As global cybercrime continues to generate huge revenues annually, Phil Muncaster investigates the rapidly developing role of the as-a-service model
They used to say “crime doesn’t pay.” Well, the new reality of global cybercrime is very different. A thriving underground economy of buyers and sellers, tech experts and novices has evolved over the past decade to the point where global cybercrime revenues today are estimated at anywhere between $600bn and $1.5tn per year.
Cybercrime is highly professional and organized, holding a dark mirror up to the ‘real world’. It’s also an economy that is, to an extent, fueled by the continued inadequacies of corporate and home security.
Over the past few years, the as-a-service model has both broadened and deepened the overall cybercrime threat, “productizing malware and making cybercrime as easy as shopping online,” according to Bromium CEO, Gregory Webb. Exactly what role does it play today, how is it evolving and what hope do we have of disrupting or mitigating the threat it poses to organizations?
“Instead of even attempting to learn everything, cyber-criminals specialize in smaller, more manageable skill-sets"
Democratizing the Threat Landscape
Experts aren’t yet agreed on the size of the underground cybercrime economy, which isn’t surprising when one considers that much of it operates on the dark web. A 2018 Center for Strategic International Studies (CSIS) report sponsored by McAfee claims a figure of $600bn (0.8% of global gross domestic product - GDP), up from $500bn in 2014 (0.7%). A recent Bromium report written by Michael McGuire, senior lecturer in criminality at the UK’s University of Surrey and titled The Web of Profit, points to a sum of more than double that: $1.5tn, which is equal to the GDP of Russia.
A separate study into the Cybercrime-as-a-Service (CaaS) phenomenon by MIT researchers cites figures claiming cybercrime generated revenues of $3tn in 2015 and further, is on track to hit a staggering $6tn by 2021.
What they can agree on is the fact that the as-a-service model has become an increasingly important component of the underground cybercrime economy, democratizing the means to launch attacks so that even those with few technical skills can grab themselves a piece of the pie. Europol’s 2017 Internet Organised Crime Threat Assessment (IOCTA) explains how, unlike any other type of criminality, cybercrime allows novices to “rub virtual shoulders” with veterans.
“Instead of even attempting to learn everything, cyber-criminals specialize in smaller, more manageable skill-sets,” the Europol report continues. “When they require something outside their own area of competency, they need only to find someone offering the appropriate tool or service in the digital underground.”
So what exactly is on offer as a service? According to that MIT report, Cybercrime-as-a-Service: Identifying Control Points to Disrupt, no part of the cybercrime value chain has been left untouched. That means everything from vulnerability discovery and exploit development, to deception and obfuscation, payloads, security checks, payload repackaging, botnets, traffic redirection, bulletproof hosting, reputation escalation, target selection, domain knowledge, money laundering, mule recruitment, reputation, value evaluation and even hacker training.
From threats to infrastructure and human support, no stone has been left unturned by the vast underground cybercrime economy. Here the ‘customer’ experience is king, competition can be intense and prices fluctuate according to demand. The Bromium report claims zero-day iOS exploits can sell for as much as $250,000, while SMS spoofing will cost you just $20 per month, for example.
"For cyber-criminals, it is a much more efficient method of making money"
The Platform is King
It’s also an economy spread across larger multi-national ‘organizations’ that can pull in profits of over $1bn, to smaller ‘SMEs’ where returns of $30-$50,000 are more likely, according to the University of Surrey’s McGuire. So-called ‘platform capitalism’ is at its heart, with those larger players the providers and facilitators of CaaS. McGuire tells Infosecurity there are three main dangers associated with this trend.
“Firstly, for cyber-criminals, it is a much more efficient method of making money and they know this. Secondly, the risk of being caught is reduced as they are not directly committing first order crime. This makes it much harder for police to intercept, or even disrupt cybercrime channels, so the bigger operators are getting away with committing crime, while a couple of the lower level guys may get caught,” he explains. “Finally, legitimate platforms that were built before the sophisticated tools of today were developed have gaps in their security, which criminals can exploit. There is a lot of evidence to suggest that these legitimate platforms are being abused by cyber-criminals.”
