Wednesday, January 20, 2010
DIY cybercrime kits power growth in Net phishing attacks
DIY kits have been a staple in the cyberunderground for some time. But now they've dropped in price and become more user-friendly.
"If you know how to download music or a movie you have the necessary experience to begin using one of these kits," says Gunter Ollman, senior researcher at security firm Damballa.
Indeed, newbie cybercrooks and veterans alike are using DIY kits to carry out phishing campaigns at an accelerated rate, security researchers say. They've been blasting out fake e-mail messages crafted to look like official notices from UPS (UPS), FedEx (FDX) or the IRS; or account updates from Vonage, Facebook or Microsoft Outlook (MSFT); or medical alerts about the H1N1 flu virus.
The faked messages invariably ask the recipient to click on a Web link; doing so infects the PC with a banking Trojan, a malicious program designed to steal financial account logons. Often, the PC also gets turned into a "bot": The attacker silently takes control and uses it to send out more phishing e-mail.
The rapid development and aggressive marketing of DIY cybercrime kits has emerged as a big business. "It's possible that the people creating and selling these kits may be the same groups already profiting from cybercrime, and they could see this as yet another revenue stream," says Marc Rossi, Symantec's (SYMC) manager of research and development. Generally sold for $400 to $700, the kits come with everything you need to begin infecting PCs. Selling software is legal; what you do with it can get you in trouble. usatoday