When the United States Secret Service started to focus on cybercrimes nearly two decades ago, the market for this kind of electronic malfeasance was not nearly as large or as organized as it would quickly become, according to William Noonan, deputy special agent in charge for the Criminal Investigative Division of Cyber Operations at the U.S. Secret Service.
Now, just like in other more established arenas of crime, it's not just the sophisticated, knowledgeable and well-financed hackers and cybercriminal organizations that law enforcers like Noonan's team need to worry about, it's also the plethora of small-time or wannabe hackers or online fraudsters who are being supplied and supported by the more savvy perpetrators of internet threats.
“We have become successful developing criminal cases against elite cybercriminals by understanding how they communicate and do business with each other,” Noonan says. “We have learned a lot about this criminal underground…and there's a big distinction between the more widely used underground and the smaller communities of [more skilled] criminals.”
Steve Durbin, managing director, Information Security Forum
Ryan Kalember, SVP of cybersecurity strategy, Proofpoint
Loucif Kharouni, senior threat researcher, Damballa
Sean Mason, director of threat management, Cisco
William Noonan, deputy special agent in charge, Criminal Investigative Division of Cyber Operations, U.S. Secret Service
Raj Samani, VP and CTO, Intel Security
By all accounts, cybercrime-as-a-service has become very prevalent and quite lucrative for the individuals and groups that offer their (mal)wares, thereby extending their black-hat hacking to a much broader arena. Through the dark web or other underground circles, cybercriminals (including nation-states), Eastern European crime rings and long-time hackers are selling everything necessary to perpetrate a cyberattack or broad-based fraud. These nefarious goods include malware (sometimes customized) and exploit kits to bulletproof hosting or the ill-gotten use of compromised computers through botnets to ‘customer service' and support to aid black hat newbies through their online schemes. If hacking and fraud is the illegal side of the internet gold rush, then these cybercrime-service purveyors aim to be the Levi Strauss – outfitting the more illicit online miners with everything they might need to conduct a breach.
With the continued rise and maturation of cybercrime-as-a-service, businesses are seeing more and more attacks – and many of those which previously would be nothing more than a nuisance now carry the weight of escalating at any given moment to something more severe, according to Sean Mason, director of threat management for Cisco. For example, he says buying access into a business through the use of a successfully installed backdoor could allow criminals to blackmail a business, as they may now have access to either destroy or leak data.
“While we generally hear about the smaller dollar amounts to unlock an individual computer, ransoms exceeding one million dollars are not uncommon when blackmailing a large company,” Mason says.
These cybercrime services mirror their legitimate counterparts – cloud, infrastructure and software services vendors – bringing greater operational efficiencies and deeper or more advanced skills sets to users who would not otherwise be able to perpetrate these crimes, or do so as well or on as large a scale. Raj Samani, vice president and chief technology officer at Intel Security, started to see the trend of cybercrime-as-a-service taking off more than three years ago and published a paper on it, titled “Cybercrime Exposed.”
“We began to see broader attacks…and cybercriminals hiring programmers to take advantage of [potential zero days],” Samani says. While it was not unusual for hackers to work together on exploits, what Samani was seeing also included “products and tools and services for sale that could aid anyone.”
Like any good business idea, cybercrime-as-a-service was meeting a need in the market, “appealing to the thousands of would-be cybercriminals who need to rely on someone else,” according to Loucif Kharouni (left), senior threat researcher at Damballa. He experienced the demand for cybercrime-as-a-service first-hand last November when a man in Thailand described as a “wannabe cybercriminal” confused Damballa, which was doing research on Pony Loader, as the company marketing the malware and contacted the company looking to buy and install it. Kharouni did some digging and discovered the prospective “customer” was a scam artist who, as he blogged later, “doesn't strike us as someone who has the technical knowledge to use and install crimeware
While there is virtually no data on how much cybercrime is done using such service providers, industry observers like Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, believe cybercrime-as-a-service could easily be playing a role in “north of 90 percent of the online breaches that are out there.”
And organized groups, like the one that was purveying the pernicious Dridex banking malware, aim to be the Salesforce.com of the hacking community, Kalember says. And they're getting better at what they do, Kalember says, offering easy-to-understand and tiered pricing, discounts and other perks to their customers. “Cybercrime services are enabling these [criminals] to reach a scale that is hard to reach on their own,” he adds. “It's like being an individual retailer versus being eBay.”
A look at the market
Cybercrime-as-a-service, for its purveyors, is about efficiency and scale. It is a way for more sophisticated hackers and organized crime rings to squeeze more money out of an exploit they may have already used themselves, or earn revenues by reselling “products and services” (i.e., malware, botnets and knowledge). Noonan says that while, historically, savvy hackers are working in private or with other individuals or groups they know well, the ever-growing expansion of the dark web has given rise to “highly vetted forums which are very difficult to law enforcement to infiltrate.”
This is where the elite work and trade in zero days or one criminal goes to find another cybercriminal who can help them develop or customize an exploit, Noonan says.
