Online fraud is now a well-established business, with hackers offering fraud as a service and custom hacking paid for on a per-use basis, according to Andrew Moloney, marketing director at RSA.
Speaking at InfoSecurity 2009 at Earls Court today, Moloney said, "We are seeing the commercialisation of hacking. Attackers can buy HTML injection attacks to target [customers of] specific banks."
An attacker can purchase a non-exclusive payload, which is bundled with other attack code on a Trojan horse, for just $23 per 1000 infections. He said an exclusive payload is priced at between $130 and $270.
He said phishing attacks were on the increase. "We are now seeing combined phishing and malware attacks where the user is sent to a web site which downloads a Trojan."
For would-be fraudsters, Moloney said malware was becoming much more affordable. A high-grade Trojan like Zeus costs $1000, but hackers can buy the Limbo Trojan kit for only $350.
Moloney said hackers are also offering fraud as a service, where a fraudster pays $299 per month to receive a certain volume of bank credentials. There are even phone services, where someone calls up the owner of the stolen credit card, claiming to be the credit card company, in order to obtain the three-digit code on the back of the card.
"Internet fraud is cross border and so it is difficult to police," Moloney said. Due to the relatively small amounts stolen per individual, he said this type of fraud often falls beneath the radar of Soca, the Serious Organised Crime Agency.