Malware as a service: the industrialisation of phishing
Imperva has discovered a new phishing kit. Phishing kits have been around for some time, but this one is a bit different: it illustrates the evolution of crimeware and the development of cybercrime.
“It started a couple of weeks ago,” explains Amichai Shulman, Imperva’s CTO. “We noticed a new phishing campaign against PayPal. We don’t examine all phishing campaigns – they’re not uncommon – but this one seemed a bit different, and was growing very fast. We decided, OK, let’s take a deeper look into it.”
And when they did, they found that it really was a bit different. This one leverages the cloud to maximise business. “When we examined this campaign we found the drop server used to collect the phished credentials was not one of the servers that was holding the phishing campaign itself.” This gives the campaign infrastructure persistence. Usually, when the main phishing server gets taken down, the campaign is also shut down. But with this approach, since the data collection is separate from the phishing site, the hackers only need to re-post the web front end in a new location to be back in business.
“We tried to access the drop server where the stolen credentials were being stored and it looked like there was some protection around it. So we used the phishing campaigns themselves to inject code into the drop server. This allowed us to track access to the stolen data and to dig deeper into the drop server.”
What Imperva discovered was nothing less than the industrialisation of cybercrime. The drop server hosted the phishing kit software. This is given away free to multiple wannabe hackers. Each participating hacker got the kit and a private storage area on the drop server. What isn’t clear is whether these wannabes knew that the kit developer – let’s call him the master hacker – had his own access to all the different storage areas.
“We found,” explains Shulman, “that the whole hacking scenario is becoming industrialised. There was this master hacker, and he was a software distributor – that’s what he did – he supplied back-end services for phishing campaigns; malware as a service if you like.” And the software is quite good. “It has a really nice GUI, a very intuitive GUI, that allows the subsidiaries to generate and register phishing campaigns with that master server. Once they register and generate the new campaign, they get a user name and password, and all the files required to create a site that looks like their target. The software supports a number of different targets: PayPal, Hotmail, Yahoo, and so on – so any subsidiary can download, register a new campaign, generate the files, and put those files on the server.”
It’s a clever business model. The master hacker is not involved in the phishing activity; he doesn’t have to worry about costs, such as the cost of sending out the spam that does the phishing. “We saw a number of different campaigns launched through this infrastructure a couple of weeks ago,” said Shulman. “I’d say probably in the hundreds. Considering that every campaign would yield a few dozen stolen credentials, we know that this is not a bad earning for the master hacker.”
So what does this tell us? It tells us that businessmen are moving into cybercrime. Imperva’s analysis of the phishing kit suggests that this master hacker is not one of the world’s elite technical hackers. The technology is not that advanced. But the business model is new, and it is well executed. The master hacker recruits an army of petty thieves from the bottom of the criminal food chain to do the donkey work and pay the costs; and he just sits back and reaps the rewards. It is the entrepreneurial side of cybercrime: malware as a service delivered in the cloud.