Clik here to view.
Image may be NSFW.
Clik here to view.
For years now, if you knew where to shop on the shady side of the Internet cloud, you could pick up a botnet for cheap. But it was so much work to log in to IRC and pay with egold that a busy cybercriminal just couldn’t be bothered.
That’s not a problem anymore, thanks to Robopak. Applying the latest cloud provisioning and marketing analytics technologies, they’ve created an entirely new type of cloud service, Exploits as a Service, or EaaS. Robopak’s EaaS lets you pay as little as $30 per day to access Java, PDF, and IE exploits and roll them out to build your cybercrime empire with elastic capacity.
Sitting somewhere between PaaS and SaaS, the new EaaS takes things that were once only script-kiddie-simple and makes them marketing-guy-simple. It uses obfuscated Javascript that has to be decrypted in two separate parts in order to work. Pretty slick.
More seriously, this shows how easy it is to take IaaS cloud technologies and use them to quickly roll out multitenant versions of just about any app you can think of. PaaS-like payment APIs help to make it easier to get paid too.
I’m particularly impressed with how Robopak uses metrics similar to what you’d find on a marketing campaign to track effectiveness and show that you’re getting your hacker-dollar’s worth. How long before this gets build into Google Analytics? Image may be NSFW.
Clik here to view.
The increase in threats lately is worrisome, especially given this past week’s Epsilon breach (http://www.washingtonpost.com/blogs/faster-forward/post/epsilon-mail-marketing-firm-exposes-millions-of-names-addresses/2011/04/04/AFEPbabC_blog.html) that put 100 million email addresses in the hands of spammers sending malware.
My personal machine is relatively locked down and I follow best practices like using SSH with a proxy, virtual machines, keeping my Trend Micro Titanium software up to date, and not falling for lame phishing attempts. Even though I work at Trend Micro, I have no problem using software from whichever security vendor has the highest detection rate…which is why I choose to use our stuff.
The problem is that my wife has my passwords for a few finance sites (she needs them so she can give me my allowance…) and I am genuinely concerned that she’ll fall for a scam. Her machine is up to date on all the latest security software, but human error is always a factor.
I’ve got to think that if I’m concerned about this, the average consumer is either a) oblivious or b) ready to turn off their online banking.
If we don’t do more to track down cloud-based threats, we are going to see a significant reduction in people’s willingness to conduct financial transactions online. In a world like that, the winners are large sites like Amazon.com and Best Buy, where people will assume their data is safe (despite the new breach), but the losers will be the tens of thousands of small businesses which make sales online every day.
[Ed. note: Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them. For very detailed information:
Discover Cloud Security and Virtualization for the Enterprise
Discover Cloud Security for Small Business & Home
The post New type of cloud emerges: Exploits as a Service (EaaS) appeared first on .
