Hackers Are Security VARs’ New Competitors

Hackers, malware writers and online criminal elements have operated like businesses for some time. Now, according to research by Kaspersky Lab, these black hat organisations are expanding to include technical support and customer service for their victims. In a way, they’re beginning to mimic security solution providers.

Kaspersky Lab researchers report monitoring criminal syndicates that offer email, live chat and telephone support to people who have downloaded viruses and other forms of malware, helping them install and uninstall their malicious wares. In most cases, these services are a ploy to trick computer users into installing more malicious software. However, a growing number of criminal organisations are offering legitimate support to gain the trust and confidence of their victims. It’s all part of an elaborate network of deceit and social engineering.

Business operations

These hacker-sponsored support services are not fly-by-night operations. At a presentation held in New York City yesterday, Kaspersky senior researcher Nico Brulez described testing the support services of several malicious sites that intended to trick users into installing “scareware,” or faux security software that PC users are tricked into paying for but that does nothing. He says the networks he tested were using real people to staff live chat sessions and telephone support. Some even provided 24/7 services, multi-language support and refunds.

In the background of these hacker efforts are metrics-driven business operations. These criminal elements are setting goals, structuring organisations, managing operations and measuring performance. Kaspersky researcher David Emm says that many of the syndicates are carefully measuring the traffic across their botnets, counting the number of machines infected, and tallying the booty collected from their scareware sales and data-stealing malware. It’s classic total quality management that would have made W. Edwards Deming proud.

Mimicking or impersonating legitimate IT services organisations isn’t a new trick. Recently, British officials uncovered rogue Microsoft partners targeting home and small business PC users with bogus subscriptions for remediation and prevention services. Scareware, a favorite tool of criminal groups, is designed to look and act just like legitimate software, but solely for the purpose of tricking PC users into paying for software they don’t want or need. And malware leverages legitimate error processes and warnings embedded in operating systems to trick users into taking actions that open their machines for further exploitation.

Kaspersky’s researchers say digital certificates used to sign software and updates are increasingly less effective as a means of discerning legitimate from illegitimate applications. Hackers are stealing and counterfeiting certificates for their scareware. Even poorly crafted counterfeits will likely pass muster, as Kaspersky has discovered that Microsoft Windows will only tell a user when a certificate is good; it does nothing to warn of bad certificates. Kaspersky researcher Roel Schouwenberg calls this Windows process “suboptimal.”

Social engineering

Devising schemes for tricking users into clicking on links, visiting compromised websites and giving up their personal and financial information is called “social engineering” in the hacker world. As these criminal elements take on more of a business structure, this process could just as easily be called “marketing and communications.” Kaspersky talks of how these organisations are devising new and sophisticated methods for hooking unsuspecting PC users into aiding and abetting in their own exploitation.

Evolving criminal organisations are looking more like legitimate security solution providers and software companies for a reason: trust. They need the trust of their victims to carry out their malicious and deceptive activities. Acting as a legitimate source of software tools and services, providing detailed technical advice and executing high quality customer service is a means for mirroring the perceived and often assumed trust of professional IT services companies.

Several attempts have been made to create a standard of trust for security services. CompTIA has its Security Trustmark credential, and several security vendors have issued web seals to mark the legitimacy of their partners’ websites. But even credentialing solution providers won’t do much good, as hackers will have no problem compromising the trust brand as they did in the Microsoft case.

As Kaspersky describes it, this trend could mean that legitimate security solution providers find themselves competing with rogue and criminal elements with as good or better offerings – at least at the outset.

Larry Walsh eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
