The recent white paper, “Cybercrime Exposed,” released by McAfee and written by its CTO Raj Samani and senior threat engineer François Paget, explores the increasingly service-based model of online crime, which is cutting a lot of time out of the equation for people who want to get involved in a world that can net big profits for those willing to take the risk.
Four types of services are highlighted in the study: research, crimeware, infrastructure and hacking. Operating together, they form a familiar kind of business market.
Research-as-a-service often involves connecting buyer and seller for things like zero-day vulnerabilities. In some cases, in fact, that may mean arranging a business to sell the flaw to a government entity.
"As this particular [middleman] industry is not illegal, there is no shortage of available middlemen advertising their services on very public forums such as Twitter, among others," Samani and Paget wrote in the report, explaining such a service is "gray" in terms of its legality.
Crimeware-as-a-service is clearer. It involves selling exploits and tools for hacking. Once those mechanisms are in place, infrastructure-as-a-service helps these buyers deliver attacks, such as distributed denial-of-service incursions, spam and malware, to victims.
And for those who don't want to get their hands dirty, hacking-as-a-service provides the kitchen sink, enabling someone to outsource an entire malicious project to an individual or group. It requires the least amount of technical prowess from the funder, but is typically the most costly option.
Legal or illegal, services are about the almighty dollar, and the McAfee study highlights one middleman who facilitated a $250,000 deal for a zero-day Apple iOS exploit. Zero-day Google Chrome or Internet Explorer exploits netted hundreds of thousands too, and each time the middleman pocketed 15 percent.
Additional services that fetch an easy buck include the sale of email databases to spammers for $100 to $1,000 – some including more than a million addresses. One post for a relay server for 30 million emails asked for $14,000.
It is interesting to note the manner in which these services are listed online. Several of the postings are advertisements for some legal or seemingly legitimate service, and require some reading between the lines.
Authorities are constantly trying to keep up with this growing market, and some have gone so far as to surreptitiously set up and monitor website forums where cyber crooks are known to congregate.
That is precisely how in 2012 the FBI made one of its largest "carding" busts – crimes in which the internet is used to traffic and exploit an individual's credit card and banking information. Two dozen people across 13 countries were arrested and charged with selling malware, using hacking tools to raid financial databases and selling hijacked credit card numbers. The FBI announced it saved more than $205 million in fraud losses as a result of the bust.
In a March blog, RSA's head of cyber intelligence, Idan Aharoni, explained how professionalized and commercialized the cyber crime services market has become.
“Cyber criminals need to protect their assets just as any legitimate organization would,” he wrote. “We've recently discovered a new underground service by a Russian fraudster in which he offers to audit the PHP code of credit card stores and other scripts – making sure the vendors' stores are secure from hacking attempts.”
The experts at McAfee have been fairly close-lipped regarding the recent release of the white paper, a spokesperson said, explaining they are awaiting the release of more information soon before issuing comments.