SANTA CLARA, Calif. — Apparently, there are some real career paths available in the online fraud business. One can become an identity harvester, a software developer who builds botnets, a delivery middleman, a salesperson–the list is long and resembles legitimate businesses in many ways.
At an analysts’ briefing Sept. 25 at EMC’s Silicon Valley offices, RSA Security head of new technologies Uri Rivner told attendees that the Internet fraud business has grown so large and enmeshed in legitimate online activities that it is becoming increasingly difficult to tell who’s good and who’s bad.
Rivner pointed out two recent trends: a) Fraudsters using SAAS (software as a service) models to sell their services to customers for a monthly fee, and b) the appearance of new super-Trojans that hijack legitimate bank Web sites and fool people into entering personal financial information–such as ATM account numbers and personal identification numbers–into the phony Web site.
In describing the hosted fraud model, Rivner said that if a willing participant knows where to go, he or she can simply order a phishing or other criminal business service online and pay a fee per month to participate as an investor in order to share in the “profits.”
“This fee at one of these services is $299 per month,” Rivner said. “This puts you into the food chain of [identity] harvesters, phony ATM card makers, delivery specialists–a whole infrastructure of criminals.
“There looks to be quite a career path in there for some people. Everybody’s a specialist in this realm, and reputation is paramount.”
Of course, trusting any of these anonymous folks online is another issue that an “investor” or “customer” has to solve.
The second trend, involving the new Trojans–which can get installed on an unsuspecting computer owner’s machine through either opening an executable file or by a browse-by Web site, which is fairly rare–is also a growing problem, Rivner said.
“In this scenario, with the Trojan on the client and working, the user goes to his or her bank’s Web site to make a transaction. The Trojan is alerted to this when the site is brought up. When it does show up, it waits for the user to log on, then brings up the false site, which looks very similar to the legitimate one,” Rivner said.
“Except there’s one difference: The false site has two more lines of information it asks for: an ATM account number and the user’s PIN. Once the fraudster gets that info, the account is soon drained,” Rivner said.
Rivner advised online bank users never to take the sites they use for granted.
“Keep a close eye out for changes in the site. Make sure that your connection is a secure one,” he said. “If anything looks a bit different than usual, that should be a red flag. It’s probably a ruse.”
Most banks do not ask for account numbers and PINs, he said. That would be the first clue that something’s amiss.
Most of these online crooks use IRC (Internet relay chat) to communicate–most often in code–and, naturally, aliases. They build their reputations within the network by getting credit for helping facilitate large fraud deals involving banks, savings and loans, hedge funds and other financial institutions.
More news in the online security sector surfaced Sept. 25, when reports revealed that Neosploit, a black-market hacker exploit kit that many security experts believed had been shut down months ago, has reappeared on the scene and is responsible for an increase in attacks.
Ian Amit, director of security research at Aladdin Knowledge Systems, said that rumors of the kit’s “retirement” last summer were off base.
RSA, one of the most well-established software security companies in the world, has shut down about 100,000 online fraud schemes in the last several years, Rivner said.
“But there are still plenty more to get, and there are new ones popping up every day,” he said.
Home Cybersecurity