In the wee hours of the morning this past weekend, two young men broke into a suburban house down the road from me. One home invader straddled the 17-year-old resident, waking him and demanding his money. Saying he was getting the cash, the teen grabbed his pocketknife and fought off the two robbers, who fled in a car chauffeured by a getaway driver. The trio, two of whom needed medical attention, were later captured a town over, to the relief of the teen, his parents, and the rest of our tightly knit community.
Waking up to see police cars and a CSI van parked among my neighbors' SUVs and minivans was a frightening experience, one that reminds me to set my alarm, ensure doors and windows are locked at night, and not broadcast our vacation plans on Facebook. Likewise, the recently released "Fraud-as-a-Service: A Look at the Fraud Business in 2012" report by RSA, the Security Division of EMC, should be a shocking cue to CSOs, CIOs, IT professionals, and solution providers.
In its report, RSA returns to a phrase it first coined in 2008, bringing readers into a world of cybercrime bazaars and online trading forums where criminals sell and exchange our private, personal information for their profit. Like any other as-a-service offering, fraud-as-a-service (FaaS) taps the flexibility of hosted software services and infrastructure services to go online, increase automation, and become less complex, according to the report. Ironically, purveyors of FaaS use security in the form of digital certificates and personalized access URLs to keep law enforcement, security developers, and other unwanted users out of these areas of the "deep Web," RSA writes.
Like any other retailers, sellers of stolen data vie with each other for valuable customers, the RSA report says.
A five-year retrospective on FaaS reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support, and buyer guarantees.
Criminals sell an array of items, typically things that help to enable fraud. For phishing, for example, items may include scam pages, spamming services, email databases, junk traffic, email cracking tools, and SMS spoofers. In the world of bot-masters, items could be malware spam, Trojan kits, HTML injectors, malicious code, and encryption services, according to the report.
Often included: customer support via instant message, FAQ page, and Web form. One criminal enterprise, the team developing the Citadel Trojan, even has a mandatory CRM with a monthly, fixed-price membership that is used to support, ticket, and advise members.
Citadel also has advertising space for criminals wishing to push their merchandise to that very targeted audience; it offers a meeting place where fraudsters can garner new partnerships and lets users suggest ideas for the Trojan's next features or plug-ins.
In other words, these guys are very serious about and dedicated to attracting and retaining their criminal customers.
And that means we must be extremely serious about building multiple levels and types of security around our data so it doesn't end up for sale on a cyber-bazaar one day.