Earlier this month, Spanish authorities and security researchers worked together to track down and capture three Spanish men behind the "Mariposa botnet," a network of almost 13 million computers across 190 countries.
The breaches discovered were far-reaching. The botnet compromised systems across several Fortune 1000 companies and 40 financial institutions. At the time of his arrest, one of the botnet operators possessed sensitive information about approximately 800,000 victims.
The three men, authorities said, were no computer geniuses.
“These people didn’t have any advanced hacker skills,” said Sean-Paul Correll, researcher at Panda Security, one of the firms involved in the investigations. “They just had resources available to them online and were able to take advantage of them to build this network.”
Once the exclusive realm of highly technical geeks, the doors to the dark world of cybercrime have cracked wide open to individuals with basic computer skills, thanks to easy-to-use software that experts say has become widely available in the last three or four years and made hacking as simple as clicking on a checkbox.
Almost anyone can operate a botnet through simple commands on self-explanatory, Web-based programs. As a result, the number of amateur botmasters is on the rise.
Correll said Panda Security identified 25 million pieces of malicious code last year — compared with 15 million samples detected in the previous 19 years. Sixty-six percent of last year’s malware were data-stealing programs, most of which were produced with do-it-yourself hacking kits, he said.
According to a recent analysis by nonprofit research firm Team Cymru, the number of known Web-based botnets soared from about 800 in the first half of 2009 to 1,600 by the end of the year.
As a result, said Steve Santorelli, Team Cymru’s director of global outreach, graphical and user-friendly Web-based botnets have surpassed the number of complex Internet Relay Chat botnets — networks of infected computers controlled by hackers sending text instructions.
The method had been favored by online criminals since the 1990s.
“You need a modicum of understanding to run an IRC botnet,” Santorelli said. “If you can open an e-mail account, you’re technical enough to operate a Web-based botnet. Your grandmother can build a botnet.”
More fraud tools
At the same time, the market for fraud software has grown.
Hackers today compete to make the most effective and easy-to-use tools, said Cisco IronPort Systems’ senior security researcher Henry Stern.
Last July, for instance, six Web exploit vendors released new products at the same time, he said.
During a three-month project, Stern and other Cisco researchers studied the features of some of the most common tool kits a rookie hacker can employ.
With a copy of ZeuS, the most widespread data-stealing tool kit, criminals can generate millions of detailed reports on each Web site visited by the compromised computers in their botnet.
They can also use the program’s powerful search engine to browse through victims’ machines and find detailed information, such as which banks they use.
“You don’t need to have knowledge of programming or networking-protocol stacks. You just need to know who you want to target, click a couple of buttons and there you have it,” said Christopher Elisan, senior researcher at botnet-detection firm Damballa.
Cisco researchers also looked at Fragus, a state-of-the-art Web exploit kit that allows criminals to use simple on-screen checkboxes to choose the vulnerabilities — the holes used to plant malicious programs in users’ computers.
The program also generates colorful graphics detailing how many victims have been attacked and which operating systems and browsers they use. The program even offers 24-hour technical support.
Cisco researchers concluded that someone without technical skills wanting to engage in criminal activity could do so with an investment of $2,500 to buy software and computer capacity and hire hackers to help him. Older versions of these tool kits can be acquired free.
Criminals often find the investment reasonable considering the potential returns. The FBI recently reported that Internet fraud victims lost about $560 million last year, more than double the amount reported in 2008.
How they attack
Security experts said these cybercriminals usually make their money from distributing spam, crashing Web sites with a flood of traffic, or selling stolen credentials.
While some researchers argue that it requires technical skill to go after the more lucrative targets, others believe even rookies can pull the larger heists.
The trend is illustrative of cybercrime’s evolution from the realm of teenage computer whizzes to a profit-motivated criminal enterprise.
The lowering of the technical bar has allowed more criminals to engage in cyberfraud.