Cybercrime-As-a-Service Takes Off

pnorth writes "Malware writers that sell toolkits online for as little as $400 will now configure and host the attacks as a service for another $50, according to email offers cited by security experts. A technical account manager at authentication firm Vasco said that cyber crime is becoming so business-like that online offerings of malicious code often include support and maintenance services. He said 'it was inevitable that services would be sold to people who bought the malware toolkits but didn't know how to configure them. Not only can you buy configuration as a service now, you can have the malware operated for you, too.'"

You really know when its a business...

[Shivinski]

Once you see the toolkits cracked and pirated on torrent site's :P

Re:

[Hurricane78]

On torrent site's what?

Re:You really know when its a business...

[roblarky]

Stewie: "Uh, on torrent site's what, Brian? Over."

Re:You really know when its a business...

[clarkkent09]

apparently on torrent site's P drive

Re:

[eleuthero]

This only works if the writer of the original post has dyslexia, right? :P vs. P:? or does this windows user not know something basic about linux (are mount points typed in reverse?)

Re:You really know when its a business...

[timeOday]

I think your comment is more insightful than funny. The question is, can an unregulated blackmarket grow and thrive without law - no contract enforcement, courts, or police?

Some would point to the large sums of cash in the illicit drug trade as evidence that it can, but I point to the stratospheric markup on illicit drugs as evidence that the market is horribly inefficient. The markups show there's a shortage of suppliers - due in part to law enforcement, I'm sure, but being in the drug trade also means running the risk of being gunned down (or worse) by competitors. Personally I prefer a bit more regulation in my markets than that.

Re:

[zach_the_lizard]

The illicit drug trade is regulated, or do you not think that something being made totally illegal counts as a regulation?

It is because of that regulation (your business cannot exist) that drug dealers cannot seek any kind of arbitration, private or government.

Re:

[Impy the Impiuos Imp]

Interesting you should mention drugs. We know the War on Drugs is failing due to the decreasing cost and increasing quality of the drugs, which means more competition.

Looking at this development -- plug-and-play malware kits, and they'll now host it for a little more, and it's clear the same thing's happening here.

Re:You really know when its a business...

[zippthorne]

Totally not true. If there is enough money on the table, whole illicit governments will form to take care of the people's need for illicit arbitration and such.

That's the true nature of the "protection racket" and the danger to the legitimate government is that it can be supplanted by the illicit government.

The market exists. Whether free or not, open or not, the market has formed and exists. The best you can hope for as a government is to influence it in small amounts here and there to achieve your aims. Push too hard and you'll find that like a river delta, it routes around you or bypasses you entirely.

That is why prohibition is dangerous.

Re:

[ssintercept]

the illicit drug trade is completely regulated:

on the state level in illinois there is a $25 dollar tax per 1/4 oz sold. all weed sold must have said stamp.

and on the neighborhood level- if you dont bay back guido for that 1/2 lb of blow you were gonna flip for that killer gaming rig- vinnie and johnny "no nose" vespucci come over and regulate your ass.

~puts on tinfoil hat~
i left the feds out cuz i am still up in the air about the CIA sellin crack...[citation needed]
~removes tinfoil hat~

Re:

[Anachragnome]

Yeah, and with a little luck we'll start finding the heads of "legitmate business owner" hackers in ice chests left in a Mexican desert....

Re:

[Jurily]

The markups show there's a shortage of suppliers - due in part to law enforcement,

You haven't been to a lot of UK pubs lately, have you? The only shortage is in quality control.

Actually, the problem is the opposite.

[tjstork]

Freakonomics had a really good article about the drug business and in a way, it is efficient. There is ample supply, despite law enforcement. And, there are more than enough interested workers, who actually wind up making, on average, slightly less than minimum wage.

Basically, drug culture is an -illusion- of wealth, because while a few do get rich, its ultimately just terrible work for the vast majority of people that participate in it. It tends to thrive in impoverished areas, because, for those people, there's just no work at all.

