There’s something rather pleasing about the corrupt sounding jargon of "cybercrime-as-a-service". The notion that criminals are outsourcing with the same obfuscating sales pitches and the Office style antics the rest of world endures seems too enticing to be true.
Yet only this May a hundred people said to be involved with the sale and purchase of the Blackshades trojan were arrested in an international police sweep. Powerful malware was being sold for as little as $40, with user support even thrown in for free. At least you couldn’t accuse these crooks of skimping on the extras.
"We need to face the reality that the cybercrime-as-a-service economy has created parity between the capable hacker gang and ordinary aspiring criminals armed with mere credit cards," says Mike Fey, executive VP of security firm McAfee. "These perpetrators could be in it just for the money, they could be your business competitors, or they could be a nosy neighbour down the street."
But cybercriminals are not limited to flogging you malware and helping you set it up. These days they are offering everything: research on security vulnerabilities, infrastructure to facilitate attacks, and even hacking as a service in itself.
As with many crimes, the increased reach and usage of the internet has only served to encourage criminals in this emerging field, with a report from the Center for Strategic and International Studies (CSIS) estimating cybercrime costs the world in excess of $400bn a year.
For comparison, the Boston Consulting Group, a management consultancy, predict by 2016 the internet economy of the G20 will be worth $4.2tn. We use the net to store our data and buy goods, but it also is swallowing up old trades such as taxis, takeaways and telephones. Soon enough the internet economy will be more or less the entire economy.
Cybercrime is paying, and increasingly so
Like its offline predecessor crime online is predominantly about money. A Verizon review of the last decade of cybercrime showed that while a fifth of the breaches could be attributed to spying, the lure of lucre was the motivator more than three-fifths of the time.
The move to a digital economy is both cause and effect of intellectual property becoming the major asset in business. As shown by the recent hack on the European Central Bank, even personal data can be a target – including addresses, emails and phone numbers.
"We’re seeing more and more cases of cyber criminals stealing unencrypted data and either selling it on the black market, or using it for cyber blackmail," says Jason Hart, VP of cloud security at SafeNet. "Any data stored in a plain-text state is easily readable and can be easily accessed by cyber criminals, so companies need to think about encrypting all customer data, both in storage and transit."
Technologies developed with the explicit purpose of protecting citizens from overbearing governments are now being exploited by criminals. Ransomware that blackmails victims with the threat of permanently encrypted files commonly makes use of Bitcoins as a payment type, and a recent example of the malware even uses the anonymity network Tor to prevent hackers getting caught.
The Internet’s famed lack of borders hailed by some post-nationalists has also been a boon to crooks, who can sell their wares on any country with so much as a dial-up connection. Police are unfortunately not so free, and hostility between states is likely to aid hackers for years to come, despite the success of international botnet takedowns in recent months.
We do everything online, including crime
The resurgence of online marketplace Silk Road following the arrest of its alleged founder Ross Ulbricht by the Federal Bureau of Investigation (FBI) shows the whac-a-mole esque problem before the authorities. As attempts to block filesharing the Pirate Bay from UK ISPs also showed, the web is always one step ahead of the police.
Ulbricht stands accused not merely of facilitating the sale of drugs, but of attempting to have a fellow Silk Road user assassinated. The Internet is not merely inspiring new crimes, but absorbing the old ones into its infrastructure – mirroring the businesses they seek to exploit.
For security experts and police alike this is all new ground. Neil Thacker, EMEA information security and strategy officer at Websense, recently told CBR that the internet required fundamental reform if it was to become even reasonably secure. Until that happens we can expect the crooks to keep coming, and to sell their services to those willing to pay.
