Cybercrime-as-a-service: How the Custom Cybercrime Market Works

Father

In recent years, organizing a cyberattack has stopped requiring an understanding of malicious software and the design of security systems. The underground market offers services for any request: from a simple DDoS attack to complex campaigns using zero-day vulnerabilities. Read the Cyber Media article to learn how this sphere works.

In essence, Cybercrime-as-a-service is the reverse side of a trend that has already emerged in the legal IT market. The growing complexity of technology coupled with a shortage of qualified personnel creates a demand for specialized services. Companies are already used to the service model, which lets them avoid investing in their own infrastructure and hiring specialists on staff, and bring in outsourced teams instead. Cybercriminals do the same: instead of spending their resources on deploying C2 servers, developing or buying malware, searching for targets, etc., they prefer to pay for access to ready-made tools and immediately launch attacks.

Of course, all this would not be possible without the accompanying infrastructure. Underground trading platforms are located in a closed part of the Internet (the darknet), and settlements between the parties are carried out anonymously using cryptocurrency.

Artem Izbayenkov
Director of Cybersecurity Development at Edge2

The main audience of CaaS includes a wide variety of users with different levels of technical knowledge and motivation. Experienced hackers and cybercriminals can use them to expand their capabilities. Company competitors and business spies turn to CaaS to attack competitors in order to steal confidential information, ideas, customers, or even disrupt the work of competing companies. In addition, the CaaS model can be attractive for novice cybercriminals. Some services even provide simple interfaces and instructions to make the attack process more accessible for beginners. Hacktivists can use CaaS services for cyber-testing and attacks on web resources in order to draw attention to social or political issues.

Cybercrime-as-a-service directions

Currently, the shadow market offers services for any stage of a cyberattack: from finding suitable targets to directly infecting and intercepting valuable data.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

A typical CaaS platform includes very different tools. This is a store for malicious app designers. They are not built on a turnkey basis, but you can choose the necessary modules yourself and how they will work. For example, you can create a template and email text in the phishing constructor, or you can write your own message in the ransomware app and specify a bitcoin wallet, for example.

The main offers on the CaaS market can be grouped as follows:
  • Malware-as-a-service ("malware as a service"). This includes the development, distribution, and support of malicious programs: ransomware encryptors, spyware Trojans, and so on.
  • Ransomware-as-a-service ("ransomware as a service"). This model deserves a separate mention, because it is how many people first learned about CaaS. With the proliferation of encryptors, web platforms have emerged that allow you to configure ransomware programs, set ransom amounts, and remotely manage campaigns.
  • DDoS-as-a-Service ("DDoS attack as a service"). DDoS services provide access to botnets that can be used to launch such attacks on demand.

Evgeny Tsarev
Managing Director of RTM Group, expert in cybersecurity and IT law

A conditional schoolchild can organize a criminal business, for example, on DDoS attacks, take $200 in cryptocurrency for a day of attacking some online stores. Of course, there is not only this category, but also those who are professionally engaged in the implementation of attacks and subsequent actions. If it is necessary to involve "social engineers", then, accordingly, another direction is involved. That is, the principle of division of labor works very clearly in groups, and everyone improves their skills in their own sector.
  • Exploit-as-a-service ("exploit as a service"). Cybercriminals provide access to zero-day vulnerabilities or automated tools that allow them to exploit known vulnerabilities in software or systems.
  • Infrastructure-as-a-service ("infrastructure as a service"). These services provide access to servers and previously hacked networks that are combined into a botnet to launch DDoS attacks, send spam or malware.
  • Hacker-as-a-service ("hacker as a service"). Experienced cybercriminals are hired to break into targeted networks, steal data, or sabotage information systems.
  • Phishing-as-a-service ("phishing as a service"). Cybercriminals offer an online interface that allows even non-experts to create and manage phishing campaigns. These services usually provide ready-made phishing templates, hosting services for phishing sites, and tools for collecting victim data.
  • Vulnerability-discovery-as-a-service ("vulnerability detection as a service"). This area is the search for vulnerabilities in the infrastructure for malicious purposes. Vulnerability detection tools are used to identify potential gaps in the organization's security perimeter.
  • Exploit-delivery-as-a-service. A separate group of services is aimed at delivering the exploit to target systems. To do this, attackers offer a complex of botnets, traffic redirection tools, and hosting services in jurisdictions where the authorities overlook malicious activity.
  • Attack-as-a-service ("attack as a service"). This area includes services for implementing the main task of the organizer of a cyber attack, whether it is stealing confidential information, disrupting the operation of the target network, introducing ransomware or DDoS.

In addition to the main areas, the CaaS market has support services that open up additional opportunities for communication between criminals, monetization of campaigns, and marketing activities. Some services help malware developers find customers, others provide a platform for sharing experience and communication, and others are cryptocurrency exchanges, platforms for laundering and withdrawing criminal funds.

Evgeny Tsarev
Managing Director of RTM Group, expert in cybersecurity and IT law

As for the declarations that the tools are provided "turnkey", yes, there is such a thing. But the reality is somewhat different, any tool costs money, and very significant ones, and popular platforms are not so technologically cool and ineffective. Tools with high performance don't get into the public domain. They are bought and used by guys for whom $1 million is not money. And with large budgets, groups have their own development, support, and laundering teams — these are full-fledged companies, so to speak, only criminal ones. These guys don't want to develop platforms, they play big.

How to protect your company from CaaS


Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

I wouldn't talk about any special measures. CaaS platforms create threats based on already known types of attacks, so if your organization is ready to fend off hackers, it generally doesn't matter where they got their attack tools. However, this is a threat to home users whose networks are not so secure. And given how many people work from home, this could be an ideal way for hackers to gain access to corporate networks.

Experts recommend using a set of measures: some are aimed at preventing incidents, others at deterring intruders after an incident. Penetration testing of applications, networks, and endpoints will help eliminate vulnerabilities before cybercriminals can take advantage of them. You should also think through a business continuity plan in advance so that an incident doesn't lead to the shutdown of business units, or even the entire company. It is very important to invest in staff cyber literacy: the vast majority of data leaks start with an employee error.

The development of Cybercrime-as-a-service is one of the most worrying trends in today's cybercrime arena. And while "traditional" groups often bypass the RU space, anyone can use CaaS platforms. Therefore, experts interviewed by Cyber Media agree that Russian companies should pay close attention to these risks.