As third-party tools make hacking easier, experts warn of online risks4 min read . Updated: 16 Dec 2013, 12:48 AM IST
Computer hacking and electronic spamming used to be the realm of geeks proficient in writing code. That's no longer the case
New Delhi: Computer hacking and electronic spamming used to be the realm of geeks proficient in writing code and discovering security loopholes in computer operating systems and applications. That’s no longer the case.
Recent research by global security company McAfee Inc., a unit of Intel Corp., shows that there is a multitude of third-party services the would-be cyber criminal can tap online to target unwary corporate entities and individuals.
“What has changed is the ease with which anybody can be a cyber criminal. Today, this has been commercialized and you can buy these tools online," said Raj Samani, vice-president, EMEA (Europe, Middle East and Africa) and chief technology officer, McAfee.“What it means is today’s cybercriminal doesn’t require any technical knowledge."
Back in 2005, a programmer was paid to develop a malware known as the Zotob worm that cost companies whose computers were infected by it an estimated $97,000 to clean up.
Such services now have been extended to every element of cybercrime, which has become a multi-billion-dollar industry.
The McAfee research classifies these services under four categories—crimeware-as-a-service, cybercrime infrastructure-as-a-service, hacking-as-a-service and research-as-a-service.
They include selling and buying malware, spam services, hosting services, discovering system vulnerabilities, credit card information and distributed denial-of-service (DDoS) attacks, which makes a machine or network unavailable to the targeted user.
“The growth in the ‘as-a-service’ nature of cybercrime fuels its exponential growth, and its flexible business model allows cyber criminals to execute attacks at considerably less expense than ever before," says a McAfee research report.
These are illegal, professional-looking websites, which provide customer services like feedback email, service agreement and helpdesk numbers. Popular examples include Gwapo’s professional DDOS service and BlackMarket Reloaded.
“In the past, to bring down a website, you had to know certain people and certain circles. But you don’t need that now. You can go to websites where you can acquire these services. All you need is the URL (uniform resource locator) that you want to hit," said McAfee’s Samani.
“Outsourcing these activities to somebody you know has always been there but what is changing now is that you don’t need to have any prerequisite knowledge, or a person who knows this stuff. You just need to have access to a search engine and you just need to be pretty good at searching."
“That’s the biggest implication for any country," he said.
Though estimating the size of the industry is difficult, experts say the increasing malware and spam traffic on the Internet shows it’s ballooning.
According to McAfee, there are 60,000 new malwares hitting the Internet every day. In September this year, global spam volume reached around 4 trillion spam messages.
“We can’t really put one figure on it. According to one of our researches on virtual currency and electronic money platform, a recently closed down money platform was estimated to have laundered approximately $6 billion," said Samani. “That is just one strand of it."
India as a target
India, according to experts and industry veterans, has always been a soft target.
“Sixty five per cent of Indian users either do not have basic security softwares on their systems or they use free and pirated version, which are not effective against new malwares or botnets hitting online every day," said Jagannath Patnaik, director, channel sales (South Asia) at computer security firm Kaspersky Lab. “It makes India a very common target."
“Selling services like malwares or botnets or account information has become a multi-billion industry. There are now some state-sponsored services as well to carry out the attacks," he added.
A botnet, a word derived from robot and network, is a program used to send spam email or carry out DDOS attacks.
India was the sixth largest victim of botnet attacks globally in the last quarter, said McAfee.
Action to combat the growing menace has run up against jurisdiction issues.
“One of the reasons why cybercrimes have been able to take that digital leap is because you can basically go out and attack a business and you could track a person behind it, but the fact is the attacks could be coming from anywhere in the world and this is what makes it difficult," said Samani.
“Indian police has jurisdiction over India but if a person is using a service located in Europe, then the perpetrator is located well outside the local jurisdiction. In this case, Indian police will have to go out, which will make the process considerably difficult."
“Technology does not respect international boundaries or jurisdiction, whereas from a law enforcement perspective, it cannot do that. That is what is making it difficult, and that is why many people feel it safe to go out and use these services," he added.
Samani, who also serves as special adviser to the European Cybercrime Center, an arm of the European Union’s law enforcement agency Europol, said international collaborations are the way to go to fight the trend.
“We do have an international law enforcement collaboration ready to go out and combat cybercrime. When the crime that has happened is outside the purview of local jurisdiction, the bigger question we begin to ask the law enforcement society...is how do we bring about collaboration among multiple law enforcement (agencies) to face broader challenges," he said.