Re:

[ultranova]

Basically, drug culture is an -illusion- of wealth, because while a few do get rich, its ultimately just terrible work for the vast majority of people that participate in it. It tends to thrive in impoverished areas, because, for those people, there's just no work at all.

So basically, it's like any other market?

Re:

[tjstork]

So basically, it's like any other market?

No, because other markets tend to have limited employment because of various barriers to entry for employees. There's technical skills, geographic considerations, and more that all drive up salaries in other professions. But in the drug world, there's no such skills required. Anyone can be a drug dealer, and they get paid as what they are - unskilled, uneducated labor.

Re:

[JThundley]

Not only does this market exist, but it thrives without the need for patents to protect one vendor from the other.

Re:

[DaFallus]

Most people stay out of the business because of the high risk of being caught or things turning violent. High risk = high prices = high reward.

Re:You really know when its a business...

[DNS-and-BIND]

Apostrophe's are for pural's, dude's

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[kribor]

Recession got you down? Pissed off because your job got outsourced to Bangalore so your boss could get a fat bonus? No jobs openings in your area?

We're here to tell you of the many new amazing opportunities here for you in the world of online criminal enterprise. For an investment of a mere $550, you can be on your way in the exciting and profitable world of cybercrime.

But wait, there's more. For the next 10 min. we're offering the WrongCo ATM Card skimmer attachment. Just attach one of these beauties to th

Honesty?

[LinuxGeek]

Will the sellers be honest enough to give you all the money they drain from bank accounts?

Re:

[broken_chaos]

Will they even be honest enough to give you the service or support you paid for? I wouldn't even trust them that far.

Re:Honesty?

[interkin3tic]

Will they even be honest enough to give you the service or support you paid for? I wouldn't even trust them that far.

I'm not very familiar with people who make malware, but I'd imagine/hope the "support" would look something like this:

Customer: Yes, I'm having problems with your product, the Malwarator 1000
Anonymous support: LOL FUCK YUO NOOB!!1

If it offends any malware writers to be stereotyped like that, particularly the guys behind antivirus 2009, give me your home address and I'll mail you an apology.

Re:

[interkin3tic]

I'll be the first to admit: I did not research that joke at all.

Re:

[Zironic]

The black market deals in trust, you know they'll deliver their service and support to you because they've delivered service and support to other people you know.

Obviously they might one day just pack up and leave with all your money but that's life in the black market for you.

Re:

[Anonymous Coward]

Criminals are actually quite honest when you're the customer rather than the victim. The underground economy is a dangerous place and reputation is everything.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Ethanol-fueled]

Wow, a private investigator who headlines his post with "Uhhhhhhh...MODS?"

Anyway, what he said certainly sounds plausible...in the underworld, there's a big difference between customers and victims. In the world of legitimate software, users are the victims!

Re:

[Architect_sasyr]

Not only is it plausable, we have a reference in the torrenting world. Look at some of the torrents you're currently downloading, odds are they will have a fairly common named one in there - why? Because these people are giving something away for free, but have a hell of a reputation to keep up, so they put out the quality equipment.

I see no reason why this should not, and can not, apply to the underground. That said, what do they mean "takes off" - there have been people willing to do this for *years*.

Re:

[Slashdot Suxxors]

Cocaine's a hell of a drug.

Re:

[nametaken]

I expect it's like any other kind of crime "service". You generally don't pay someone to just rob some random people for you and give you the money. You pay someone to kill a specific person, or help blackmail a specific person/company, threaten someone in particular or knock off a target you have specific requisite knowledge of. In any case, even if they could rip off their clients, they'd have a hard time marketing their "service" again.

I can't see it usually being people taking $450 to "just get some

Re:

[theKiyote]

Honestly? Yes. I think it's a matter of risk more than anything. A writer of a trojan could claim that it wasn't intended to be used for illegal purposes, he didn't mean for it to have any purpose but pen-testing and research, etc., that may help him avoid heavier prosecution than the person who is actually committing the act.

