Cyber Crimes Tool Kits for Sale on Internet with 70,000 Versions

Tech gear used for years by savvy cyber criminals has been mainstreamed and packaged for wide dispersion  across the Internet at inexpensive price. These cyber crime tool kits make possible automated fraud, and the top hacking tools are now being sold for prices ranging from less than $100 up to $1,000. The most advanced models are sold with detailed customer service, offering up to 12 months of technical support to ensures the kits stay up to date on the  latest web vulnerabilities.

Yuval Ben-Itzhak, CTO of Finjan security has released an IT risk report in which he discusses this new criminal innovation, saying: “Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the Crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it.”

The business  model is not so different from the largest legal software makers, offering personalized products to make sure the market they are trying to crack has the proper tools localized for it. Finjan claims the next plateau of cyber crimes tools will connect the thieves to the stolen-information markets looking for the same exact kind of purloined data. Such a development could mean the entire process becomes automated, and therefore is that much less risky to the criminals

Ben-Itzhak feels police agencies should be aggressive tracking the perpetrators, saying “The trends described in this report confirm that the security industry and law enforcement agencies should take an innovative approach in handling these Crimeware commercialization threats. Cybercriminals continue to adapt legitimate technologies and business models to support their criminal activities.”

These new tools are already becoming common, according to IT security experts. Tim Eades of security company Sana, says "They are starting to pop up left and right. It's the classic verticalisation of a market as it starts to mature." Eades claims these new services that are offering “boutique virus writing services” will produce malicious codes that even advanced security software will not spot. Such an individualized malicious programs will cost under $30. The state of the art is the notorious MPack , which has proved very popular with criminals, and in late June 2007 was used by one person to attack and compromise over 10,000 websites in a single assault. 

The MPack toolkit will swipe bank account information, like user names, passwords, credit card numbers, Social Security numbers, ATM and PIN numbers. It goes out as a Trojan virus that lies in wait on the victim's PC until he or she goes to their online banking site, and accesses their account. It then springs to life and begins stealing all the users sensitive financial information. The stolen data is then sent to the criminal's server via an encrypted SSL connection, and the victim never even knows their security was compromised.

Analyst Paul Henry, VP of technology evangelism at Secure Computing, claims the overall number of downloadable hacking tools is multiplying fast. Henry claims there were more than 68,000 downloadable hacking tools available. At the same time, the technical difficulty of these tools is lessening daily, with the kits Mpack, Shark 2, Nuclear, WebAttacker, and IcePack being especially easy for novices to successfully employ. Henry claims that another problem is that so many systems vulnerabilities have been discovered by the designers, whereas the bugs were taking a long to be patched. Henry says, "MPack used more than 12 different vulnerabilities that were launched against any web browser that visited any compromised site.”

Another worry is the relative ease with which new kits can be created, and the creators have little to worry about in terms of personal risk, or being punished in any way. The kits contain a disclaimer that they are “distributed for educational purposes and the user accepts any responsibility for any misuse." In fact, only risk faced by most hacker groups creating professional, mass-produced hacking tools is having someone else steal them and sell them at a lower price.