Next thing to worry about: Cybercrime as a service
- By Mark Rockwell
- Mar 11, 2014
You've heard of software as a service and infrastructure as a service. Now you need to pay close attention to cybercrime as a service, one of the more insidious -- and burgeoning -- forms of organized attack.
Many of the recent high-profile data breaches at retailers like Target, and Nieman-Marcus leveraged off-the-shelf Internet-based cybercrime kits, according to McAfee Labs' latest quarterly report. That increased simplicity and availability could mean dangers for federal agencies' networks and facilities.
"If cybercriminals could execute such large-scale attacks on retailers – particularly Target – they could attempt the same against government agencies," Patrick Flynn, McAfee’s director for homeland/national security, told FCW in an email. "The administrators of federal sites that are citizen-facing and store large amounts of personal information need to be especially vigilant. Ironically, attackers taking advantage of cybercrime as a service don’t need anywhere near the same expertise.”
Hacking for dummies, indeed.
Just as typical cloud--as-a-service and infrastructure-as-a-service capabilities bring operational efficiencies to more enterprises, cloud-based malware can bring more sophisticated attack skills within the reach of a larger pool of possibly less-talented hackers.
The attacks against major retailers exposed the data of hundreds of thousands of the store's customers to electronic thieves that hacked into its point-of-sale terminals. McAfee called the Target breach one of the biggest of all time.
The attacks, while enormous, weren't unprecedented. What made the latest round different was not only the size of the thefts, but that they were apparently done with pre-packaged tools tailored to the specific job.
"During the last few years we have seen a notable rise in the malware families POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook, and others, many of which are available for purchase online," said the report.
McAfee said Target uses a custom-built POS application, which means that the attackers could not learn the system offline, via readily available leaks of commercial POS applications. McAfee said that although the malware that attacked Target was based on a known entity called BlackPOS, it had several customized capabilities that allowed it to behave in a certain way once inside Target's environment.
McAfee analysts said the attacks were "far from advanced," but noted that the off-the-shelf, family of BlackPOS malware shows that such packages can easily be modified and redistributed with little programming skill or knowledge of malware functionality. In the past, BlackPOS source code has also been incorporated into Zeus/Citadel, Gh0st, Poison Ivy, and many other kits, showing that almost anyone can employ, modify and use them for nefarious purposes.
“Cybercriminals don’t have to be technical experts to get the job done,” Flynn said. “In fact, they only need a credit card.”
Mark Rockwell is a staff writer covering acquisition, procurement and homeland security. Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.