It's a franchise business model

[earlymon]

And given that it's a franchise business model, I guess I'd like to know two things: are there delivery guarantees and does Uncle Enzo know about this?

Re:

[earlymon]

It'll cost you a few trillian, no biggy.

Thanks for the tip - at first, I was afraid that was in Kongbucks but if we're only talking bluebacks, it's practically free.

Re:

[Hordeking]

It'll cost you a few trillian, no biggy.

Note to self: Get a few copies of Trillian, burn them to CD, hand them over for mucho payback!

Re:

[Trent Hawkins]

The better question is: do you really want to hand over your credit card number to a bunch of hackers?

Re:

[fotbr]

Give them a number that was purchased for cash on the street.

Re:

[Slashdot Suxxors]

Just use Pay-Pal's plug-in, it lets you generate one time use CC numbers.

Re:

[b1ad3runn3r]

good reference!

My thoughts on this article.

[Anonymous Coward]

This whole article is based on some blog posting of an email that is offering a trojan toolkit and hosting for it.

We do not know if the email is legit or fake.

This was pimped at some security convention as proof that security online has somehow changed recently. Of course the people discussing it have a motive to make money of the folks who buy security services/software for their companies.

I find this article to be of little value, nothing revolutionary was mentioned, and on the whole barely worth posting

And even if it ISN'T fake.

[Ungrounded Lightning]

This whole article is based on some blog posting of an email ... We do not know if the email is legit or fake. ... This was pimped at some security convention ... Of course the people discussing it have a motive to make money ...

And even if they're being honest:

Any bets whether they found one of the law-enforcement "sting" operations?

Re:

[lxs]

It's obviously viral marketing for the sequel to Uplink [wikipedia.org]

Leet's all hack IP address 422.220.512.13 again.

Bastards

[Anonymous Coward]

Closed-source malware hurts the developer community!

I demand FOSS malware!

Malware Public License

[troll8901]

PREAMBLE
The MNU Malware Public License is a free, copyleft license for malware and other kinds of works...

Re:

[frenchbedroom]

You demand Free / Open Source Software malware ?

A package tour of another persons computer?

[AHuxley]

Old people go on low-budget package tours of countries.
If your a Mac, Linux or Windows user and all you have is instant messenger details. At very best a non-static IP thats days or weeks old?
To be able to skype a real business-like cyber crime expert and have them talk you thru entering another persons computer is so worth $400.
The thrill of reading the real name of the computer owner.
To see the desktop.
Looking deep into the directories, emails, draft letters.
Compressing and sending out all other chat logs.
Leaving malicious code behind so you can always stay in contact.
If there is a hardware upgrade or software problem, friendly help is a just call away.
All from the comfort of your own home.

Re:

[AHuxley]

No data was harmed, like the boats that go out to see the whales or a walk in a state park.
All you come back with is a copy of data.
In one case its pretty pictures of critters and landscapes, in the other its lots of reading.

Re:

[cstdenis]

Take only pictures. Leave only footprints.

Re:

[MindPhlux]

I have the hugest fucking hardon at this moment

Underground Revenue

[Anonymous Coward]

The FBI and CIA really need to do something about this. The revenue generated by spamming and malware could be going directly to funding terro... aww, who am I kiddin, the FBI and CIA already knows that terrorism gets all of its funding by pirating movies and music.

Re:

[Anonymous Coward]

Sadly, the majority of terrorist funding comes directly from the FBI and CIA.

Law enforcement

[Phroggy]

So, if they're selling support, presumably there's a way to contact them, and if there's a way to contact them, shouldn't it be possible to identify them?

Are these activities not illegal?

Re:

[joocemann]

Probably not illegal in Rwanda, lol.

Re:Law enforcement

[QuoteMstr]

Money laundering. Over at Wikileaks, there's a fascinating letter [wikileaks.org] written by a member of the child pornography community. The author goes into quite a bit of detail about the overall organization and operation of the black hat community. You should take the letter with a grain of salt, of course, but it's certainly very interesting.

