Story image

Combatting the rise of Cybercrime-as-a-Service

07 Nov 2018

Article by ESET senior research fellow Righard Zwienenberg

As cybercriminals have grown more sophisticated, hacking into systems can be as simple as downloading the right software from the dark web, then deploying it to the target.

Now, new developments in cybercrime mean that those with ambitions to create havoc online can do so with only the most rudimentary knowledge by taking advantage of Cybercrime-as-a-Service (CaaS). 

No longer the exclusive purview of criminals, cybercrime is now peddled freely on the surface web.

A simple internet search yields many results, which means amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. 

This becomes more worrisome in the digital age, when people are increasingly comfortable storing their personal data, such as credit card details and medical records, in the cloud.

Combined cloud computing, connected devices, and the Internet of Things (IoT) create a treasure trove of information and potential weak points that cybercriminals can exploit. 

The rewards for this illegal activity can be significant.

A recent study found that cybercrime can pay from tens of thousands of dollars to millions of dollars every year.

And one of the key ways cybercriminals can earn money is to sell tools that can be used to hack others. 

It’s long been known that the dark web houses various hacking tools for sale, along with user manuals that provide a step-by-step guide to help even the newest of ambitious criminals get up and running quickly.

Some of these CaaS providers even provide helpdesk services, further highlighting the level of organisation and professionalism in these communities. 

A complete set of tools for hacking Wi-Fi networks and stealing personal information costs as little as US$125; not a hefty price tag considering the potential damage it could do, and the rewards it could deliver for the cybercriminal.

As well as being cheap, cybercrime is relatively low-risk, especially when considering the potential for profit.

And it only takes a modicum of technical capability for cybercriminals to hide their tracks well enough to make capture an almost laughable concept. 

When it comes to getting caught, a loophole in most countries’ laws means hiring a hacker is not illegal.

In fact, many reputable businesses hire so-called ‘white hat’ hackers to test their cybersecurity defences and find potential loopholes so they can protect themselves more effectively. 

Internationally, there is not yet any unified law that can indict cybercriminals that commit transnational crime.

So, even if a cybercriminal is caught, the authorities may not be able to prosecute.

Furthermore, even in countries where cybercrime is prosecutable, something that’s illegal in one country might be perfectly legal in another, creating another legal grey area.

This contributes to the challenges in prosecuting cybercriminals who launch cross-border attacks. 

This means that victims of cybercrime have very little recourse under the law, so the best approach is to implement security measures that protect against successful attacks. 

These include installing security updates as soon as they become available, using complex passwords and multi-factor authentication, avoiding shared passwords across different accounts, and using antivirus tools with regular scans. 

It’s also essential to ensure all employees are well aware of the risk of phishing attacks, and know how to identify an attack, as well as what to do if they suspect they’re being targeted. 

As well as taking individual responsibility for cybersecurity, it’s important that other organisations recognise the role they can play in protecting end users, and act accordingly.

Internet service providers (ISPs) can employ machine learning tools to proactively identify suspicious activity and deal with it before it spreads through the network. 

Governments should also invest in cybersecurity talent.

With a greater talent pool, better cybersecurity measures can be developed.

Governments are already moving in this direction by implementing privacy legislation that requires businesses to take responsibility for protecting individuals’ information.

In Australia, the mandatory notifiable data breaches (NDB) scheme is already in full swing, while Europe’s General Data Protection Regulation (GDPR) has also taken effect.

Initiatives like these aim to create a safer online environment while making organisations responsible for the data they own and store. 

However, laws are only part of the equation.

It’s also important to have global, unified accords that help make cybercrime less risk-free and lucrative.

By working on ways to detect and prosecute cybercriminals, law enforcement agencies can reduce the significant risk posed by CaaS and other mainstream cybercrime tools. 

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.