FaaS: Fraud as a Service

"The next sea change is upon us", wrote Bill Gates in an internal Microsoft memo in 2005, relating to the growing phenomenon of Internet-based software applications and services.

This memo paved the way to the latest buzz in the IT world - SaaS: Software as a Service. All the big guys are playing. Microsoft, Google, the major security companies – you name it.

Software-as-a-service provides a cost-effective alternative to traditional applications. Simply put, rather than buying software and installing it, the software is delivered to you as an online service.

We've recently spotted a trend which, in my mind, has no better name than FaaS: Fraud as a Service.

Traditionally, fraudsters wishing to use financial Trojans had to go through the same process enterprises go through when they buy software applications. You first have to buy the software – say, a Trojan kit. That's not a big deal; today these kits costs hundreds of dollars, and come with excellent documentation and customer support. The fraud forums frequently review new Trojans, so you can have an intelligent choice.

The next phase is finding a suitable server. You don't want to host the Trojan in a botnet – these are not very stable, and you need your Trojan drop zone and administration control to stay in one place for long. Some Trojans go undetected for months, or even years, in victim's computers – but if the server hosting your Trojan goes down, your investment in it goes down the drain. So you must hire a good, "bulletproof" hosting.

Then comes installation on the server, which may prove tricky to the less tech-savvy fraudsters. That's why good documentation and customer service are important.

What next? Oh, yes. Infection.

Today's fraud ecosystem includes fantastic infection services. They use various exploits, including zero-day vulnerabilities, and have all sorts of tricks to maximize exposure and traffic into the infection points. Lets not spend too much time discussing this phase; it's actually worth a separate blog entry.

But all of this may soon belong to the past.

Because buying the Trojan software, finding a steady server, installing the Trojan and keeping it up-to-date, and spreading it via infection points, is all very tedious.

And why do all this tedious work, when you can get fraud as a service?

Just have a peak at the RSA Online Fraud Report from April 2008 (http://www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_0408.pdf).

That's Fraud as a Service at its best.

And here's a prediction to conclude: by end 2009, we'll see at least 50% of Trojan attacks launched from FaaS platforms. It's going to become a mainstream deployment method and take malware distribution to the next level.