The next big thing? Crimeware-as-a-service

Finjan says Crimeware-as-a-Service (CaaS) is becoming an increasing problem and the ability of law enforcement to track malicious hackers will become increasingly hampered.

On Monday, Finjan's Malicious Code Research Center (MCRC) released its first quarter Web security trends report (registration required) and highlighted CaaS. finjan's release is timed for the RSA security conference in San Francisco.

The gist: "Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites," says Finjan. In other words, it's point, click and hack.

What makes CaaS a big problem is that the service operators don't necessarily attack anything. These CaaS operators are basically arms dealers that provide customers with anti-forensic attack techniques and the ability to manage cod networks. Finjan has highlighted this trend before, but its report puts a little more meat on its research.

Finjan argues that CaaS is the latest phase in the commercialization of malicious hacking. Next up: A service for getting stolen data that tailors victims to criminal intent. Here's how Finjan sees the commericalization of information security crime developing.

Finjan in its report notes:

(Cybercrime commercialization) is no longer just the trading of data as we have seen in the past,where criminals would offer sensitive business data to the highest bidder, but providing a service that encapsulates the entire attack and infection process, and provides a distilled feed of data that is being harvested as part of the attack. It not only detaches the criminals from the actual work of exploiting and controlling the attacks, but also allows a bigger “market share” in the business of criminal activities on the web.

And here's a possible crimeware data trading scheme:

Finjan paints a glum law enforcement picture.

A service like this will also be the next logical step in terms of the technical development of Crimeware toolkits. Initially we have seen a simple aggregation of exploits, followed by some reporting capabilities. Next came automatic updates, support, and enhancements (such as integration of code-obfuscation and evasive anti-forensics techniques). Currently, we see the rise of the Crimeware-as-a-Service (CaaS) model in the Crimeware-toolkit market. It enables such a toolkit to gather the data from the victims and sort it according to some rough criteria for the users, since all the data and networking is already built-in and available for the criminals and attackers.

This development will further distant the criminals from the techies – a trend that we have seen evolving over the past couple of years. This trend will get a further boost with the catching on of the CaaS model. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised. Although in theory such an operator could be prosecuted for hosting and operating malicious code (depending on the penal code in the respective country in which it is being prosecuted) the impact that the data itself could have on such a prosecution makes it quite academic.

Comforting eh?