Cybercriminals employ toolkits in rising numbers to steal data

The market for crimeware toolkits that help cybercriminals evade detection and exploit software flaws is growing, according to new research from security vendor Finjan.

Cybercriminals need less technical expertise to steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work.


Once purchased for only a few hundred dollars, the toolkit can be installed on a server to begin harvesting data. It produces reports that show attack successes and failures, how many users are infected and where the most lucrative targets are located. It also automatically receives exploit updates for new vulnerabilities as hackers find them, said Yuval Ben-Itzhak, chief technology officer of security vendor Finjan.

"Once someone was smart enough to pack this type of primer and make it as a toolkit as a software package … on the technical side, the criminals don't need to have any experience," Ben-Itzhak said. "Now that it's commercialised, you don't need to have this kind of experience and they're managing to reach more people that are willing to do this crime."

According to the latest threat report issued by Finjan, the list of crimeware toolkits continued its steady growth in August. The list includes established names such as MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, as well as new toolkits such as random.js, vipcrypt, makemelaugh and dycrypt. Finjan identified the toolkit trend in May, and since then new versions have been helping criminals evade detection by traditional signature-based security products, Ben-Itzhak said.


"They're getting almost a daily update," he said. "It's really very active as hackers update their tools for the criminals, and it looks like any other professional tool."

Finjan has also identified dozens of active criminals using the toolkits. In July, 58 criminals were detected using the MPack toolkit, and between them they infected more than 500,000 unique users in a single month.

"Sometimes, because these types of criminals are not experts, they are not even securing their own servers," Ben-Itzhak said.

Among the latest discoveries by Finjan's new SecureBrowsing tool was the IcePack toolkit, which was responsible for compromising the Bank of India Web site. Much like McAfee's SiteAdvisor browser plug-in, Finjan's SecureBrowsing adds safety ratings to the URLs in search results, but it also scans the site itself for a lurking crimeware toolkit.

In addition to crimeware toolkits, Finjan also identified six active affiliation programs that pay Web site owners for infecting their visitors with crimeware. The site owners use an "iframe" to merge content from two different servers so that it appears to the visitor as a single page. The injected iframe pulls content from a remote server, and that content downloads Trojans and other crimeware onto the visitor's machine.
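The iframe technique described above is easy to spot once you know what to look for: an iframe whose source is on a different host than the page, typically shrunk to zero size or hidden with CSS so the visitor never sees it. The scanner below is an added example written for this article; it is not Finjan's SecureBrowsing code or anything from the original page. It parses a page's HTML with the standard-library parser, records every iframe, and flags those that are both remote-origin and hidden. The sample page, the host `203.0.113.7` (a documentation address) and the path `/load.php` are constructed for the example; the "hidden" heuristics (zero width or height, `display:none`, `visibility:hidden`, the `hidden` attribute) are the author's assumptions about common indicators, not a list taken from the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not real data): a site at www.example.com with two
# legitimate iframes and one injected, invisible iframe pointing at a remote
# server on a documentation IP address.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/newsletter" width="600" height="400"></iframe>
<iframe src="https://maps.example.net/embed?q=office" width="400" height="300"></iframe>
<iframe src="http://203.0.113.7/load.php" width="0" height="0" frameborder="0"
        style="display:none"></iframe>
</body></html>"""

# Assumed indicators of a frame the visitor is not meant to see.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Valueless attributes (e.g. bare `hidden`) arrive as None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without px/% suffix)."""
    try:
        return float(value.strip().rstrip("px%")) <= 1
    except ValueError:
        return False


def scan_page(html, page_url):
    """Return one finding per iframe: its src, the indicators that fired, and
    whether it is high risk (remote origin combined with any hiding indicator)."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if src_host and page_host and src_host != page_host:
            reasons.append("remote-origin")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in attrs:
            reasons.append("hidden-attr")
        findings.append({
            "src": src,
            "reasons": reasons,
            # A visible remote widget is normal; a hidden remote frame is not.
            "high_risk": "remote-origin" in reasons and len(reasons) > 1,
        })
    return findings


def high_risk_iframes(html, page_url):
    """Convenience wrapper: only the findings worth an analyst's attention."""
    return [f for f in scan_page(html, page_url) if f["high_risk"]]


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, PAGE_URL):
        flag = "HIGH RISK" if finding["high_risk"] else "ok"
        print(f"{flag:9} {finding['src']}  {finding['reasons']}")
```

Run against the sample page, the scanner reports the same-host newsletter frame and the visible map widget as benign and flags only the zero-size, `display:none` frame on the remote host. A production scanner would also resolve the remote source and inspect what it serves, since the iframe itself is only the delivery vehicle for the exploit content.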

"As long as there is a business there and the site owner will make money off of it, we expect this technique to continue," Ben-Itzhak said. "People are moving forward and improving their technique, because at the end of the day they will see cash in their bank."

August spam increases, but PDF spam declines
August also saw a steady increase in spam, according to Symantec, which recently released its monthly report on the topic. The antivirus company said overall spam activity rose by 3%, to just under 70% of all email traffic.

PDF spam, which emerged in June, rose dramatically early in August, peaking at nearly 20% of all spam, but it then fell away, closing out the month at less than 1% of total spam, Symantec said.

"Antispam vendors' success with blocking PDF spam to date illustrates how the lifespan of new spam attacks correlates with how much effort is required by spammers in order to circumvent antispam filters," Symantec said in its report.
