While cyber-criminals are becoming more organized in order to monetize their malware and online fraud efforts, researchers contend that technologically simple attacks remain just as effective for stealing information as newer, more sophisticated programs.
Criminals continue to steal millions of forms of identification using phishing schemes and spyware programs, and there is little evidence to suggest that the attackers need to adopt more advanced programming techniques to continue to carry out their work, according to Mark Harris, global director of SophosLabs, the researching arm of anti-virus specialist company Sophos, based in Abingdon, England.
Security experts have decried the creation of increasingly complex malware attacks, such as so-called polymorphic viruses that can change their signatures with each new infection to go undetected and continue to spread on their own. However, most personal information continues to be stolen using variants of well-known spyware and Trojan attacks.
Security software makers and internal IT departments are well-versed in finding and blocking such attacks, but the sheer volume of malware threats combined with continued lack of discretion on the part of users is allowing comparatively crude programs to continue to reap rewards for criminals, according to SophosLabs latest research.
Since enterprises are being slammed with so many threats, attackers can manipulate their programs very minimally and find a way to fly under the radar, Harris said. The fact that most attacks also propagate themselves or serve as a front door to other malware programs remains another significant obstacle to progress, he said.
“The sheer volume and frequency with which threats are changing, and the integrated, cascading nature of malware will keep things going strong,” Harris said. “The code writers are changing their techniques slightly every few hours, changing their domains once or twice a day, and that is enough to keep the stolen identities coming in. Malware is becoming like the spam problem in that the attacks are moving across a number of different sites very quickly, making them harder to stop even when you know what they are.”
Some experts maintain that there are large numbers of organized groups selling and distributing malware code for a profit and to aid their own criminal efforts, but Harris said that picture may be giving hackers too much credit. There may be a handful of groups such as the people behind the WebAttacker spyware kit, which sells for $20 and includes tools that allow someone using the program to measure its efficacy in infecting machines, along with a “customer support” program and software updates, but it is unlikely that many such organizations exist, Sophos contends.
The majority of attacks are coming from people who are simply re-using old threats that still work, and only a few truly organized malware shops likely exist today, Harris said. One of the primary ideas behind that argument is the notion that criminals still have so much success using basic programs that can be acquired for free that there is no need to upgrade.
“There are some instances of smart people, and its unclear how much of the older malware is being sold, versus how much is simply reused, but the vast volume of malware is low-tech,” Harris said. “Its fairly straightforward to create the attacks with the free tools that are available, even a fairly targeted banking Trojan, so why try to build anything more complex when the old stuff still works?”
The truly organized element of the malware industry is in the business of taking advantage of the stolen information. For the most part identity thieves are looking to sell their looted data to someone else relatively cheaply, because very few have the ability to turn using the data into a profitable criminal enterprise, Harris said.
Harris said the fact that most attacks are generated by smaller groups and individual code writers may make it easier for security software makers to isolate and defeat the threats, but it does not make it any more likely that researchers, businesses and law enforcement officials will be able to track down the criminals responsible for creating the malware.
While law enforcement agencies struggle to find the budget to fight online crimes and communicate more effectively amongst themselves, users such as banks, which are the target of many of todays threats, remain more concerned with long-running security issues such as traditional credit card fraud schemes, Harris said. The lack of a clear leader in fighting the problem is making it even harder to create the atmosphere that will be needed to bring malware writers to justice, he said.
And even when law enforcement groups can be convinced to hunt down the IT attackers, there will be always be someone new getting into the business as long as malware programs, especially low-tech threats, continue to dupe so many PC users, Harris said.
“There will need to be large numbers of people affected by a major attack for law enforcement to even take notice, and once someone is investigated in the United States, they can easily move their operations overseas,” Harris said. “Its essentially the same problem as controlling drugs; maybe there are only a few large cartels who are at the top of the food chain, but once you eliminate one, another takes its place. As long as malware is profitable, Im not sure that there is anything that [security] vendors or law enforcement agencies can do to stop it.”