A blog posting by renowned security researcher Brian Krebs – warning that the elite of the coding world are being lured by carefully worded job adverts – has been confirmed.
Krebs’ assertion that the employment outlook for criminally-inclined programmers has never been so bright is spot on, but the lines between white and black hat coding are more blurred than most industry professionals might realise.
As I said last November when vendors started offering lucrative cash-for-bugs bounty schemes, there is a danger that a bidding war may develop – with cybercriminal gangs paying more than the software houses for the best bugs – since the criminals are the ones with the money.
Since then, a number of other security vendors have recognised this trend, and now Brian Krebs has confirmed the fact – which is fairly obvious when you think about it, as the cybercriminal organisations don’t have to pay taxes as legitimate companies do. This is what gives them the financial edge in luring the elite coders.
With malware coding now being allied with spear phishing and other advanced credential-stealing attack vectors, there is a danger that the cream of the coding industry may be attracted by ‘job adverts’ offering even bigger money.
The big question is whether the clever techniques in luring advanced coders into responding to what appear to be lucrative work-from-home job adverts will pay off in the longer term.
The problem facing the cybercriminals is that once the coding job applicant has reached the stage of talking to their potential employer – either face-to-face or, more likely, via a webcam interview – they will eventually have to reveal what the job entails.
Having said that, with the economy being in the state it is in, there will be a sizeable minority of coders who will just shrug their shoulders and sign up to the cybercriminal gang’s programming operations, reasoning that their chances of getting caught are minimal and that the rewards are excellent.
And they would be correct on both counts. Cybercriminal coders are a highly valued part of the black hat virtual corporation operations. They are so far removed from the sharp end of the frauds that they rarely appear on prosecutors’ radar.
My observations suggest that, until the coders-for-hire behind a cybercriminal operation like Zeus or SpyEye are brought to justice, the brain drain on the programming front between the legitimate software business and the black hat world will continue.
As Brian Krebs reports, with black hat coders being offered as much as $5,000 a month to code up injects to Zeus and SpyEye, it’s difficult to argue against the financial lures that cybercriminals now offer.