Home | News Alerts | DIY Cybercrime ‘Kits’ Lead to Phishing Outbreak

DIY Cybercrime ‘Kits’ Lead to Phishing Outbreak

Software produces e-mails that unleash malware

January 25, 2010

The proliferation of do-it-yourself cybercrime kits in the second half of 2009 led to a sharp increase in phishing scams during that time, USA Today reports.

“DIY” kits, sold for a few hundred dollars, include software used to send out batches of fake e-mails meant to resemble legitimate notices from companies like UPS, FedEx, Vonage, Facebook or Microsoft, or government alerts from government agencies like the IRS or officials warning about the H1N1 virus.

These messages are designed to trick the user into clicking on a Web link that unleashes a banking Trojan horse, a malicious program that infects a PC and steals financial account login information. Or the program could turn the computer into a “bot” that is directed to send out even more phishing e-mail.

Internet security experts say phishing campaigns followed a predictable pattern early in 2009. But by October, as the kits became cheaper to produce and marketed more aggressively, the infections shot upward. The number of unique banking Trojans intercepted by the Spanish security company Panda totaled 343,151 for the year, up 77 percent from 194,233 in 2008.

“If you know how to download music or a movie, you have the necessary experience to begin using one of these kits,” says Gunter Ollman, senior researcher at security firm Damballa.

Fred Touchette, senior researcher at e-mail security firm App River, said he expected the kits — and the attacks — to continue, according to USA Today. “DIY kits make it too easy to get your malware out there,” he said, “and it's so hard to stop.”

Such attacks serve as a reminder to change passwords often, update antivirus software on your computer, and be suspicious of unusual e-mails. Don’t open anything that purports to be from the IRS or your bank. If they want to reach you that badly, they’ll send a letter via regular mail or call. Though in any case, be wary of any contact in which the sender requests your credit card or bank account information, your Social Security number or passwords.