Today, in the Wall Street Journal, an article told the story of a software product called blackshades that experts call a "rat" (Remote Access Trojan) which was commercially sold to cyber criminals who wanted to take over a victim's workstation to record their keystrokes, spy on them with their own camera and/or access files on their computer. It was sold at bshades.eu which is now closed but of course can be found at archive.org.
It's a great example of the fifth generation of cybercrime, (see this blog post) which has developed into a mature criminal underground market where elite hackers no longer hack into sites, but develop crime kits for other criminals. Remember who got really rich during several gold rush periods? Not the prospectors, but the people that sold them their equipment. Same thing here. There is a massive amount of money to be made in developing point-and-click attack software that non-sophisticated cyber criminals can buy "off the shelf".
Blackshades was recently taken over by the FBI, and anyone buying their software was visited by cops in both the US and Europe, with all their computer equipment taken away. However, that's the same as taking the drug pushers off the street but leaving the drug kingpins safe in their protected mansions to continue their deadly trade.
Tom Kellerman, Chief Cybersecurity Officer at Trend Micro said "The software is one of hundreds of hacking tools for sale in a 'robust arms bazaar,' the elite hackers of 2014 have evolved to become developers of crime kits as there is an economy of scale around the provision of cyberattack capabilities."
Today, it's easy to become a cyber criminal. You buy a stack of ready-made attack tools, starring with an exploit kit to compromise a legit website that is poorly (or not at all) defended, a mass phishing tool to send "social engineered" email the victim will click on, and then a ready-made malicious payload that will take over the victim's PC. This is the way botnets are being built which then can be profitably rented out.
If end-users (and consumers) are not sufficiently trained against social engineering attacks, workstations will inevitably be infected my increasingly sophisticated malware as the recent wave of ransomware shows. Kevin Mitnick Security Awareness Training is no luxury these days, it's a must. Any user that gets stepped through, will think -twice- before they click on a link or open a potentially infected attachment.
