The cybercrime underground black market is doing big business these days, with its Cybercrime-as-a-Service (CaaS) delivery model driving the global impact and scope of criminal activities in the digital world. The disturbing trend is rising as crime syndicates adopt the service model to enhance profitability in a market fueled by the consumerization of crimeware. Everyone from government agencies to seasoned criminals is renting hacking services that are made available even to the technically untrained.
Cybercrime has emerged as a disturbing side-effect of otherwise well-appreciated and profitable technology trends such as cloud computing, BYOD and social networking, which provide hackers with access to confidential business and consumer information. And with several attack avenues available, hackers are now able to offer rentable cybercrime services customized to fulfil each customer’s individual criminal intent.
Cybercrime as a Service can be divided into four major categories according to a recent McAfee report:
Research as a Service
This service offers information about previously discovered vulnerabilities within targeted systems (zero-day exploits). Hackers who identify new zero-day exploits sell the information on underground black markets for monetary compensation or publicity instead of reporting the issues to the manufacturers concerned.
Willing buyers are mostly hackers planning to use zero-day exploits in their own hacking campaigns. However, these services are not entirely illegal, as the cybercrime marketplace openly advertises to government agencies willing to leverage the information for positive outcomes.
Nevertheless, most customers use these services for malicious purposes, and they do so most effectively when accurate information about the targets is available. Buyers willing to conduct spearphishing and social engineering campaigns can acquire an email list of specific groups or individuals for a few hundred dollars. For example, 10 million email addresses of Florida residents cost less than $900 and 700,000 email addresses of U.S.-based doctors cost less than $150. Services include access to back-end infrastructure for distributing spam emails.
Crimeware as a Service
Along with the identification of exploits, a variety of hacking tools are available under this service tier to support different aspects of cyber-attacks. For example, customers can purchase bots and keyloggers for attacking purposes as well as cryptographic protection mechanisms for hiding from security defenses and cyber-police.
The service is best suited for cybercriminals lacking the high-end technical expertise necessary for developing malware that exploits specific vulnerabilities. This particular service model is not new, as cybercriminals have always purchased standard malware on demand, such as Trojan horses and ransomware – the Zotob virus is one example from 2005, when affected companies lost nearly $100,000. These days, the popular CritX tool, capable of causing significant damage, is available to rent for $150 per day.
Among other malware variants for sale are rootkits (malware concealed within legitimate files), spammer tools such as XRumer, and ransomware. The available malware is also tested against antivirus programs to determine the effectiveness of the products sold under different attack situations and to guarantee high returns on crimeware investments.
Infrastructure as a Service
With this service tier, infrastructure-level services are available for supporting entire hacking operations such as DDoS attacks and spearphishing. While individual hackers can develop exploits and malware themselves, delivering attacks to intended victims requires a network of computers or infrastructure for hosting the malicious content.
Global cybercrime rings operating in the marketplace have access to botnets that can be used for propagating malware, launching DDoS attacks and sending spam to targeted systems.
However, infrastructure alone is not sufficient for supporting sophisticated cybercrime practices such as unsolicited email spam campaigns, which require specific email ID lists as well as systems in place to continue attacks for long periods. Unless customers have all the tools available, they will have to seek Research-as-a-Service and malware hosting services to carry out attacks, all of which makes it a complex task altogether.
Hacking as a Service
This is the most expensive but the easiest approach for conducting cybercrime. Professional cybercriminals are hired to oversee the entire cybercrime campaign. The service is particularly well-suited for customers with minimal technical expertise, such as government agencies involved in state-sponsored attacks, activists defacing websites to get their messages across, and businesses bringing down their competitors with DDoS attacks.
Commonly used services include retrieving login credentials and launching DDoS attacks. The latter seems sophisticated – as the media tells us – but professional DDoS services are available for as low as $2 per hour and credit card information is available for as low as $15.
Saving the Sinking Ship
The McAfee research portrays a grim picture of the cybercrime underground black market. Turning the tide against the issue depends on effective global participation of governments and businesses in fighting cybercrime and cracking down on the criminals responsible for providing hacking services. Law enforcement agencies will have to attack the Achilles heel of the cybercrime underground: drying up the cash flow that funds black-hat hackers.
The marketplace is growing faster than the rate at which cyber-police are arresting cybercriminals. While the cybercrime industry continues to operate globally, business organizations at the receiving end of cyber-attacks can greatly reduce the threats by employing highly-layered security strategies to proactively prevent successful intrusions. Deploying sophisticated security solutions, training employees, enforcing aggressive security policies, performing regular assessments of the organization’s security situation and working closely with security experts are necessary for fighting cybercrime and containing this epidemic permanently.