For years now, if you knew where to shop on the shady side of the Internet cloud, you could pick up a botnet for cheap. But it was so much work to log in to IRC and pay with egold that a busy cybercriminal just couldn’t be bothered.
That’s not a problem anymore, thanks to Robopak. Applying the latest cloud provisioning and marketing analytics technologies, they’ve created an entirely new type of cloud service, Exploits as a Service, or EaaS. Robopak’s EaaS lets you pay as little as $30 per day to access Java, PDF, and IE exploits and roll them out to build your cybercrime empire with elastic capacity.
More seriously, this shows how easy it is to take IaaS cloud technologies and use them to quickly roll out multitenant versions of just about any app you can think of. PaaS-like payment APIs help to make it easier to get paid too.
I’m particularly impressed with how Robopak uses metrics similar to what you’d find on a marketing campaign to track effectiveness and show that you’re getting your hacker-dollar’s worth. How long before this gets build into Google Analytics?
The increase in threats lately is worrisome, especially given this past week’s Epsilon breach (http://www.washingtonpost.com/blogs/faster-forward/post/epsilon-mail-marketing-firm-exposes-millions-of-names-addresses/2011/04/04/AFEPbabC_blog.html) that put 100 million email addresses in the hands of spammers sending malware.
My personal machine is relatively locked down and I follow best practices like using SSH with a proxy, virtual machines, keeping my Trend Micro Titanium software up to date, and not falling for lame phishing attempts. Even though I work at Trend Micro, I have no problem using software from whichever security vendor has the highest detection rate…which is why I choose to use our stuff.
The problem is that my wife has my passwords for a few finance sites (she needs them so she can give me my allowance…) and I am genuinely concerned that she’ll fall for a scam. Her machine is up to date on all the latest security software, but human error is always a factor.
I’ve got to think that if I’m concerned about this, the average consumer is either a) oblivious or b) ready to turn off their online banking.
If we don’t do more to track down cloud-based threats, we are going to see a significant reduction in people’s willingness to conduct financial transactions online. In a world like that, the winners are large sites like Amazon.com and Best Buy, where people will assume their data is safe (despite the new breach), but the losers will be the tens of thousands of small businesses which make sales online every day.
[Ed. note: Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them. For very detailed information: