Among the forms of cyber crime popular today are various flavors of malicious software-enabled theft. A typical example is theft of funds and/or personal data via a banking trojan. Such trojan software can be spread from infected websites to victim PCs in homes and offices. The software surreptitiously enables remote control of these devices, opening up a range of abuses by the person at the controls. The “botmaster” in charge of this “botnet” of compromised computers might extract data and credentials pertaining to bank accounts and sell it to a third party, or he might use it to empty the accounts. It is quite likely that, in global terms, criminals are making millions of dollars a day doing this.
That's the reality of malware today, and as you can see it's a long way from disgruntled kids coding viruses in their bedrooms for fame or kicks. Of course, you may know that already, but were you aware that this is news to many people, including people who use computers at work, and their bosses? That means if you're the person responsible for information security at your organization, these “unaware” people could be the workforce you work with and the management to whom you report.
I am aware of this lack of awareness because I make a point of speaking to a group of “ordinary computer users” at least once a month. I usually ask the group, “How many people have heard of a botnet?” It is not unusual to find only one or two people out of 20 that have. And I don't mean that they can't quite remember the correct term for a coordinated collection of compromised computers, they have no conception of the scale of the industrialization that has transformed malware over the last five years. Furthermore, they don't realize that all the tools and ingredients one needs to get started are readily available and one doesn't need to be a computer expert to commit this type of crime (meaning cyber crime now draws from a very large pool of potential participants).
This lack of awareness obviously has serious consequences for society's ongoing efforts to secure data and prevent cyber crime. How can you take a threat seriously if you don't understand it and can't picture it? That's why I developed a short presentation that I call “Malware Incorporated” to graphically represent this new reality of organized, industrial-scale, malware production and exploitation. By using screen shots of real malware production and management tools – pieces of software that one can buy to build a malware empire, like the SpyEye dashboard shown here – I believe I have found a way to leave a lasting impression on people who see the presentation.
The slides are built around a fictitious – but all too real – criminal enterprise called Malware Incorporated. The mission statement of this enterprise: Turning your data into our dreams. In other words, your information is grist to the mill of Malware Inc. A range of techniques are used to acquire your data and well-developed machinery exists to process it into wealth, to be enjoyed by the owners and operators of Malware Inc. Indeed, today's malware production and exploitation industry bears all the hallmarks of a mature business model, including market-based pricing for ingredients and skillsets, the latter reflecting a high degree of specialization. That means criminals shifting from traditional crime to cyber crime don't need to do all the work themselves, they can just hire specialists.
I have made the Malware Incorporated slides available for anyone to download and use at their organization. When I have time, I will record my commentary on the slides as well. By more closely aligning perceptions with reality, it should become easier to get people to pay the appropriate amount of attention to the problem that industrialized malware poses and the crimes it enables.