The majority of top-tier cybercriminals are typically operating out of Eastern Europe – Ukraine, Estonia, Lithuania, Romania and Bulgaria – and using Russian as their primary language. Plus, there are a lot of scams in the more public forums, with service providers selling exploits that have already been burned, for example.
But, increasingly, Noonan says he is seeing an escalation of cybercriminals working together and reselling their wares to other crooks that they know and have been vetted (think of the talented gang of thieves from Ocean's Eleven, who all knew each other by reputation). Indeed, according to a 2014 report from McAfee, the former Soviet Union has become a breeding ground for cybercrime-as-a-service, with more than two dozen organizations in Eastern Europe that have as much expertise as a nation-state and offer exploit kits to online buyers for as little as a few hundred dollars.
Zohar Alon, who formerly worked in Israeli air force intelligence and is now CEO and co-founder of Dome9 Security, says that he has seen a lot of cybercrime marketplace activity in areas of the world where compliance and cybersecurity is loosely or rarely enforced. “Criminal activities that are organized like a fast-growing Silicon Valley startup and operate in environments where they are hiring cybersoldiers are considered almost legitimate,” he says.
“Some of these illicit sites look like legitimate web stores…some will tell you exactly how to use their exploits and others will offer money laundering services [or other services],” Noonan says. “Some of these criminals are like wedding planners, handling every aspect. There's a high degree of sophistication here.”
The market is not just sophisticated but broad, according to Samani (left), who says that as with many underground marketplaces, cybercrime-as-a-service can offer prospective buyers just about any service or product they could want. “There is so much available,” says Samani, explaining that buyers can purchase any kind of exploit or malware, or customized variants, or stolen financial, medical or personal information from any country, or other kinds of data offered in a variety of ways. “It's really accessible and you are given every option you might want,” he says.
And, for the experienced hacker or crime ring looking to multiply earnings on a successful exploit, offering cybercrime services moves them one more layer away from committing an actual crime – and from getting caught. “They get to be the arms dealer rather than the one who is firing the weapon,” Proofpoint's Kalember says.
Kharouni at Damballa says it is hard to determine how much cybercriminals are making on these services, but, based on what he has seen in the market, a “good tool” can sell for $5,000 or more. He has heard anecdotally that customized versions of the Zeus trojan could sell for $10,000 for one copy. “It really depends on how well-known and widespread the exploit is,” he says. “But we know that they are making a lot of profit as so many newcomers want them to provide more services. It's a growing trend.”
Intel's Samani agrees that cybercrime-as-a-service is getting wider and broader and more accessible. “It is now behind the majority of [online] attacks. And it will continue to grow in strength,” he says.
Limiting the exposure
What can organizations do in the face of this new threat from a more pervasive, well-outfitted and well-supported crop of would-be hackers and emerging cybercrime rings? Kharouni says the main goal, as with good online security in general, is to make sure that the company or agency has good network security in place, as well as a flexible risk plan that takes into account the growing plethora of potential attacks. “You want to be thinking about industry standards and practices,” Kharouni says, adding that employee education continues to be a high priority – especially since many popular scams and exploits still rely largely on human error (i.e., spearphishing scams).
Organizations could be more proactive in their efforts to stay a step ahead of cybercrime trends too, according to Samani. Rather than just monitoring attacks as they happen, he recommends assigning security staff or even online marketing personnel to listen in for online chatter – specifically about their organization or industry peers. “Many times you will hear that your organization has already been pwned, or that there are individuals after you,” he says. He also suggests the long-popular use of “honey pots” to weed out less-savvy hackers.
However, sometimes there is no preventing an attack when it is coming from so many fronts, and companies and agencies need to anticipate that, to a certain degree, being breached is not so much a question of if but when.
Steve Durbin (left), managing director of the Information Security Forum, says that cyber resilience anticipates a degree of uncertainty. “It's difficult to undertake completely comprehensive risk assessments about participation in cyberspace,” he says. “Cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inescapable attack.”
By adopting a realistic, broad-based, collaborative approach to cybersecurity and resilience, Durbin says that government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately. Durbin recommends that organizations establish a crisis management plan, which should include a formal cyber resilience team. This team, made up of experienced security professionals – including employees, investors and customers – should, he says, become “the driving force behind cybersecurity initiatives by ensuring that necessary communication takes place between all relevant players, and making sure all facts are determined for each incident in order to put a comprehensive recovery plan in place.”
Noonan agrees that education is a critical part of the puzzle, and he admits that when it comes to combatting the growing challenge of cybercrime services even the U.S. Secret Service can't do it alone. To that end, his group not only works with other major federal and local domestic law enforcement, but also has partnerships around the globe with groups like Interpol, Europol and authorities in Russia, Ukraine, Estonia, Germany, the United Kingdom and several other countries. The Secret Service just opened a new office in Singapore.
“We see this as a serious threat,” Noonan says.