Slashdot Mirror


SpyEye Botnet Nets Fraudster $3.2M In Six Months

wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."

8 of 99 comments

  1. the biggest problem here, personal responsibility by Anonymous Coward · Score: 2, Insightful

    Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.

    This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.

    If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.

    35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

  2. Re:the biggest problem here, personal responsibili by Beryllium Sphere(tm) · Score: 5, Insightful

    In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.

    I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run NoScript, of course, but don't expect anyone else to live with the problems it causes.

  3. Re:the biggest problem here, personal responsibili by Anonymous Coward · Score: 2, Interesting

    "Personal responsibility means taking reasonable steps to make sure you don't harm others"

    Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.

    So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.

  4. Re:the biggest problem here, personal responsibili by tqk · Score: 2

    "Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well."

    Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?

    Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to use the history window instead and can't understand why she shouldn't.

    A friend of mine was using Windows and got it infected. I built him a Linux box and showed him how to use it. Problem solved? No, because he kept going back to using his infected Windows box, wondering why his ISP cut him off every time he used it (because his ISP determined his machine was infected).

    I've seen just as stupid !@#$ from doctors and lawyers.

    What you want is for your politicians to write a law that forces all computer users to get a driver's license before being allowed on the net, and that isn't going to happen since the vast majority of politicians are lawyers who're just as stupid around computers as is my Mom. For most users out there, computing is still magic to them and I doubt that's going to change anytime soon. They see no need and are quite capable of blaming something/anything else for their ignorance.

    Besides, it'd be a lot simpler to force ISPs to police their users. They have the expertise and at least some are doing it already. What's wrong with the rest of them?

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.

  5. Re:the biggest problem here, personal responsibili by mpe · Score: 3, Interesting

    "A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."

    But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.

  6. Re:the biggest problem here, personal responsibili by Jah-Wren Ryel · Score: 2

    "I can blame the webmasters that insist on using Flash and mandatory JavaScript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that get abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them."

    +1 truth

    I'm sick and tired of people who defend the unnecessary use of things like JavaScript by putting all of the blame for the accompanying reduction in security on the user.

    The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.

    --
    When information is power, privacy is freedom.

  7. Re:the biggest problem here, personal responsibili by Stiletto · Score: 2

    "A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."

    But running malware and trojans is not "using a computer in a reasonable manner".

    A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...

  8. Re:Your Bank Account is Locked by istartedi · Score: 2

    It's the same system that was designed when there were 1,000 computers on ARPANET.

    Sometime after that, Netscape decided that HTML would make mail look pretty. The rest is history.

    I remember being on some mailing list when this started. The admins put instructions to disable HTML in the FAQ, and admonished posters who had it enabled. Alas, the windmills won.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?