Cybersecurity

Next thing to worry about: Cybercrime as a service

Placeholder Image for Article Template

You've heard of software as a service and infrastructure as a service. Now you need to pay close attention to cybercrime as a service, one of the more insidious -- and burgeoning -- forms of organized attack.

Many of the recent high-profile data breaches at retailers like Target, and Nieman-Marcus leveraged off-the-shelf Internet-based cybercrime kits, according to McAfee Labs' latest quarterly report. That increased simplicity and availability could mean dangers for federal agencies' networks and facilities.

"If cybercriminals could execute such large-scale attacks on retailers – particularly Target – they could attempt the same against government agencies," Patrick Flynn, McAfee’s director for homeland/national security, told FCW in an email. "The administrators of federal sites that are citizen-facing and store large amounts of personal information need to be especially vigilant. Ironically, attackers taking advantage of cybercrime as a service don’t need anywhere near the same expertise.”

Hacking for dummies, indeed.

Just as typical cloud--as-a-service and infrastructure-as-a-service capabilities bring operational efficiencies to more enterprises, cloud-based malware can bring more sophisticated attack skills within the reach of a larger pool of possibly less-talented hackers.

The attacks against major retailers exposed the data of hundreds of thousands of the store's customers to electronic thieves that hacked into its point-of-sale terminals. McAfee called the Target breach one of the biggest of all time.

The attacks, while enormous, weren't unprecedented. What made the latest round different was not only the size of the thefts, but that they were apparently done with pre-packaged tools tailored to the specific job.

"During the last few years we have seen a notable rise in the malware families POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook, and others, many of which are available for purchase online," said the report.

McAfee said Target uses a custom-built POS application, which means that the attackers could not learn the system offline, via readily available leaks of commercial POS applications. McAfee said that although the malware that attacked Target was based on a known entity called BlackPOS, it had several customized capabilities that allowed it to behave in a certain way once inside Target's environment.

McAfee analysts said the attacks were "far from advanced," but noted that the off-the-shelf, family of BlackPOS malware shows that such packages can easily be modified and redistributed with little programming skill or knowledge of malware functionality. In the past, BlackPOS source code has also been incorporated into Zeus/Citadel, Gh0st, Poison Ivy, and many other kits, showing that almost anyone can employ, modify and use them for nefarious purposes.

“Cybercriminals don’t have to be technical experts to get the job done,” Flynn said. “In fact, they only need a credit card.”

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Wed, Mar 12, 2014 IDTheftResearcher

Crime as a Service (CaaS) is nothing new; "murders for hire" arrangements are similar. An extreme example of cyber CaaS: 12 yr old Canadian hacker paid in video games. http://www.cnn.com/video/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_freevideo+%28RSS%3A+Video%29#/video/bestoftv/2013/10/29/child-hacking-scheme-newday.cnn

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group