Cybercrime as a service poses new challenges for organisations

When most people think of the rise of services in the tech industry, they might think of subscription-based streaming music and video services or cloud storage with monthly fees attached. However, as contradictory as it might sound, the last several years has also seen the rise of cyber crime as a service — despite the fact that, for victims of these hacks, “service” is the last word that should be used to describe it.

As cybercrime has increased from just a few bad apples to a mature industry, a fully-fledged hacker economy has developed. Hackers offer everything from Distributed Denial of Service (DDoS) to ransomware extortions to the anyone with a few dollars to spare. And that poses a big problem that needs to be solved.

A growing (hidden) industry

Pinning down an exact value for illicit economies is always tough. However, there’s no doubting that the hacker economy is big business. According to one study, the cybercrime economy could be worth as much as $1.5 trillion annually, based on the money acquired, laundered, and reinvested by cybercriminals. The services on offer can range from the development of customized malware and kits for exploiting software vulnerabilities through fully orchestrated “hacker for hire” attacks intended to bring down entire systems.

Unfortunately, the barrier to entry for these hacks has lowered considerably, resulting in an underground sector that’s booming. Things have been aided along by the rise of cryptocurrencies and dark web online markets. These not only make it easy to enlist cybercriminals, but also to make and receive transactions below the radar of usual scrutiny.

The biggest threats

As noted, a wide range of different weapons and services are available. One of the biggest concerns for many is the threat of a DDoS attack. These attacks involve seizing control of unprotected computers, often Internet of Things (IoT) devices, and using them to bombard networks with requests: ultimately causing the overloaded systems to fail as a result.

Hackers who will write the necessary code, or carry out wholesale attacks, is increasing. In April 2018, a group of investigators in the United States, United Kingdom., and Holland removed the attack-for-hire service WebStresser. At that time, it boasted over 150,000 registered users. It had been used for launching over 4 million attacks during a period of three years.

Another type of attack that’s growing in popularity involves “Ransomware-as-a-Service” (RaaS). Ransomware attacks work by encrypting files or data on victims’ systems, and then holding targets to ransom in order to restore access. If they do not pay, they may lose valuable intellectual property and crucial business data.

Authors of RaaS platforms typically host ransomware code, which can then be deployed by “affiliates.” These platforms are often offered for free, with the author receiving their payment in the form of a profit-sharing model. As victims of the attack make their payments (something which is usually done via a cryptocurrency like Bitcoin), this is paid into an account held by the author. A portion is then passed along to the affiliate. In other instances, the platform is bought outright from an author.

The other popular cybercrime product on the market are exploit kits. These are not quite as widespread as DDoS and RaaS attacks due to the fact that they are harder to monetize — although that doesn’t mean that they have disappeared altogether. Exploit kits are often available for rent either on a daily, weekly, or monthly basis. They are typically used to infect victims with malware; sometimes capable of stealing information such as login details, contact lists, messages, or otherwise exploiting vulnerabilities with software security. As an alternative to malware, hackers can also initiate phishing scams such as spear-phishing emails, designed to trick unwitting users into surrendering valuable information.

Solving the problem

Authorities are increasingly aware of how criminals have taken to hacking as a new way to make money. But companies must not simply rely on this as a solution to the problem. Businesses must take proactive steps in making sure that they do not fall victim to these cybercrime-as-service attacks.

First and foremost, it is crucial to educate your workforce so that they do not make the problem worse with human error. Phishing emails, for instance, are easy to educate employees about so that they are less likely to be acted on if received. Companies must also choose the right security systems to deal with these threats. A good security system will monitor for suspicious activity and block threats such as ransomware or DDoS attacks before they can cause damage.

This is a fast moving field, and it’s important that people stay informed about the changes that are taking place. But they can also seek expertise from the good guys ready to counteract those who are looking to do harm.