Cybercrime has evolved over the years. Many cybercriminals have, in fact, become highly organized, essentially turning their enterprises into full-fledged businesses.
What Is Cybercrime-as-a-Service?
Cybercrime-as-a-service (CaaS) is essentially a criminal application of the “as-a-service” business model to online attacks. With it, even cybercriminal newbies can instantly obtain the resources they need to launch an attack.
CaaS offerings include malware, botnets, hacking specialists, databases of stolen personal information, penetration testing of potential targets’ networks, open-source research, and a whole lot more.
What Services Are Available Via the Cybercrime-as-a-Service Model?
Four basic service types can be had through the CaaS model, namely:
- Data gathering on victims through legal or illegal means
- Reselling stolen personal data or email addresses
- Identifying and selling zero-day vulnerabilities
- Malware hosting on secure networks
- Leasing of established botnets for distributed denial-of-service (DDoS) attacks
- Cloud hosting for operations
- Leasing sophisticated exploits and other malware
- Designing and delivering customized solutions
- Tutorials for defeating advanced cybersecurity defenses
- Developing malware for niche markets
- Outsourcing a complete cyber attack
- Providing technical support for cybercriminal activities
- Feeding stolen data into a robust infrastructure
- Tutorials for technical expertise required by attacks
- Selling ransomware for use in attacks
- Tutorials on using various ransomware variants
- Leasing ransomware operation infrastructure
- Providing access to command-and-control (C&C) servers
- Providing spyware and other malware for phishing attacks
- Tutorials on running phishing attacks
- Leasing botnets to distribute phishing emails
- Selling premade phishing forms and pages
What Other Terms Are Associated with Cybercrime-as-a-Service?
CaaS is also known by other names that include “attack-as-a-service,” “malware-as-a-service,” and “fraud-as-a-service.”
Why Is Cybercrime-as-a-Service Gaining Traction?
In the past, cybercriminals needed to know how to code before they could launch an attack. They needed to set up their infrastructure, including setting up a botnet, to distribute as many spam and phishing emails as possible. That, of course, requires breaking into tons of computers using a piece of malware and turning them into bots or zombies. Only after that can they proceed to the attack itself.
These days, aspiring cybercriminals no longer need coding know-how nor experience. They can just go to the Dark Web and purchase the tools they need. Cybercrime experts even offer tutorials on using the tools they sell.
Probably the best-selling CaaS offerings are databases containing stolen personal data. Stolen information is typically sold in bulk. But some stolen credit card accounts are priced based on their available balance. If a credit card has US$2,023 left, it gets sold for around 10% of the remaining balance.
Another popular CaaS offering is tutorials for cybercrimes that range from phishing to launching a sophisticated targeted attack.
Why Should Companies Be Wary of Cybercrime-as-a-Service-Enabled Attacks?
Any individual or company should be wary of cybercrime, as 60 million Americans alone have succumbed to identity theft throughout time. An organization that gets breached can lose as much as US$3.92 million. Almost 60% of enterprises believe they are at risk of compromise. And if that is not scary enough, former Federal Bureau of Investigation (FBI) director Robert S. Mueller III said, “There are only two types of companies—those that have been hacked and those that will be hacked.”
CaaS is a powerful and dangerous cybercrime enabler, making it a truly global threat. That said, potential victims should respond in a collaborative and coordinated manner if they wish to succeed. The world needs better cybercrime laws that should be implemented strictly. Stakeholders must work together to investigate threats as best they could. Governments and law enforcement agencies must share intel and know-how, especially since cybercrime often transcends boundaries and jurisdictions.