From Facebook to Amazon and Uber, these data-driven platforms have not only proved the inspiration for the underground CaaS model, but are also valuable channels in their own right: for cyber-criminals to acquire data, spread malware, launder money and much more. A recent investigation by journalist Brian Krebs revealed over 100 private discussion groups on Facebook that had been facilitating cybercrime and fraud for years. It took an estimated two hours for him to find them, which raises question marks over the social network’s commitment to security on its platform.
Disrupting the Disruptors
So is there any way the white hats can hope to fight back? The CSIS/McAfee report cites law enforcement estimates that although cybercrime is massive, “a much smaller number of individuals may be responsible for the bulk of the most significant cybercrime offerings.” This would seem to make disruption by police a plausible way to tackle the CaaS epidemic. In fact, there have been some notable successes.
Earlier this year, Europol trumpeted its takedown of webstresser.org, thought to be the world’s largest DDoS-for-hire platform. Trend Micro has also had success, teaming up with the UK’s National Crime Agency in an operation that led to the conviction of an individual responsible for selling crypting and Counter Anti-Virus (CAV) services. Its work with the FBI also saw two of the ringleaders of the notorious Scan4You CAV platform brought to justice.
However, James Lewis, director of the technology and public policy program at the CSIS, is pessimistic. “There are two dilemmas: many of the best criminals operate out of sanctuaries, so when one market is disrupted, another quickly appears,” he tells Infosecurity. “The second is that they are as fast or faster at adopting new technologies as the defenders, and use it to generate new ‘products’ very rapidly. Tor and cryptocurrencies help criminals deal with some of the trust problems. I wonder sometimes if law enforcement efforts are too much like a game of whack-a-mole.”
So is the only effective way to combat the unstoppable force of cybercrime simply to improve baseline corporate security across the board? After all, make yourself a harder target and, even with the low barriers to entry afforded by the as-a-service model, the ROI from attacks becomes less attractive to the criminals.
SANS-certified instructor and founder of Open Security, Matthew Toussain, agrees that “organizations must become their own first line of defense,” arguing that law enforcement is by its very nature too reactive at times.
“Today, proactive defenses are necessary. Understanding the risks inherent in one’s own network is a required first step; information security assessments help to solve this shortcoming,” he says.
“The next strategic factor for organizations to focus on should be the attack types preferred by actors in their threat model,” Toussain continues. “Often these attacks include DDoS, exploitation and ransomware. Solid network defenses and the ability to restore critical systems from backups are key components of any defensive posture here.”
The bottom line is that as long as there’s money to be made from cybercrime, and the platform capitalism model continues to function largely undisturbed, there will be no end to CaaS. While the information security industry can help, support and publicize those law enforcement wins when they come, a bigger impact will arguably come from simply improving corporate cybersecurity around the world. There are few quick wins in a long-running battle like this
The Bigger Picture
Unfortunately, the growth of the cybercrime economy is most likely having a major impact on rising global crime rates. Bromium’s Web of Profit report claims that around 20% of revenue or $300bn is reinvested annually in activities including drug manufacture, human trafficking and terrorism. For example, the arrest of a Dutch money laundering gang led to the discovery of equipment used to make ecstasy. Meanwhile, one British-born Al-Queda follower is said to have made $3.5m from card fraud.
That’s not to mention the large sums of revenue reinvested into cybercrime ventures. Larger cybercrime gangs are said to plough money back into expanding their operations; this could include buying more crimeware and infrastructure, paying money mules or investing in more technical support and human resources. The continued growth of the industry has also been a boom for nation state hackers looking to take shortcuts, says the UK’s University of Surrey’s Michael McGuire.