the names Spyware Protect, XP Antivirus, MS Antivirus. It is just a front-end of malware forcing you to pay for it to be downloaded onto the system,” explained Ferguson.
He added that the fake anti-virus products could be purchased for up to $140, and would also request the victim’s full banking details and credit card information. The criminals will recruit an army of affiliates who get a 30% kickback on each sale of fake anti-virus software. “Once you have it on your system, if you go to a legitimate-looking Web site, such as CNN, they swap out the legitimate advertisements and get paid for every impression of the replaced advertisement, usually depicting fake pharmaceuticals.
“The third pillar of income is telephonic tech support. A victim receiving all of the pop-ups from the fake-anti-virus program phones the fraudsters that operate a telephonic technical support. The fraudsters disable the pop-ups after the victim unknowingly pays $20 for the call.”
Ferguson said cyber criminals are constantly innovating scams and social engineering in different ways. According to Trend Micro, the top threat infection vector is the Web. Around 2 000 new threats surface per hour and Ferguson believes this trend will not slow down anytime soon. He pointed to security-as-a-service, a security model in the cloud that’s design to use intelligence collaboratively to prevent the end-user from exposing their system to malware in the first place.
“If we only focus on the infection layer, the problem will only get worse. The traditional approach to malware protection places the burden of storage and detection intelligence on the customer. It vastly increases endpoint resource usage and increases network bandwidth. “Traditional anti-virus updates are not fast enough anymore. The future approach to malware protection places the burden of storage and detection intelligence in the cloud.”