Price of cybercrime tools shrinks

SAN FRANCISCO--It's becoming cheaper and easier to get hold of the tools needed to launch a cybercrime attack, according to security company RSA.

Jens Hinrichsen, the company's product marketing manager for fraud auction, said Thursday that RSA has been monitoring the Web sites and ICQ channels where malicious hackers and cybercriminals interact. These sites allow participants to share feedback and even review one another's products.

Addressing an audience at the RSA Conference 2007 here, Hinrichsen showed several screengrabs to illustrate that the prices being asked for hacking tools have been dropping, with many participants embracing volume discounts and other incentives.

One example was a post offering a "Super Trojan," which could be used to install malicious code on a victim's PC, for $600.

"What's interesting is that this is actually a reviewed vendor, who actually had a lot of good transactions. He's offering this custom piece of crimeware for only $600," said Hinrichsen, who added that he "loved the term 'Super Trojan.'"

"So, when we talk about the ever-increasing ramp-up of more sophisticated tools," he said, "the prices are coming down."

Another example was someone selling e-mail address lists and log-in details for sites such as eBay.

"For one to 10 accounts, this guy would charge you five bucks per account. But they've got discounted rates--just like any other institution would offer their customers. So if you buy 10 to 50 accounts, he'll give it to you for $4.50 each. Fifty more accounts would be $3.50 each," Hinrichsen said.

Other examples shown included a list of 15,000 e-mail addresses, which had all apparently been verified as genuine, for sale for $1,500, a hacked root server for $100 to $150, and someone offering to host a financial scam on his Web site for $20 per day, or $80 for a week.

Graeme Wearden of ZDNet UK reported from San Francisco.

[wbenton]

Who said crime doesn't pay!

That's why it's proliferating so fast.

The public screams privacy when there is any talk of policing the internet, but unless you police it... these things will continue to expound. In the future, the prices will continue to drop... so expect more until the public stops screaming privacy which there isn't any of in the first place... at least on the internet!!!

Walt

[MD525]

Price of Security?

Startling news, but it brings to mind two thoughts. One is just basic, how many of the many to be scammers are actually being scammed by lures of low priced cybercrime tools.

Two, will companies and individuals start paying for security software besides anti virus programs and invest in learning? even if we give the government more freedom to conduct online searches I don't believe we will accomplish much unless the average user starts becoming more aware of threats.

[Schratboy]

Hack tool prices going down...solution prices must go up!

It's no surprise that RSA has become the goose-stepping purveyor of the gloom and doom hacking boom, of course, which they'll be happy to sell you solutions to correct.

Implicit in their warnings are with the lowering threshold of hacker cost, there will be a corresponding increase in activity, ergo RSA is here to save the day. Piffle, I say.

Rather than continuing to buy the industry and analyst-peddled solutions (Unified threats, all-in-one killer appliances and whatnot), attempting to fight off the never-ending onslaught of threats which now numbers in the millions, people have lost sight of a very important and beautifully simple answer: baseline and whitelist what's allowed on the network and zero-out everything else.

Identify all the necessary ports in and out of the network and not what applications/protocols are using them. What applications, content and communications tools are okay for use? Define what constitutes confidential information and how it should be treated. How many workstations and servers are in operations, and who are they talking with? What's acceptable entertainment? Since most businesses fail limit what people can do, they invariably fail in their reliance on Web filters. These aren't 100% efficient and do not constitute what is acceptable. Sure, they block 10,000,000 plus sites out of a billion plus, but are you going to let a Web filter company set your policy and operate your business? Those who do are grossly over-exposed.

If people would do the simple things really well, there would be modest requirements needed to operate and secure and productive network. Of course, you'll need the appropriate firewalls, filters and whatnot, but most importantly you'll need information that identifies if the equipment is performing effectively and if not, where additional input is needed.

Constantly reacting to unknown threats by throwing more and more technology at the problem is a dream-come-true for the likes of RSA, Symantec et al. For those who see the dream for what it is: a nightmare of escalating costs and insecure operations, take heart. Take care of the simple things and the bigger problems will take care of themselves.

[ml_ess]

Lower prices

Cybercrime tools aren't the only ones that are dropping in prices; low-cost security software is now available too. The question is when businesses and government organizations will start to research and invest in such solutions.
Here's a supplemental article from CPA Journal regarding security and SMBs: http://www.nysscpa.org/cpajournal/2006/706/essentials/p51.htm