Cybersecurity

Next thing to worry about: Cybercrime as a service

Placeholder Image for Article Template

You've heard of software as a service and infrastructure as a service. Now you need to pay close attention to cybercrime as a service, one of the more insidious -- and burgeoning -- forms of organized attack.

Many of the recent high-profile data breaches at retailers like Target, and Nieman-Marcus leveraged off-the-shelf Internet-based cybercrime kits, according to McAfee Labs' latest quarterly report. That increased simplicity and availability could mean dangers for federal agencies' networks and facilities.

"If cybercriminals could execute such large-scale attacks on retailers – particularly Target – they could attempt the same against government agencies," Patrick Flynn, McAfee’s director for homeland/national security, told FCW in an email. "The administrators of federal sites that are citizen-facing and store large amounts of personal information need to be especially vigilant. Ironically, attackers taking advantage of cybercrime as a service don’t need anywhere near the same expertise.”

Hacking for dummies, indeed.

Just as typical cloud--as-a-service and infrastructure-as-a-service capabilities bring operational efficiencies to more enterprises, cloud-based malware can bring more sophisticated attack skills within the reach of a larger pool of possibly less-talented hackers.

The attacks against major retailers exposed the data of hundreds of thousands of the store's customers to electronic thieves that hacked into its point-of-sale terminals. McAfee called the Target breach one of the biggest of all time.

The attacks, while enormous, weren't unprecedented. What made the latest round different was not only the size of the thefts, but that they were apparently done with pre-packaged tools tailored to the specific job.

"During the last few years we have seen a notable rise in the malware families POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook, and others, many of which are available for purchase online," said the report.

McAfee said Target uses a custom-built POS application, which means that the attackers could not learn the system offline, via readily available leaks of commercial POS applications. McAfee said that although the malware that attacked Target was based on a known entity called BlackPOS, it had several customized capabilities that allowed it to behave in a certain way once inside Target's environment.

McAfee analysts said the attacks were "far from advanced," but noted that the off-the-shelf, family of BlackPOS malware shows that such packages can easily be modified and redistributed with little programming skill or knowledge of malware functionality. In the past, BlackPOS source code has also been incorporated into Zeus/Citadel, Gh0st, Poison Ivy, and many other kits, showing that almost anyone can employ, modify and use them for nefarious purposes.

“Cybercriminals don’t have to be technical experts to get the job done,” Flynn said. “In fact, they only need a credit card.”

About the Author

Mark Rockwell is a staff writer covering acquisition, procurement and homeland security. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Wed, Mar 12, 2014 IDTheftResearcher

Crime as a Service (CaaS) is nothing new; "murders for hire" arrangements are similar. An extreme example of cyber CaaS: 12 yr old Canadian hacker paid in video games. http://www.cnn.com/video/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_freevideo+%28RSS%3A+Video%29#/video/bestoftv/2013/10/29/child-hacking-scheme-newday.cnn

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above