E-crime crowd-sourcing

26/02/09

08:37:09 am, by Igor Drokov, in Strong authentication, Internet banking

The increasing number of online banking attacks, from phishing to trojans, has been largely driven by a high Return on Investment (ROI): buy a toolkit, rent a botnet and get access to a high number of compromised accounts. It is all about the Economy of Scale - a single piece of malware can infect millions of computers and attack hundreds of banks.

Malware technology has been evolving rapidly, yet it is a known fact that some tasks are still better done by humans than by a machine. Resolving CAPTCHAs is one of them, hence they are often used to circumvent automated mass-scale attacks (e.g. blog comment spam), hitting e-crime where it hurts - its ROI.

Unfortunately, these measures are no longer effective – E-crime crowd-sourcing has arrived! The screenshot on the left advertises "Easy money here!" and offers a job of "re-typing text from pictures". Required skills: "knowledge of English letters" and "medium proficiency in English keyboard layout". Paid for every correctly recognised picture, the site promises rates of up to 3 dollars/hour with daily payouts.

Wondering why anyone would need this? Have a look at this in-depth analysis of Koobface - the Facebook virus that needs to resolve CAPTCHAs in order to propagate itself.

"Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA resolvers, who work day and night ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent for the answer."

ThreatExpert Blog

Now, apply the same concept to the Man-in-the-Browser attack on online banking and it becomes Hu(Man)-in-the-Browser – a real-time Trojan+Human attack. These attacks, already seen in the wild, indicate a shift from the basic "spray and pray" approach to maximising the return value of each compromised account - a human can assess the account balance, overdraft limit and payment patterns (e.g. when your salary arrives) in a matter of seconds, allowing them to choose the optimal amount and time for the attack.

With the required technology infrastructure in place (Compromised Computer – Command & Control centre – Human Operator), it is only a matter of time before the virtual gold-digging sweatshops switch to a more lucrative revenue stream.