At one time, the number of people capable of performing an attack was very small. And, years ago, most companies could rest assured knowing the few experienced and skilled hackers out there would almost always go after larger, more lucrative targets. Now, however, the times have changed, as Crime-as-a-Service (CaaS) continues to rise.
Today, criminal organizations offer malware as a service to customers looking to buy. And, as criminal hacking becomes available to larger pools of less experienced hackers, attacks become less sophisticated.
As a result, tactics are changing. In fact, crime-as-a-service now even pursues low-value targets.
Let’s take a look at a few examples of CaaS, and see what makes it so dangerous to smaller businesses everywhere.
CaaS Malware Builders
Many low-skilled hackers wish they could enjoy the benefits of skilled hackers. But they don’t always have the talent or resources to create their own code and learn the ins and outs of IT systems.
That’s exactly where crime-as-a-service comes into play.
Skilled hackers often create malware builders to sell to those who can’t do it on their own. You see, CaaS works the same as nearly any other business. Someone can create something others desire, and so they capitalize on it.
For example, the author of KurayStealer borrowed code from other attacks to provide a password-stealing code package that less-skilled hackers could incorporate into other software.
Additionally, in July, malware researchers discovered teenagers on Discord offering similar malware builders and kits. Instead of delivering the malware themselves, they offered it to anyone who paid the group a membership fee of 7 to 37 Australian dollars.
Think about that for a minute. For seven dollars (Aus.), anyone could get their hands on crippling malware. And now, instead of worrying about a handful of criminal hackers, countless more threaten businesses.
For groups that need additional talent, the Atlas Intelligence Group (AIG) cybergang created a CaaS anonymous job market called the Atlantis Cyber-Army.
Think of it like Upwork, or Fiverr, but for criminals.
Here, criminal gangs can post a project request and connect with anonymous black-hat hackers. These criminal hackers then perform the task, in exchange for a flat fee or share of any extortion money obtained.
The job board allows the AIG gang to offer an incredible range of services. It also simultaneously isolates the parties in the cybercrime. This means they can’t reveal each other’s identities in the event of law enforcement action.
Just like any other legitimate business model, crime-as-a-service always looks for a competitive edge in the quest for profits.
Crime-as-a-Service Phishing & Proxy Offerings
Crime-as-a-service gangs also create specialized infrastructure products to enable attacks.
For example, the bluntly-named “Robin Banks” offers phishing kits. These kits specifically impersonate large banks, such as Citibank, Bank of America, Lloyds Bank, Santander, and Wells Fargo.
Low-skilled attackers can buy these phishing services to distribute malware produced with malware builders. Then, they turn to command and control (C2) services, such as Dark Utilities, to run the attacks.
Once underway, attackers use proxy servers to attempt to hide the source of the attacks.
However, the owners of these proxy servers don’t always know about their participation in a crime.
In fact, some threat actors hack into Microsoft SQL servers. There, they convert the devices into online proxy services routed through unsuspecting organizations.
The nature of these proxy services became exposed earlier this year in the breach of the pseudo-legitimate Microleaves proxy service. The breach revealed their network included many servers that affiliates brought into the network using malicious tactics.
For instance, one affiliate bundled malware with software distributions, in order to gain unauthorized access to servers. Then, they later sold access to them for proxy services and botnets.
While this is unusual for a legitimate service, attackers often use this strategy to create proxy services for criminals.
Recently, the 911.re criminal proxy service closed abruptly after a data breach exposed its inner workings. Its absence now leads to a supply-chain crunch for hackers.
Meanwhile, other existing proxy services, such as SocksEscort, no longer take on new customers, because their existing infrastructure of unsuspecting victims can’t handle more bandwidth.
It’s amazing how far the implications of CaaS reach in the industry.
Cybercriminals began offering ransomware-as-a-service (RaaS) several years ago. As a result, this easy access led to difficult situations and more widespread attacks.
For example, one victim organization suffered three separate ransomware-as-a-service attacks within a two-week period. In this case, attackers even encrypted each other’s already-encrypted ransomed files multiple times.
Unfortunately, though companies comprise most targets of ransomware attempts, individuals aren’t off limits, either.
For instance, low-skilled hackers used Instagram ‘follower bots’ to target individual video gamers with a SolidBit ransomware variant. Although attackers can’t expect much money from individuals, the minimal effort needed offers incentive for low-level hackers to attack low-level targets.
One RaaS vendor even offers their Redeemer ransomware builder for free – with a catch. The creator of Redeemer retains the encryption keys, providing them to hackers in exchange for 20% of the paid ransom.
If there’s a way to profit from others’ hard work, CaaS will find a way.
Silver Linings & Defensive Measures
Crime-as-a-service offerings expand attacks and entice low-level attackers to go after even the smallest companies. In some cases, even individuals are targeted by CaaS attacks.
Now, the possibility of an economic recession leads many researchers to worry even further. There’s a real possibility that an increasing number of struggling employees might become tempted to join fraudsters, willing to sell access to local systems.
Fortunately, skilled hackers remain rare, leaving a silver lining.
Since many of these attacks are basically duplicates using known techniques, modern endpoint detection products and managed security teams detect them.
To strengthen your cybersecurity defense, Blue Bastion can help, along with the assistance of our network specialist division, Ideal Integrations.
Simply contact us at 412-349-6680, or fill out the form below, and our security experts will provide a no-obligation discussion of potential solutions.
And, as always, stay vigilant.