The Evolution of Cybercrime as a Service

Organizations need to add layers of security to defend against ever-increasing cyberattacks.

istock 1227400166

The Evolution of Cybercrime as a Service

You’ve likely heard of software as a service (SaaS), infrastructure as a service (IaaS), and numerous other “as-a-service” platforms that help support the modern business world. What you may not realize is that cybercriminals often use the same business concepts and service models in their own organizations as regular, non-criminal enterprises. While this may have started several years ago, the tactic has continued to grow with today’s criminals taking advantage of easy-to-access solutions.

Cybercrime as a service follows the same path as most as-a-service business offerings. Talented criminals who’ve written successful malicious code have begun renting access to their own cybercrime “solutions” to lower-level criminals who either don’t have the resources or know-how to design, write, and execute cyberattacks on their own. Criminals provide the service for a cut – and that cut is growing, with some criminals receiving 10% to 20% of any profits made in an attack that uses their code.

Anything that can be automated can be sold as a service – and this is what’s really turned the industry on its head in the past few years. Hackers are looking for ways to add subscription-like services on the dark web. They even often have reputation reviews, much like you might rate a local restaurant or purchase from your favorite department store. In short, it’s become as easy as: point, click, choose, execute.

The increased risk comes from the fact that crime is now in the hands of lower-level hackers because it’s easy; those new to the game or just looking to make a bigger impact can access elite hacking services that weren’t accessible in the past. Today’s criminals don’t need to know much, and this means the barrier to entry is low and it’s financially feasible to target the small or medium-sized businesses that tend to have a less robust security posture. While hackers might not make as much per transaction, they haven’t had to invest as much to enter the criminal world to start with, and it’s much easier to monetize and replicate the same attack again and again – which adds up over time.

The biggest risk factor for small and medium-sized business today is still the password. Again, and again, studies show the most popular – and therefore least secure – password is “123456”, with other combinations like “password” and “password1234” consistently coming in as close contenders.

For organizations looking to boost their security posture and protect themselves against more prevalent – and accessible – threats, a layered security solution and multifactor authentication are critical. Cybercriminals will often target those organizations most easy to hack. By requiring an additional layer of verification alongside strong, unique passwords, small and mid-sized organizations are less likely to suffer a breach by making it more difficult for a hacker to break into the system.

It’s also wise to deploy a layered defense-in-depth approach that includes malware protection, timely patching, DNS security, encryption and backup. Yet perhaps the most effective method for blocking malware is education and training. The vast majority of infections are caused by employees clicking bad links or having poor password practices that make it easy for criminals to walk in the front door, but education helps individuals spot attempts and other social engineering methods.

Because cybercrime is always evolving, there’s no perfect solution. Yet, organizations that adopt a defense-in-depth framework and have a contingency plan for dealing with an attack are far less likely to find themselves staring down the barrel of an expensive and debilitating attack – especially since as-a-service models make it easier for criminals to enter the game.

Kelvin Murray is a senior threat researcher with Webroot and specializes in P.E. files, stat analysis and security news. Kelvin is based in Webroot’s international office in Dublin, where he mostly writes, presents and teaches.


Copyright © 2021 IDG Communications, Inc.