Cybercriminals, now at your service

For just a few thousand dollars, you can rent a hacking service to augment your pitiful coding skills and create your own cybercrime racket.

As criminal hacking syndicates grow to rival the complexity and profitability of legitimate corporations, it’s not surprising that more experienced hackers are again expanding the market by reselling their exploits to less experienced wannabe hackers or criminals looking to ply their trade online. Welcome to the latest twist on the hacker black market: cybercrime as a service.

CAAS differs from other black-market hacking services because it sells advanced hacking skills to less talented individuals and organizations, not unlike hiring a Web developer to build you a snazzier website than you could ever manage on your own. And not surprisingly, those eager to commit smarter cybercrimes are flocking to the concept like birds to seed.

Using the Dark Web as their marketplace, skilled cybercriminals—including nation-states, foreign crime rings, and sophisticated but unaffiliated hackers—are selling everything necessary to help nefarious newbies perpetrate a cyberattack or broad-based fraud, from custom malicious software and toolkits to take advantage of software flaws, to fraudulent website hosting, to ‘customer service’ support.

“What we’re seeing is typically financially motivated,” says Robert Novy, deputy assistant director of the Office of Investigations for the cyber branch of the U.S. Secret Service. “This has been a progression over a long period of time. ‘Malware as a service’ is very popular lately, and the risk is very low.”

Indeed, Novy says that while the Secret Service and other government agencies have been tracking the sale of malware “products” and services by Eastern European and other foreign hackers and online crime groups for years, business is picking up. A seller could use the Dark Web to resell a zero-day vulnerability, botnet, or piece of malware. A buyer could use it to get in on the ground floor of one of the fastest-growing and most profitable criminal enterprises—without even having to learn to code.

“The cybercrime industry is just that—an industry with a well-defined ecosystem, role specialization, and all the trappings of any other industry.” — Brian Fitzgerald, chief marketing officer, Veracode

Novy compares the use of the Dark Web to trade CAAS to Colombian drug lords’ product sales to Mexican cartels; they would increase their profits while limiting their own risk.

And according to Raj Samani, vice president and chief technology officer for Intel Security, who helped coin the term “cybercrime as a service” when he authored an Intel Security report about cybercrime in 2013, the market is only getting bigger.

“The reality is that the market for these services is literally anybody with a browser,” Samani says. “Yes, we have talked about these services on Tor, but the truth is that there is a lot of stolen data available on the Surface Web.”

As Brian Fitzgerald, chief marketing officer for Veracode, points out, “The cybercrime industry is just that—an industry with a well-defined ecosystem, role specialization, and all the trappings of any other industry.”

The range of malicious goodies for sale has expanded and become more specialized too. Novy says cybercrime vendors are often selling tailored exploits targeting particular industries, such as health care or payment processors, or even a specific bank or business. Specialties include malware, botnet, or data network access, or distributed denial-of-service or ransomware schemes. Malware kits selling for less than a hundred dollars may include customer support, upgrades, and online help, according to Fitzgerald.

“Cybercrime is a mature space, and there is unfortunately honor among thieves,” Fitzgerald says. “There are rating systems to judge the quality of malware tools, and these criminals collaborate and share information often better than the companies and nations they are targeting.”

For the average online user, or even the corporate IT professional, there is not much more to be done to combat this threat than the basic cybersecurity hygiene experts constantly espouse.

“Education is the No. 1 way to fight this,” Novy says. “People need to know there’s a threat, and know their vulnerabilities.” Although it has been around for years, spear-phishing remains a major attack vector for the uninitiated user who continues to open unknown attachments or respond to fraudulent emails, he adds.

Novy recommends that people improve their cyberhygiene by maintaining and regularly changing complex passwords, and using multifactor authentication. Fitzgerald adds, “For consumers, it’s watching the transactions on your account carefully, avoiding downloading content or files without trusting the source, and keeping devices current with operating system and software upgrades.”

For companies, Fitzgerald underscores the importance of writing “high-quality software that not going to get easily hacked using common attack methods,” as well as having strong user controls, minimizing the surface area of risk to defend by monitoring Web applications and network proliferation, and maintaining good internal detection and response.

At the end of the day, however, Samani points out that there is little more to do than to be careful and vigilant.

“We all entrust organizations to look after our data, no matter what we do personally. When they are compromised, it is data about you and [me] that eventually ends up on underground forums,” Samani says. “Best we can do is become more hard-nosed about what we share, and who with.”