
Combatting the rise of Cybercrime-as-a-Service

07 Nov 2018

Article by ESET senior research fellow Righard Zwienenberg

As cybercriminals have grown more sophisticated, hacking into systems can be as simple as downloading the right software from the dark web, then deploying it to the target.

Now, new developments in cybercrime mean that those with ambitions to create havoc online can do so with only the most rudimentary knowledge by taking advantage of Cybercrime-as-a-Service (CaaS).  No longer the exclusive purview of criminals, cybercrime is now peddled freely on the surface web.

A simple internet search yields many results, which means amateur cybercriminals (or anyone with a grudge) can execute spam attacks, steal people’s identities, and more. This becomes more worrisome in the digital age, when people are increasingly comfortable storing their personal data, such as credit card details and medical records, in the cloud.

Combined, cloud computing, connected devices, and the Internet of Things (IoT) create a treasure trove of information and potential weak points that cybercriminals can exploit. The rewards for this illegal activity can be significant.

A recent study found that cybercrime can pay from tens of thousands of dollars to millions of dollars every year.

And one of the key ways cybercriminals can earn money is to sell tools that can be used to hack others.  It’s long been known that the dark web houses various hacking tools for sale, along with user manuals that provide a step-by-step guide to help even the newest of ambitious criminals get up and running quickly.

Some of these CaaS providers even provide helpdesk services, further highlighting the level of organisation and professionalism in these communities.  A complete set of tools for hacking Wi-Fi networks and stealing personal information costs as little as US$125; not a hefty price tag considering the potential damage it could do, and the rewards it could deliver for the cybercriminal. As well as being cheap, cybercrime is relatively low-risk, especially when considering the potential for profit.

And it only takes a modicum of technical capability for cybercriminals to hide their tracks well enough to make capture an almost laughable concept.  When it comes to getting caught, a loophole in most countries’ laws means hiring a hacker is not illegal.

In fact, many reputable businesses hire so-called ‘white hat’ hackers to test their cybersecurity defences and find potential loopholes so they can protect themselves more effectively.  Internationally, there is not yet any unified law that can indict cybercriminals that commit transnational crime.

So, even if a cybercriminal is caught, the authorities may not be able to prosecute.

Furthermore, even in countries where cybercrime is prosecutable, something that’s illegal in one country might be perfectly legal in another, creating another legal grey area.

This contributes to the challenges in prosecuting cybercriminals who launch cross-border attacks.

This means that victims of cybercrime have very little recourse under the law, so the best approach is to implement security measures that protect against successful attacks. These include installing security updates as soon as they become available, using complex passwords and multi-factor authentication, avoiding shared passwords across different accounts, and using antivirus tools with regular scans.

It’s also essential to ensure all employees are well aware of the risk of phishing attacks, and know how to identify an attack, as well as what to do if they suspect they’re being targeted.

As well as taking individual responsibility for cybersecurity, it’s important that other organisations recognise the role they can play in protecting end users, and act accordingly.

Internet service providers (ISPs) can employ machine learning tools to proactively identify suspicious activity and deal with it before it spreads through the network.  Governments should also invest in cybersecurity talent.

With a greater talent pool, better cybersecurity measures can be developed.

Governments are already moving in this direction by implementing privacy legislation that requires businesses to take responsibility for protecting individuals’ information.

In Australia, the mandatory notifiable data breaches (NDB) scheme is already in full swing, while Europe’s General Data Protection Regulation (GDPR) has also taken effect.

Initiatives like these aim to create a safer online environment while making organisations responsible for the data they own and store.  However, laws are only part of the equation.

It’s also important to have global, unified accords that help make cybercrime less risk-free and less lucrative.

By working on ways to detect and prosecute cybercriminals, law enforcement agencies can reduce the significant risk posed by CaaS and other mainstream cybercrime tools. 
