'Credit card theft? There's an app for that'

"INTERESTED in credit card theft? There's an app for that." So says Gunter Ollmann, a security researcher at Damballa, a company based in Atlanta, Georgia. He and others are warning of a burgeoning cybercrime service industry, one which lets people with next to no programming skills steal a fortune in cash or get hold of sensitive government documents.

Would-be hackers have long been able to buy rudimentary software packages that can be used to build malware, such as code that can steal online banking passwords. Now these hacking tools are being supported with a range of services, some with a money-back guarantee, that makes it easier than ever to create and spread malware.

"There used to be only a small number of clever criminals who could pull off these attacks," says Patrick Peterson of online security company Cisco in San Bruno, California. "Now there is a much lower barrier to entry."

One such software kit, known as Zeus, epitomises the commercialisation of the malware services industry. Like other malicious software, Zeus can easily be bought online, in this case for between $400 and $700. Detailed instructions on how to use it are readily available, too.

What sets Zeus apart is that it enables someone with minimal computer skills to create sophisticated malware that can be used to steal online banking credentials or sensitive documents. "It represents a sea change in innovation, beyond anything we've seen before," says Peterson.

As an example of what is possible using Zeus, one recent attack netted sensitive US government documents, reports Nart Villeneuve, a security researcher at the Munk Centre for International Studies at the University of Toronto, Canada. The attack began in February with a series of emails sent to senior officials in the US military, the Federal Aviation Administration and other government agencies, purporting to contains links to vital security information.

In reality, clicking on the links resulted in malware built with Zeus being installed on the user's machine. The attack was sophisticated enough to dupe some of its targets, and as a result 81 machines were compromised. Villeneuve was able to identify 1533 documents from the compromised machines that ended up on a computer in Belarus, including defence contracts, documents relating to biological and chemical terrorism and the security plan for a US airport. The identity of the person who siphoned off the documents is unknown.

The ease with which Zeus can be used has been enhanced by the support services, including customised hacking tools, that have grown up around it, Ollmann says. If, for example, criminals know that the computer they are targeting is in Spain, they can plug in additional software designed to mount attacks on Spanish banks. Plug-ins like this are available online for around $30, Ollmann says.

The key to successful malware lies in tricking users into unwittingly installing it. And now even dilettante hackers can spread their malware by paying more technically adept criminals to do it for them.

Peterson cites the example of Fragus, a sophisticated piece of software he first observed last summer. Fragus is deployed initially by skilled hackers, who break into web servers and install it. Once in place, it searches for vulnerabilities in the browsers used by visitors to these websites. If it finds a way in, Fragus can be programmed to covertly send a piece of Zeus-created malware to the visitor's computer. This allows hackers to sell malware installation as a service to less skilled criminals.

 www.newscientist.com