Online fraud is now a well-established business with hackers
offering fraud as a service and custom hacking paid on a per-use
basis, according to Andrew Moloney, marketing director at RSA.
Speaking at InfoSecurity 2009 at Earls Court today, Moloney
said, "We are seeing the commercialisation of hacking. Attackers
can buy HTML injection attacks to target [customers of] specific
banks."
An attacker can purchase a non-exclusive payload, which is
bundled with other attack code on a Trojan horse, for just $23 per
1000 infections. He said an exclusive payload is priced at between
$130 and $270.
He said phishing attacks were on the increase. "We are now seeing
combined phishing and malware attacks where the user is sent to a
web site which downloads a Trojan."
For would-be fraudsters, Moloney said malware was becoming much
more affordable. A high-grade Trojan like Zeus costs $1000, but
hackers can buy the Limbo Trojan kit for only $350.
Moloney said hackers are also offering fraud as a service, where
a fraudster pays $299 per month to receive a certain volume of bank
credentials. There are even phone services, where someone calls up
the owner of the stolen credit card, claiming to be the credit card
company, in order to obtain the three-digit code on the back of the
card.
"Internet fraud is cross-border and so it is difficult to
police," Moloney said. Due to the relatively small amounts stolen
per individual, he said this type of fraud often falls beneath the
radar of Soca, the Serious Organised Crime Agency.