Public offer of Zeus FaaS service on social network

Pierluigi Paganini April 25, 2013

Public offer of Zeus FaaS service on Facebook

My readers know very well the dynamics of the cybercrime enterprise, and in particular the growing interest in monetizing malicious code such as malware, ransomware and, more generally, botnets.

One of the most targeted sectors is banking: the evolution of banking services and their introduction on mobile platforms have made them attractive targets for cyber criminals. One of the success stories of the cybercrime industry is the Zeus malware. Zeus is one of the oldest and most prolific malware families, and it has changed over time to meet the numerous demands of the criminal world. Recall that it dates to 2007, which officially marked the introduction of this cyber threat into the criminal ecosystem to attack banking.

An interesting phenomenon has grown in the last year: the trend of offering in the underground everything necessary to organize a large-scale fraud. Criminals offer malware or entire botnets for rent, including bulletproof hosting and complete kits that in many cases also include information to use during attacks against specific targets. The business is impressive. The model described, also known as Fraud-as-a-Service, has been a great success for obvious reasons: malicious code such as Zeus, SpyEye, Ice IX and even Citadel has benefited from this sales model, and cyber criminals with a few hundred dollars are able to design their criminal operation.

This efficient sales model has remained confined to the underground until now; access to the cybercrime offer was possible only through selected channels, such as black market forums, Deep Web sites or IRC communities. Remaining hidden, the economy has grown “undisturbed”, but it seems to be ready for a great step forward: the exploitation of new channels such as social networks, which could give a devastating boost to the Fraud-as-a-Service model.

RSA researchers have published an interesting article on the topic, showing how the criminal offer has reached a popular social network, proposing a customized botnet panel for the Zeus Trojan.

The malicious application appears to be developed by an Indonesian-speaking development team that has improved a previous version of the popular Zeus Trojan kit. Confirming their commercial bent, the developers designed a publicly visible demo website for would-be buyers, but what is very surprising is that they have also created a dedicated Facebook page with frequent updates and information about botnets, exploits, cybercrime, and their own product (Zeus v …. as saying:

Do you want to become a cybercriminal? Follow us and we’ll tell you how.


The fact that a group of cyber criminals develops its own variant of a Trojan or similar malware is not new; this is possible because the source code of the principal cyber threats is easily available on the black market. The Zeus code was leaked in mid-2011 and many versions have been detected by the principal security firms, but seeing someone marketing a Zeus v1 kit is very singular.

Such an explicit marketing campaign is something new, in my opinion a dangerous signal to the worldwide security community: cybercrime doesn’t fear countermeasures and law enforcement operations, probably because it is based in those countries where institutions are not efficient against criminals.

The global crisis and the significant increase in cyber crimes lead security experts to believe that similar events will become more frequent; criminals are starting to publicly offer and acquire malicious code and rent services for malicious campaigns, following the analysis proposed by RSA:

“The cybercrime underground may have lost most of the access it had to the major commercial Trojans after Zeus, SpyEye, Ice IX and Citadel’s developers all decided to quit vending their malware freely, but it seems that FaaS is definitely keeping things alive in the crime world.”

The main problem today is the difficulty of agreeing on a globally recognized legal framework to address cyber criminal organizations; law enforcement urges the establishment of severe penalties and a shared effort to fight a battle against an invisible enemy that doesn’t have a specific geographical connotation.

As long as cybercriminals have the opportunity to hide in a country whose government will not properly prosecute them, it is impossible to stop the cybercriminal wave.

Stopping cybercrime is a global urgency!

Pierluigi Paganini

(Security Affairs – Cybercrime)
