Report: Hackers Making Contracts for Spam

Sept. 17, 2007
Thieves selling their code to middlemen who spread phishing and pharming attacks

SAN JOSE, Calif. -- Online crooks are quickly enlarging an already vast sales and distribution network to propagate spam and send malicious software in hopes of infecting millions of computers worldwide, according to a new report.

In a report to be released Monday, security software maker Symantec Corp. says sophisticated thieves sell code to criminal middlemen for as much as $1,000 per program. The middlemen then push the code to consumers, who may be duped into participating in a scam, or who may have their passwords, financial data and other personal data stolen and used by identity theft rings.

The savviest hackers lock middlemen into long-term service contracts so they can automatically push the newest exploits on unwitting consumers and compensate for patches developed by legitimate programmers.

The agreements - not unlike contracts between software powerhouses such as Oracle Corp. or Microsoft Corp. and their corporate clients - leave a trail of code that, in principle, makes it easier for authorities to catch both the hacker and the person who's buying the program. But researchers who worked on Symantec's newest Internet Security Threat Report said the amount of money to be made from computer attacks still outweighs the danger.

"These people are taking a huge risk, and either they're stupid - which we don't believe is the case - or they're making big money," said Alfred Huger, vice president of Symantec Security Response.

Symantec's new report covers the first six months of 2007 and draws on attack data gathered from more than 120 million computers running Symantec antivirus software and more than 2 million decoy e-mail accounts designed to attract spam and other shady messages from around the world.

Among the findings:

- The sale of stolen personal information online continues to grow. The United States is the top country for so-called underground economy servers, home to 64 percent of the computers known to Symantec to be places where thieves barter over the sale of verified credit card numbers, government-issued identification numbers and other data. Germany was second and Sweden ranked third.

- China had the most computers infected by Web robots, or bots - software that performs automated tasks online, such as propagating spam, often without the knowledge or consent of the computer's owner. China had one-third of the world's computers conscripted by "bot herders."

- The number of threats caused by malicious code has ballooned. In the first six months of the year, 212,101 new malicious code threats were reported to Symantec, an increase of 185 percent over the previous six months.

But researchers agreed that professional-grade service agreements between cyber criminals and their agents were the most alarming trend.

A small number of malicious "toolkits" - bundles of exploits that allow criminals to customize their own scams and attacks - is responsible for a growing number of attacks.

Only three toolkits were responsible for 42 percent of the 2.3 million so-called 'phishing' messages spotted and blocked by Symantec during the first six months of the year. Crooks use phishing messages to try to steal personal and financial information by tricking people into entering private information into bogus Web sites that look like the sites of legitimate brands such as banks or popular retailers.

Such toolkits cost $300 to $800.

Another widely available toolkit in early 2007 - called MPack - sold online for $1,000 and allowed users to launch attacks in Web browsers against people who surf on malicious or compromised sites. In some cases it appeared to come with a support pack from its authors, Symantec said.

"The reliability and robustness of MPack implies that it benefited from professional development," researchers wrote.

Other researchers discovered more hopeful signs.

According to a report expected Monday from IBM Corp.'s Internet Security Systems X-Force researchers, the number of computer vulnerabilities either publicly disclosed by companies or discovered by threat researchers declined during the first half of the year.

IBM tallied 3,273 vulnerabilities - down 3.3 percent from the first half of last year. IBM said it was the first time the vulnerability numbers fell during the first half of the year since X-Force began cataloging them in 1997, when there were 106 known vulnerabilities.

Copyright 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.