Cybercrime-as-a-Service (CaaS) Lets Hackers Rival Nation States

Cybercrime is stereotypically associated with lone-wolf hackers or loose syndicates of amateurs. Recent incidents such as the 2014 hacking of electronic highway signs in North Carolina (by someone security researcher Brian Krebs dubbed a “script kiddie”), as well as historical ones like the 2012 hacks of Skype, Facebook and Microsoft Windows using the widely available Blackhole exploit kit, seem to confirm such stereotypes of cybercrime as a dangerous, albeit niche, activity.

However, cybercriminals are gradually turning into professionals, capable of rivaling nation states for power and global reach. Rather than rely exclusively on low-hanging exploits or simple tools, they are crafting sophisticated malware and carrying out cyberattacks that can undermine network security, intercept transactions and harvest consumer data.

Mounting Global Costs of Cybercrime Shine Spotlight on an Increasingly Professional Industry

No longer just a concern for the IT department or security teams, cybercrime has become a serious time and money pit for entire organizations as its purveyors take up advanced tactics. Whether targeting corporate intellectual property or end user login credentials, cybercrime is a big business:

  • A 2014 report from the Center for Strategic and International Studies, underwritten by Intel Security’s McAfee, estimated that cybercrime and cyberespionage cost approximately $445 billion annually. For context, that’s slightly less than 1 percent of world income and roughly on par with the global narcotics trade. The U.S., China and Germany each lost between 0.6 percent and 1.6 percent of GDP, mostly to IP theft. Hundreds of thousands of jobs could be lost to cybercrime’s effects.
  • Underscoring the growing resemblance of cybercrime to traditional crime, digital bank heists, enabled by malware and surveillance, can be as effective as actual in-person robbery. Mt. Gox, until recently the world’s leading Bitcoin exchange, succumbed to persistent attacks and was ultimately raided of nearly $500 million in cryptocurrency. Similarly, cybercriminals made off with troves of payment card data from Target without having to set foot in many of the stores; instead, they exploited a remote HVAC connection and utilized malware.
  • The former Soviet Union has become a hotbed for outfits that provide cybercrime-as-a-service. McAfee’s report asserted that there may be more than 20 cybercriminal organizations in Russia, Ukraine and elsewhere with expertise rivaling that of a nation state. Russia’s underground economy also offers botnets and exploit kits for as low as a few hundred dollars, as detailed in Trend Micro’s “Russian Underground 101” report. Such sharing of information and resources has cultivated a highly capable cybercriminal community.
  • In some cases, cybercrime has not only rivaled nation-state-sanctioned hacking, but merged with it. A recent, years-long Iranian scheme to win the trust of U.S. officials involved elaborate social engineering and phishing tactics.

Cybercrime has become professionalized and globalized, with perpetrators casting wide nets as they look to cause lasting harm. Although such marked evolution of cybercriminal strategies and tactics is to be expected as powerful CPUs and network bandwidth become more readily available, it has been accelerated by how lucrative cybercrime has become.

Ill-intentioned hackers can steal assets not only from individuals, but also at scale from businesses, either by exploiting weak infrastructure such as point-of-sale terminals or by setting up wide-reaching botnets that enlist thousands of infected endpoints. What’s more, they may be paid for sharing knowledge that contributes to these successful breaches, while benefiting from the massive repositories of already available resources that can be used to craft effective malware.

“In this era of electronic transactions, nothing screams ‘crime’ like a massive data breach, whether carried out by individual attackers or sophisticated cybercriminal gangs,” stated the authors of Trend Micro’s “TrendLabs℠ 1Q 2014 Security Roundup” report. “Instead of going only after individuals, cybercriminals went after unusual targets like PoS terminals in retail chains.”

The Gameover Zeus Botnet and The Prevailing Cybercrime Business Model

Professional cybercrime is indeed lucrative because of the opportunity to make millions from the theft and resale of sensitive data. In going after big targets such as banking networks, retailers and stock exchanges, cybercriminals have upped their game with the aim of netting more assets and money.

For example, the Zeus banking Trojan, which dates back to 2007, was heavily modified this year into a botnet called Gameover Zeus. This variant uses a decentralized peer-to-peer infrastructure that makes it difficult to take down. It can steal banking credentials from compromised devices and then use them to redirect wire transfers to accounts controlled by cybercriminals. Infected PCs are enlisted into the botnet and begin transmitting the CryptoLocker ransomware, which encrypts user files and demands payment before its timer runs out.

Law enforcement from around the world recently convened to take action against Gameover Zeus. The malware is estimated to have stolen more than $100 million, while CryptoLocker alone raked in $27 million just in its first two months on the market, according to the FBI.

Certainly, the massive amounts of money stolen in successful breaches and infections are helping sustain the current surge in sophistication of cybercriminal tactics and technology, creating a problematic cycle. There’s also the issue of cybercriminals receiving hefty sums to go after particular targets. This cybercrime-as-a-service business model is fueling growth in the potency of malware, which in turn can demand increasing fees from victims and interested parties alike.

“Someone who wants to infect computers with a particular type of malware would go to one of the organized crime groups and ask them – crime-as-a-service – can you infect 20,000 computers and for that we’ll pay you so much,” stated Paul Gillen, head of operations at the European Cybercrime Center. “They do that, and they get a pay-per-infection rate. It is quite a sophisticated business model.”

Taking on professional cybercrime requires a joint effort from world governments as well as security firms. Modern technical solutions such as continuous monitoring and secure messaging must be used alongside better IP protections to curb the impact of advanced schemes.