Re:

[Anonymous Coward]

Wow. That letter gets a +10 insightful. It's a shame that the very people who most need to read (and more importantly THINK ABOUT) its contents never will. Even were the subject not the #1 taboo of the Western world, the fact that it's a small minority being targeted means that the average person simply won't care. After all, small minorities who indulge in far lesser taboos (like the canonical example of pot growing) are rotting in jail and the average person doesn't care.

Re:

[pipingguy]

I read bits of that link and wondered if the writer is a parent.

Sting operation?

[wfstanle]

I don't really know if it is possible to identify them but it might be a good starting point for a FBI sting operation. With time, a FBI plant might be able to worm his way into the operation.

Re:

[troll8901]

Darn, that's insightful.

An FBI Agent's 3 Years Undercover With Identity Thieves [slashdot.org] (Jan 22, 2009)

Re:

[GuldKalle]

You can be pretty anonymous when you check your hotmail through a couple of botnet proxys

Re:

[Renraku]

They're illegal, but the people are either proxied to hell and back so they could be about anyone.

In reality, they're probably in a country that doesn't give a damn and will refuse to let them be extradited anyway.

Yeah, but

[SpaceLifeForm]

does it run on Linux?

Not long now...

[The Raven]

... before we can visit the 'hacker dude' who lives in his apartment, never leaving, sure the government is after him, and who provides shady services for a steep price.

Just as has been predicted by nearly every sci-fi cyberpunk fiction in existence.

The difference being that there will be no plot-forwarding exposition in person... it'll be a credit transaction through a forum or website.

I wonder if evil hackers use credit? Who would trust them enough to give the info out? Do they Paypal? Who would trust any

Re:

[Anonymous Coward]

Actually, I think I'd be more willing to trust websites cybercriminals use for money transactions. After all, if they think it's secure enough to trust their revenue stream to it, it probably is.

Re:

[Anonymous Coward]

Do they Paypal?

Mainly they use e-payment brokers in .ru that are relatively anonymous, especially if you're using fake identities which they of course are.

Re:

[mevets]

| I wonder if evil hackers use credit...
I think they just take the money from your bank account.

It's true

[phantomfive]

A few months ago I was really getting sick of working support lines for Intel, with all the stupid users calling in and complaining about stupid things, and I could do nothing about it (I mean really, if your computer isn't plugged in, it's not my fault!!). So I heard about this new business, and applied for a job as a first-line support rep for a certain malwa^W ahem Alternative Software for the Dark Side company whose precise name I will not reveal for privacy reasons.

The hours aren't great, and the severance package is well, horrible, BUT it does have the advantage that I can send any cases over to the hitma^W ahem Planned Termination and Collections department. Customers are so much more respectful somehow. Maybe I should post this anonymously.

Slashvertisement

[joeflies]

Clicking the link on Vasco in the story just takes you to their home page, but it does not provide any additional content regarding the story on Malware toolkits.

That's pretty dystopian

[Dr. Spork]

There are many smart people who predict the waning importance of states in the new global order, and I'm sure they'll be very excited to hear this. Already, criminal gangs are formidable competitors to many states (for example: Afghanistan, Columbia and Mexico - but the full list would be far longer).

Open source methods of terrorism will mean that the state will probably no longer be the most effective source of personal security in the future, and global financial breakdowns might further encourage something like a new tribalism. In a situation like that, armed criminal gangs might in effect become the government in many regions. Witness, for example, that the Taliban just took over a huge swath of Pakistan and imposed their own crazy law. Pockets like these will be immune to reach of international diplomacy, and they'll probably host stuff like this (and maybe the next Pirate Bay, if they can make money doing it). It's gonna be a crazy future!

Re:

[Darkness404]

If effectively these organizations become the new state, does that make them terrorist organizations or simply another form of government? Government existed for centuries (and still does) on who has the best weapons and the biggest army. Theres a few reasons though why this won't happen so long as the constitution is protected. A) The ability for the public to arm themselves, a small gang can easily terrorize a neighborhood, however, if the neighborhood happens to be well armed, then the fact that the gang

Re:

[mevets]

| The only effective source of personal security is (surprise) individual persons.

