You don鈥檛 need advanced hacking expertise to steal people鈥檚 bank details any more. Thanks to downloadable attack kits, online theft is just a few clicks away. With just a small amount of technical know-how, attackers can use these simple software packages to install malware on a victim鈥檚 computer and make an easy profit.
Two security reports released this week reveal the rise of such kits in the past year. Computer security company suggests that attack kits played a role in creating over 286 million variants of malware last year, and computer hardware manufacturer that the kits鈥 ease of use, high success rates and ability to rake in illicit gains make them extremely popular.
Attack kit developers are also improving the quality of their software, says Mike Dausin, who manages advanced security intelligence for HP鈥檚 DVLabs division. 鈥淭hey put so much effort into streamlining it, just as a normal software development company might,鈥 he says. 鈥淭hey鈥檙e very professional, very focused on making money.鈥 It鈥檚 not an entirely unexpected development: last year, security researchers predicted the growth of the cybercrime service industry.
Advertisement
Digital airlock
I visited Symantec鈥檚 regional headquarters in Dublin, Ireland, to find out just how easy it is to use an attack kit. As I enter Symantec鈥檚 security response office, I鈥檓 asked to leave my laptop in a secure server room situated in a digital 鈥渁irlock鈥. It鈥檚 a necessary precaution, as any computer beyond the airlock doors might infect my machine with nasty malware.
Inside, I speak to threat intelligence officer Peter Coogan. Like everyone else in the office, he has two screens on his desk. The first is connected via a blue cable to the secure server room, where his main computer resides safe from infection. The other is connected to an infected desktop computer, wired into a separate network via a pink cable. The visual distinction helps stop infections spreading to Symantec鈥檚 wider network.
Coogan uses his infected machine to walk me through the installation of Zeus, a common attack kit. The latest versions are traded on cybercrime forums for anything from $500 to $4000, but older copies are freely available and easily found with a quick Google search 鈥 even malware developers suffer from software piracy, it seems. This hasn鈥檛 prevented sales of attack kits growing from 2 to 7 per cent of the criminal online economy, however.
This booming business has helped attack kits spread far further than before, explains Alen Puzic, a security researcher at HP DVLabs. 鈥淎 few years ago you pretty much had to know the author of one of these toolkits in order to get one, but these days there are resellers, forums and even online stores.鈥
Command and control
Once you鈥檝e downloaded the software, you upload it to a web server 鈥 either the attacker鈥檚 own or one that cannot be traced 鈥 and install it through your browser. The process is surprisingly similar to installing blogging software such as WordPress. 鈥淵ou don鈥檛 have to be some kind of expert,鈥 explains Coogan.
This online installation acts as a command-and-control centre for custom malware 鈥 and attackers can also create the malware with Zeus. Coogan showed me how someone with minor coding skills can choose from a list of options, such as the type of target or filename, to create their own unique malware.
We chose to target banking websites using pre-existing code included in Zeus that would insert extra form fields whenever an infected user logged onto their bank website and allow us to gather data such as their PIN. Savvy attackers can write code to target any site they choose, however.
After infecting a victim鈥檚 computer, attackers can then set up fake websites that download malware in the background. It鈥檚 much more effective, however, to compromise sites the victim uses regularly by using vulnerabilities to inject their own code. The method chosen depends on the skills of the attacker. 鈥淚t could be a site that you visit every day,鈥 says Coogan. For the demonstration, he used a fake website to infect his computer, and showed me how a mocked-up banking site was transformed to include extra fields that were impossible to distinguish from the genuine article.
What鈥檚 worse, a site hacked in this way appears completely legitimate. All the modifications take place on your own computer, not the bank鈥檚 servers, so there is very little the bank can do to stop this kind of attack. 鈥淵ou look at the URL, it鈥檚 the URL you always go to, you鈥檙e still on a secure site and everything looks absolutely perfect,鈥 says Coogan.
Spear phishing
That鈥檚 particularly worrying in light of the at online marketing firm Epsilon, which manages email advertising for companies such as Capital One and Disney. Now that spammers know which email addresses are linked to certain brands, they could use kits like Zeus to generate targeted malware and fool people into giving away more information than they should. An attack like this is known as 鈥渟pear phishing鈥, because the leaked details help attackers to focus their effort. 鈥淭hey can sharpen the tip of the spear,鈥 says Dausin, though he points out that Epsilon is not the first leak of its kind, so the increased risk is small.
So what can you do to avoid becoming a victim of an attack kit? 鈥淢ake sure you are patched,鈥 says Dausin. The kits take advantage of security holes in programs like web browsers PDF readers; developers try to plug them with software patches, but many people don鈥檛 apply the patches, leaving themselves at risk. 鈥淏eyond that, it鈥檚 probably best not to click on links and emails that you鈥檙e not expecting,鈥 he adds. In other words, think before you click 鈥 you never know what鈥檚 on the other end of that link.