The tool is part of a much larger trend toward user-friendly hacking tools, developed and distributed by corporate-like entities that are becoming like the Oracles or Microsofts of the malware world.
There’s now a full-fledged market for groups offering access to easy-to-use malware on a subscription basis, experts say. And because the tools require little to no technical skill, the barrier to a life of cybercrime is much lower than it was in the early years of the Internet.
The result has been an explosion in criminal activity that has left consumers vulnerable to having their financial information used for fraudulent transactions or having their personal information sold online.
“It’s gone from being a couple of guys developing malicious software to actual organized crime groups” on the development side, said Tyler Shields, an analyst at Forrester Research.
Malware groups often have a hierarchical leadership structure and pay for development of malicious software, as well as marketing and distribution, researchers and federal investigators say. In the big leagues of this underground economy, malware rings mirror the economic models of legitimate businesses.
But they’re also widely distributed — with groups often having members all over the world, experts say. “You might have a developer in Ukraine or Russia, a distributor in the U.S. or the U.K., and leadership somewhere else entirely,” Shields said. “We’re talking hundreds of people across nations around the world working in concert.”
That’s an awful lot of coordination and managerial skills. “If you want to excel as a cyber criminal,” Shields said, “go get an MBA.”
The reason for the explosion in the commercial malware market is simple, Shields said: There’s money in hacking — through the sale of sensitive data or the tools that can enable breaches — and the market has moved to take advantage of the situation. Pursuing a life of crime online also can be safer than pursuing one in the physical world, said Raj Samani, vice president and chief technical officer for McAfee EMEA. “You don’t go to a shoddy neighborhood to buy drugs — you go to an online black market. You don’t walk into a bank to rob it — you go online,” he said.
Now, most anyone can be a hacker.
“There are a lot of them who don’t have the technical skills, but just want to get into crime,” Haley said.
As a result, law enforcement officials say they are beginning to focus on those who develop the malware, not just the people who use it.
“We tackled this malware starting with those that put it in the hands of the users — the creators and those who helped make it readily available, the administrators,” George Venizelos, assistant director in charge of the FBI’s New York field office, said in a news release about its Blackshades enforcement action.
Blackshades, the target of the recent FBI crackdown, is a part of a category of malware called Remote Access Tools (RATs), which allow criminals to have almost unlimited power over a breached computer. The FBI says the malware toolkit was available online for $40 and “purchased by thousands of people in more than 100 countries.”
These types of tools are migrating to mobile devices, too. Last week, Symantec released a blog post about iBanking, a similar threat facing Android mobile devices.
Once the tool is installed, the user can do almost anything. And like Blackshades, it’s easy to use. “There’s a nice user interface on the back end that allows the hacker to control not only that phone but multiple phones if they’ve infected them,” he said.
Users are infected with the program through a social engineering hack: a pop-up, shown when the device is connected to a desktop already infected with malware, tricks them into thinking a bank or social network needs to install an app on their device.
As the groups behind malware become more organized, so must the law enforcement tactics used to fight them, experts say — as evidenced by the Blackshades action. “Law enforcement has had to change from tracking down individuals to more of the traditional organized crime levels of infiltration,” Shields said.
Haley hopes the Blackshades crackdown was a wake-up call to those in the cybercrime business, reminding them that there’s a risk to becoming involved in the industry.
But overall, experts say, software as a service has enabled a growth in the number of cybercriminals — and that growth leaves consumers and businesses at greater risk. Symantec’s most recent annual threat report noted a 91 percent increase in targeted attack campaigns and a 62 percent increase in the number of breaches in 2013. That was only 253 total breaches, but eight of them exposed more than 10 million identities each.
“In total, over 552 million identities were breached in 2013, putting consumers’ credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, log-ins, passwords and other personal information into the criminal underground,” the company reported. As bad guys become more organized and professional, their onslaughts are harder to defend against.
Retail firms also have been hit with credit card breaches in recent months — including Target, where a breach compromised up to 40 million customers’ financial information as well as other personal data related to as many as 70 million customers.
But hackers aren’t always going for mega-chains, Symantec said. According to its research, medium-sized businesses with 251 to 2,500 employees were the target of 31 percent of the personalized phishing attacks it saw in 2013 — up from 19 percent the previous year.
For consumers, personal computing use has become more risky — a bad link or attachment could mean the installation of the next Blackshades. But there’s also more risk when you hand over data to third parties, Samani said.
Even if consumers are taking significant personal measures, anything they give to a third party puts them at the mercy of someone else’s security measures, he said. And if those security measures are breached, the data is at the mercy of whoever gets their hands on it.