E-crime has evolved into a booming business. Viruses, malware and online crime have moved from hacking vandalism into a major shadow economy that closely mimics the real business world, including profit-driven organised cybercrime, writes Yuval Ben-Itzhak, CTO at Finjan.
Money is driving the growth of targeted attacks against financial institutions, enterprises and governmental agencies. The financial damages from security breaches will keep on running into millions of pounds.
Cybercriminals use the web as a highly effective attack vector for a wide range of illegitimate and malicious activities, including identity theft through keylogging, financial fraud, espionage and intelligence gathering. Their operations function as international organised crime networks, which makes them hard to catch, let alone prosecute.
In 2008, we have seen the continued development of sophisticated criminal-to-criminal (C2C) business models. These mature business models operate on two levels. Crimeware developers are supplying "crimeware toolkits" to other criminal elements to be used for attacks. These "how to" packages instruct users step-by-step in how to infect a system and then retrieve data for financial gain. But criminals can also go the old-fashioned way: purchasing data collected by Trojans, keyloggers and other types of crimeware. These crime pros use robust and scalable crimeware that gives them maximum flexibility in terms of command and control.
One of the main reasons why e-crime remains so profitable is the success rate of Trojan technologies, which use web 2.0 as the main attack vector. Through silent installations and drive-by downloads, these Trojans have successfully infected PCs and networks.
These "Trojan 2.0" attacks combine various web services to heighten their infection ratio, while at the same time substantially reducing their chance of being detected. They use legitimate websites and domains for distributing instructions to botnets, which makes the traffic look like regular web browsing. To make things even more complicated, evasive techniques (such as the use of obfuscated code) are deployed to bypass security applications. In short, any organisation, company, enterprise or business with Internet access is a potential and prime target, regardless of its size or location.
It is clear that traditional security solutions, such as anti-virus, URL filtering or reputation services, will become more and more limited in their ability to handle the latest and highly complicated cybercrime attacks. Traditional security technologies are not equipped to deal with, let alone prevent, these threats. To meet the growing demand for more effective protection, the security industry must close the gap between these new attack techniques and the conventional defence strategies.
The optimal way to do this is to concentrate on real-time code inspection technologies. These can effectively protect networks against such attacks, since they analyse every piece of content regardless of its source. They are therefore able to detect malicious code without relying on signature updates or databases of classified URLs.
With the use of active real-time code inspection, organisations can be sure that no malicious content will enter their corporate networks, even if the origin is a highly respectable and trusted website.
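To make the contrast in the two paragraphs above concrete, here is an added illustration (not Finjan's product or any code from the original article) of the difference between signature lookup and content inspection. It runs a constructed, inert script snippet built from the obfuscation patterns the article mentions (unescape/eval wrappers, character-code chains) through a signature check that has never seen it, and then through a set of behaviour-based indicators that flag it anyway; the indicator names, thresholds and sample strings are all assumptions made for this example.

```python
import re

# Constructed sample in the style of an obfuscated "Trojan 2.0" loader:
# decoded strings fed to eval() and document.write(). It is inert text.
OBFUSCATED = (
    "var p=unescape('%75%6e%65%73%63%61%70%65');"
    "eval(String.fromCharCode(118,97,114,32,120,61,49));"
    "document.write(unescape('%3c%73%63%72%69%70%74%3e'));"
)
# Constructed benign script for comparison.
BENIGN = (
    "function greet(name) { return 'Hello, ' + name; }"
    "document.getElementById('msg').textContent = greet('world');"
)

# A signature list of the kind the article says cannot keep up: only exact
# byte patterns taken from samples already seen (placeholder values).
SIGNATURES = [b"OLD_SAMPLE_MARKER_PLACEHOLDER", b"known-bad.example/loader"]

def signature_match(content: str) -> bool:
    """Classic signature scan: a never-seen variant simply does not match."""
    data = content.encode()
    return any(sig in data for sig in SIGNATURES)

# Behavioural indicators that do not depend on having seen the sample before:
# dynamic code execution of decoded strings, runtime script injection,
# long percent-escape runs and character-code chains.
INDICATORS = {
    "eval_of_decoded": re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode|atob)"),
    "dynamic_write": re.compile(r"document\.write\s*\(\s*unescape"),
    "escape_run": re.compile(r"(%[0-9a-fA-F]{2}){8,}"),
    "charcode_chain": re.compile(r"fromCharCode\((\d+,\s*){5,}"),
}

def inspect(content: str) -> list:
    """Return the names of every indicator present in the content."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]

def is_suspicious(content: str) -> bool:
    """Require two independent indicators to limit false positives on
    legitimate sites that use a single escape or eval for benign reasons."""
    return len(inspect(content)) >= 2

if __name__ == "__main__":
    for label, script in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, "signature:", signature_match(script),
              "inspection:", is_suspicious(script), inspect(script))
```

The signature check misses the constructed sample entirely, while the content-based inspection flags all four indicators; the benign script trips none of them.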
This was first published in April 2008