If history is any guide, it is "other individual persons", the more, the better.

Re:

[Kjella]

There are many smart people who predict the waning importance of states in the new global order, and I'm sure they'll be very excited to hear this. Already, criminal gangs are formidable competitors to many states (for example: Afghanistan, Columbia and Mexico - but the full list would be far longer). In a situation like that, armed criminal gangs might in effect become the government in many regions.

Not disputing that organized crime is plenty powerful, but in a historical perspective I really doubt the current incarnations are worse than Al Capone, the Mob, various creepy dictators and genocides all over the world. In fact I'd say it's getting tougher and tougher to get away with shit because people have cameras and satellite connections and mass media which means that the kind fo mass exterminations that Pol Pot did wouldn't go so "unnoticed" anymore. The more quiet "don't mess with our business, and

Re:

[Dr. Spork]

No, don't picture this like the Mob. Think of it more like a big Hezbollah, who already perform many municipal services in places ravaged by combat or neglected by the state.

Re:

[AHuxley]

That would harm the only growth area of the US computer ecosystem. The home computer security developers.

Re:

[HTH NE1]

Max Landsberger: Since the 1984 oil discovery in New Guinea, we have sold the Bu!kais hill tribesmen 20 of our S-24 fighters. At $21 million per unit, that's $252 million. This has started a local arms race between the Bu!kais, and their local neighbors the Kla!klalas. Now the Kla!klalas also happen to be sitting an a large amount of oil. And now the Kla!klalas want to buy 20 of our new Slash X-Ray Ultra Pursuit fighters for a total of $480 million.
Pete Helmes: What are the chances of war between them?
Bob N

Don't rush in, give it 18 months ...

[w0mprat]

Pay services start out expensive, proprietary and monopolised. So starts the three stages of business in the information age.

Eventually they become affordable and ubiquitous with competition driving down the market rate.

Finally it becomes difficult to charge for services at all, and micro payment schemes become a stop gap before it becomes unprofitable.

So wait a while and there will be ad-supported crime services!

I expect the major vendors to give it a try first

[Narnie]

*ker-plink*
"It looks like you're trying to herd a botnet. Would you like me to automatically setup your command and control algorithm?"

Yes | No

Do they support Linux?

[erroneus]

I suppose this is yet another "Windows Only" type of thing. It's not all bad being excluded I guess.

It has to be said...

[Fishbulb]

Now that it's a push-button operation:

Announcer: Oh how long can trusty Cadet Stimpy hold out? How can he possibly resist the diabolical urge to push button that could erase his very existence? Will his tortured mind give into its uncontrollable desires? Can he withstand the temptation to push the button that even now beckons him ever closer? Will he succumb to the maddening urge to eradicate history with the mere push of a single button? The beautiful SHINY button. The jolly CANDY-like button. WILL he hold

Sounds like Uplink

[CrystalX]

Oddly, this reminds me of the game Uplink - in which the player is hired to do various attacks on computer systems for a fee.

http://www.introversion.co.uk/uplink/ [introversion.co.uk]

Old News

[clickclickdrone]

I saw another article on this about 18-24 months ago that had a link to a site which looked just looked like Amazon or any other eCommerce site. You got to choose from a variety of attacks, how many attacking PCs you wanted in your botnet, pick a target then enter a credit card and the job was done. Heck, it even looked 'cheery' - all bright colours and all. It was bizarre scrolling down the list looking at the options available.

Re:

[phantomfive]

Telling the true story and being trolled for it, on a forum like this really is the only way I can think of to do ANYTHING about this BS.

Then you are not being creative enough. Here is a much better place to complain about it. [complaints.com] Basically, all TV providers will give you trouble. Just do what I do and stop watching TV. :)

Re:

[Anonymous Coward]

Yo, dawg! I herd you liek being rooted so I put a computer in your computer so you can be rooted while your rooted!