Lucrative business: cybercrime-as-a-service

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

With news of the struggling high street becoming a regular occurrence, it is not surprising that increasingly small businesses are seeking opportunities online.

However legitimate SMEs are not alone in realising the benefits of the internet for business success. Cybercriminals are business owners in their own right, operating on a highly professional level. What’s more, many are relying on the vulnerabilities of small business websites to run their illegal trade.

With the rise of cloud computing, small business owners are not just selling their goods and products online, but are increasingly selling their online services – giving rise to a number of “as-a-service’ businesses. While legitimate companies offer services such as “software-as-a-service’, “infrastructure-as-a-service’ and “platform-as-a-service’, this trend has fed down into illegal cyber trades. The accessibility of these illegal cyber trades however is of significant concern. With millions of email addresses available on commercial auction sites, to simple online searches providing access to DDOS services.

Crimeware-as-a-service
Many people wouldn’t know where to start when it comes to hacking a computer, but worryingly there are cybercriminals out there making a successful business out of selling the tools required to carry out an attack.

This ranges from selling developed code that enables amateur hackers to gain access to websites, to receiving payment for checking illegal files against a range of security software and revealing which security protection is vulnerable to an attack. These illicit business owners even offer translation services, so that criminals can scam victims in foreign countries.

Research-as-a-service
For those who have the tools needed to launch an attack, but wish to know when is the right time to act, criminals offer services that alert hackers as soon as a computer application becomes vulnerable to an attack. This is called the zero-day vulnerability window.

Research-as-a-service also includes the sale of huge lists of email addresses that can be filtered based on geographic region, or even profession.

Infrastructure-as-a-service
While the above three services make their money from selling their criminal skills, there is also a market for the rental of the equipment necessary for an attack. This can involve renting out a whole network of infected computers. Known as a botnet, these networks can be used for a number of services, such as sending spam, launching DoS attacks and distributing malware.

This also extends to the rental of platforms that enable attacks, such as mail relays that facilitate the sending of unsolicited email. What’s more, with some of these services there is even a helpful customer service chat window to help the would-be criminal with a technical questions they may have in carrying out their attack.

Hacking-as-a-service
For criminals who wish to carry out a malicious attack on a website, or an identity theft, but lack the IT skills to do so, there are people out there who will simply hack a computer for them if the price is right. Offering hacking-as-a-service, these cyber criminals facilitate outsourced cyber attacks, stealing sensitive data such as bank credentials, credit card data, and login details in exchange for cash.

Cybercrime promoters
Any small business owner can testify to the difficulty of getting noticed on the internet, and even a business that deals in the criminal underworld needs to gain customer awareness. Yet despite the obvious barriers, these illegal traders have built an entire ecosystem that relies on cybercrime to make a living – so how do they advertise their services?

These cybercrime traders are brazenly promoting their illegal services on open platforms – in particular the legitimate websites of SMEs. Whether offering customers the opportunity to review products, comment on articles, or discuss and share their ideas, live forums are a common feature on many websites, but the problem is that they are largely unmonitored by small business owners.

As such, cybercriminals have sensed an opportunity and not only are they stealing sensitive data from SMEs that do not protect themselves effectively, they are also relying on unrestricted SME websites to advertise their illegal services.

And this goes beyond open forums, as many small business owners that operate market places or open ecommerce sites are unaware that these illegal services are being sold and traded directly from their legitimate website.

This solves the problem of customer awareness for cybercrime traders, as a quick Google search of the relevant illegal services will take them straight to a post on the small business website. However this is obviously bad news for small business owners. While they believe they are running an honest online business, unbeknownst to them, they are facilitating an underground side-operation from their own company.

Genuine potential customers will be unaware that these posts are not supported by the website owners themselves and, after stumbling across these illicit adverts, are likely to lose trust in the company and take their custom elsewhere.

Black market, big money
Not only can such schemes lose SMEs money, but while small business owners are struggling to deal with the costs of running a legitimate business, cybercriminals are making a lucrative trade off the back off them – and in many cases making more money than the SMEs themselves.

The whitepaper uncovered a number of well-paid deals, such as the sale of email addresses for whole regions for as much as £570, while crimeware-as-a-service tools can be rented out for $150 a day and credit card details with a good balance can be sold at £65 a card. But it is vulnerabilities that can rake in the real money for these underground tradesmen and an Apple iOS exploit was recently sold for over £160,000.

Gaining customer loyalty and competing with well-known trusted brands when running a business online is a challenge in itself for small business owners, so it is essential that they don’t get a reputation as a cybercrime facilitator. As such, it is important for small business owners to invest in the right level of protection so that it is not their own customers’ details that are traded online. Moreover SMEs need to make a habit of regularly checking their open forums and comment sections for these dodgy deals.

Cybercrime businesses feed off the vulnerability of others, so creating an atmosphere of alertness and security in the workplace will help to defeat them and their criminal-minded customers.