Like their counterparts at major universities, criminal professors are teaching the next generation of cyber criminals via Skype, online courses, and individual tutorials. They're also offering hosted, cloud-based fraud services that enable less sophisticated criminals to wreak havoc from afar.
These illicit classes are part of a growing fraud-as-a-service (FaaS) trend that should be striking fear in corporate IT and security professionals, law enforcement, and consumers around the world. Modeled on other as-a-service initiatives, one ultimate goal of FaaS is to place "graduates" with the increasingly powerful organized criminal groups behind many of today's data breaches. Indeed, some teachers go so far as to advocate for their students, vouching for those who display talent in cracking systems, reported RSA in its recently released report, "Now Registering for Classes at Cybercrime U."
Just like some professors you may have had when you studied for your Bachelor's degree, these teachers of cybercrime can be strict. Some, for example, mandate at least two hours' advance warning if a student cannot attend class, and fine those who fail to fulfill this obligation up to half the fee, RSA wrote. Students who don't pay absentee fees lose their entire deposit, the report said. Depending on the class, RSA cited prices ranging from about $25 per hour to $120 -- frighteningly little for the return on investment a criminal can expect, especially considering the small percentage of cyber criminals that ever end up in jail.
Classes themselves include a beginner's course that covers topics such as the business of fraud, legal aspects, building your business, and transaction security. Card fraud courses focus on drops, advertising, and accomplices; chat rules and conventions; dealing with law enforcement, what can be collected as evidence, and who is accountable for crime in organized groups; developing top service and acquiring customers; as well as patterns of rippers and ripping, how to identify scams, and how to use escrow services.
Courses in anonymity address the various tools available, such as chat channels like Skype, Jabber, and ICQ; plus firewalls, virtual keyboards, and VPNs. There are also courses on mules, which criminals use to carry and drop items. Carding -- or how criminals can use different payment cards in fraud -- is a popular topic, RSA said. Topics include working BINs, websites for consumer items, tips and tricks, and tested sites.
In addition, ambitious criminals can take one-on-one courses on banking and credit cards, debit cards, registering and using shell corporations, legal liability issues, and setting up anonymity, RSA said.
Building further on the as-a-service model, lawbreakers can buy Trojan FaaS kits that include a Trojan such as Zeus, SpyEye, Ice IX, or Citadel, RSA reported earlier this year. FaaS deals typically include "bulletproof hosting at a discount, free set-up services, hands-on tutoring, and malware-campaign help wrapped into affordable combos," the security firm wrote. So now cyber criminals don't even need to know how to hack. They can hire an illicit form of managed service provider to do their dirty work for them.
Whereas these criminal services were once advertised solely on underworld networks, some are now brazenly promoting their wares on Facebook. RSA found a customized botnet panel programmed to work with the Zeus Trojan up for sale, apparently by an Indonesian-speaking malware developer, the company wrote. The malware developer promoted its criminal wares on a Facebook page that included frequent updates and information about botnets, RSA said.
So with little money, felonious-minded individuals are easily armed for financial warfare on the targets of their choice. They are banding together to attack financial institutions, publishers, repositories of consumer and corporate data, military bases, and anyone else they want -- or are paid to -- take down or steal from.
It's always easy to accuse security firms of fear mongering. Remember the early days of PCs, when some muttered that anti-virus developers actually wrote the viruses they protected against? But everything in RSA's report makes sense, from hackers' organizational model to their expansion into social media, from their educational initiatives to their use of videoconferencing. Add insight into terrorists' use of hacking and the model's accuracy becomes even more apparent.
Law enforcement must proactively work with social media sites to track down and close pages openly selling malware and FaaS. They must work together across borders to prosecute offenders and break up these networks. And organizations must never let down their guard or reduce their security resources. There's too much to lose.
— Alison Diana, ThinkerNet Editor, Internet Evolution