When the United States Secret Service started to focus on cybercrimes nearly two decades ago, the market for this kind of electronic malfeasance was not nearly as large or as organized as it would quickly become, according to William Noonan, deputy special agent in charge for the Criminal Investigative Division of Cyber Operations at the U.S. Secret Service.
Now, just like in other more established arenas of crime, it's not just the sophisticated, knowledgeable and well-financed hackers and cybercriminal organizations that law enforcers like Noonan's team need to worry about, it's also the plethora of small-time or wannabe hackers or online fraudsters who are being supplied and supported by the more savvy perpetrators of internet threats.
“We have become successful developing criminal cases against elite cybercriminals by understanding how they communicate and do business with each other,” Noonan says. “We have learned a lot about this criminal underground…and there's a big distinction between the more widely used underground and the smaller communities of [more skilled] criminals.”
Steve Durbin, managing director, Information Security Forum
Ryan Kalember, SVP of cybersecurity strategy, Proofpoint
Loucif Kharouni, senior threat researcher, Damballa
Sean Mason, director of threat management, Cisco
William Noonan, deputy special agent in charge, Criminal Investigative Division of Cyber Operations, U.S. Secret Service
Raj Samani, VP and CTO, Intel Security
By all accounts, cybercrime-as-a-service has become very prevalent and quite lucrative for the individuals and groups that offer their (mal)wares, thereby extending their black-hat hacking to a much broader arena. Through the dark web or other underground circles, cybercriminals (including nation-states), Eastern European crime rings and long-time hackers are selling everything necessary to perpetrate a cyberattack or broad-based fraud. These nefarious goods include malware (sometimes customized) and exploit kits to bulletproof hosting or the ill-gotten use of compromised computers through botnets to ‘customer service' and support to aid black hat newbies through their online schemes. If hacking and fraud is the illegal side of the internet gold rush, then these cybercrime-service purveyors aim to be the Levi Strauss – outfitting the more illicit online miners with everything they might need to conduct a breach.
With the continued rise and maturation of cybercrime-as-a-service, businesses are seeing more and more attacks – and many of those which previously would be nothing more than a nuisance now carry the weight of escalating at any given moment to something more severe, according to Sean Mason, director of threat management for Cisco. For example, he says buying access into a business through the use of a successfully installed backdoor could allow criminals to blackmail a business, as they may now have access to either destroy or leak data.
“While we generally hear about the smaller dollar amounts to unlock an individual computer, ransoms exceeding one million dollars are not uncommon when blackmailing a large company,” Mason says.
These cybercrime services mirror their legitimate counterparts – cloud, infrastructure and software services vendors – bringing greater operational efficiencies and deeper or more advanced skills sets to users who would not otherwise be able to perpetrate these crimes, or do so as well or on as large a scale. Raj Samani, vice president and chief technology officer at Intel Security, started to see the trend of cybercrime-as-a-service taking off more than three years ago and published a paper on it, titled “Cybercrime Exposed.”
“We began to see broader attacks…and cybercriminals hiring programmers to take advantage of [potential zero days],” Samani says. While it was not unusual for hackers to work together on exploits, what Samani was seeing also included “products and tools and services for sale that could aid anyone.”
Like any good business idea, cybercrime-as-a-service was meeting a need in the market, “appealing to the thousands of would-be cybercriminals who need to rely on someone else,” according to Loucif Kharouni (left), senior threat researcher at Damballa. He experienced the demand for cybercrime-as-a-service first-hand last November when a man in Thailand described as a “wannabe cybercriminal” confused Damballa, which was doing research on Pony Loader, as the company marketing the malware and contacted the company looking to buy and install it. Kharouni did some digging and discovered the prospective “customer” was a scam artist who, as he blogged later, “doesn't strike us as someone who has the technical knowledge to use and install crimeware
While there is virtually no data on how much cybercrime is done using such service providers, industry observers like Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, believe cybercrime-as-a-service could easily be playing a role in “north of 90 percent of the online breaches that are out there.”
And organized groups, like the one that was purveying the pernicious Dridex banking malware, aim to be the Salesforce.com of the hacking community, Kalember says. And they're getting better at what they do, Kalember says, offering easy-to-understand and tiered pricing, discounts and other perks to their customers. “Cybercrime services are enabling these [criminals] to reach a scale that is hard to reach on their own,” he adds. “It's like being an individual retailer versus being eBay.”