Who uses attack toolkits? The graphics on the login page for the top-selling Crimepack attack toolkit -- reproduced in the recently released "Symantec Report on Attack Kits and Malicious Websites" -- provide a clue: The Crimepack name appears over a pair of brass knuckles. A futuristic-looking mobile device is the graphic backdrop for entering username and password. The surrounding surface is littered with a wallet, scattered $100 and €50 bills, a Colt .45, and white powder.
In other words, the attack toolkit's graphics strongly suggest a product being marketed to young, male criminals with a smattering of computer and networking knowledge and too many hours of Mafia Wars under their belt.
"It used to be that a lot of the cybercrime was computer guys who got into crime. They were really good at being computer guys, but not so good at crime," says Marc Fossi, executive editor of the Symantec report. "Now with the kits, you have guys who are good at being criminals, they know about things like money laundering and using money mules, and because of the kits, they can get into cybercrime." They're also better than the geeks at not getting caught.
Computer and networking savvy is no longer a prerequisite for launching online attacks, as today's toolkits do it all. "For the most part, they've become ridiculously simple to use -- as opposed to some of the attacks you can launch with them," says Fossi, who likens their evolution to Web pages.
Just as coding Web pages by hand in Notepad gave way to WYSIWYG applications, and Web sites today can launch an e-commerce capability with little more than the click of a button, today's attack toolkits automate previously time-consuming activities, such as hand-coding obfuscated iFrame code that will surreptitiously redirect a browser to a malicious Web site. "Obfuscating iFrame code is something that people can do, but it's very tedious to do it yourself, by hand," says Fossi. But he found that the Fragus toolkit will do it for you, buying criminals more time for launching attacks. In business terms, it's a win-win for crimeware vendors and their customers.
Successful attack toolkits likely earn their creators a lot of money, which gives them more incentive to innovate, creating easier-to-use software that can exploit the latest vulnerabilities and earn them even more money. Toolkits also sustain a complementary cybercrime ecosystem. This includes command-and-control botnets, malicious advertisements, spam campaigns that deliver attack code, and poisoning search engine results to redirect people to sites that install the attack kit malware via drive-by downloads. The better the ecosystem, the more effective the toolkit.
But that success can come at a price, as Fossi found on a forum where criminals sell stolen credit card data. "One funny thing we saw is that they'd banned all advertising for the Zeus kit, because it was attracting too much attention to their forum," he says. "Because obviously it's not just people who are buying the kits who are searching for it, but also law enforcement."
To be sure, some criminals are being caught. "In Operation Trident, they allegedly used Zeus to steal about $70 million over an 18-month period, so it's not like this is all small potatoes," says Fossi. But as with all lucrative criminal pursuits, a few arrests probably won't stop people who crave the profits.
What's a business to do? Interestingly, Iftach Ian Amit, VP of business development at security consulting firm Security Art, found that criminals even use toolkits for attacks aimed at stealing specific types of information. These attacks tend to target not a specific individual or device, but a small group of users. While attackers may tweak the attack code, oftentimes they don't have to.
Accordingly, study how today's attacks succeed to identify the best defense. "Just as the attacks usually include a social engineering element, the defense should focus on the weak link: people," Amit says. "Most organizations, however, are still looking for a technical panacea."
Instead, he recommends more frequent training and education for employees, to help them spot and defend themselves against the latest attacks, especially exploits with a social engineering component. In other words, be vigilant. And that means not relying on technology to save you.