Embracing the enterprise computing ideas of outsourcing, online collaboration and software-as-a-service, criminal gangs are now offering each other what has been dubbed "crime-as-a-service".

Malicious programmers can be very good at creating Trojans such as Zeus and Clampi that penetrate users' systems, log keystrokes and hijack online banking sessions. But few have the mechanisms in place to send out the spam messages, run the botnets and hack the websites necessary to infect large numbers of PCs with these Trojans.

Similarly, few spammers have the skills to launder the money obtained from the hijacks, and money launderers are rarely skilled in software development. Now these different groups are bringing together their specialist skills through online collaboration hubs where they can sell their services to each other to create an entire criminal ecosystem.

Enterprises as well as their customers are being targeted by such gangs. Rodney Joffe, director of security advice centre the Conficker Working Group, says that in the US alone, one known gang is currently extracting an average of $200,000 from five to six enterprises each day using a version of Zeus bought from an online affiliate. A school in New York was recently targeted in a similar fashion and $4 million stolen from its bank accounts.

Defending against such an orchestrated attack is hard, with even up-to-date anti-virus (AV) software finding it difficult to spot the ever-mutating Trojans. Joffe recommends using at least two different kinds of AV software that employ heuristic functions rather than file signatures to spot Trojan-like behaviour.

Network monitoring tools can also spot suspicious activity online. However, even with the best monitoring software in place, infections are still possible - and even likely. CIOs should therefore look not just at prevention, but how they will quarantine and disinfect when the inevitable happens.

For a round-up of some of the latest figures on cyber crime, log in to our Members' Area to see our Data Feed.