Combatting the rise of Cybercrime-as-a-Service
Article by ESET senior research fellow Righard Zwienenberg
As cybercriminals have grown more sophisticated, hacking into systems can be as simple as downloading the right software from the dark web, then deploying it to the target.
Now, new developments in cybercrime mean that those with ambitions to create havoc online can do so with only the most rudimentary knowledge by taking advantage of Cybercrime-as-a-Service (CaaS). No longer the exclusive purview of criminals, cybercrime is now peddled freely on the surface web.
A simple internet search yields many results, which means amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. This becomes more worrisome in the digital age, when people are increasingly comfortable storing their personal data, such as credit card details and medical records, in the cloud.
Combined cloud computing, connected devices, and the Internet of Things (IoT) create a treasure trove of information and potential weak points that cybercriminals can exploit. The rewards for this illegal activity can be significant.
A recent study found that cybercrime can pay from tens of thousands of dollars to millions of dollars every year.
And one of the key ways cybercriminals can earn money is to sell tools that can be used to hack others. It’s long been known that the dark web houses various hacking tools for sale, along with user manuals that provide a step-by-step guide to help even the newest of ambitious criminals get up and running quickly.
Some of these CaaS providers even provide helpdesk services, further highlighting the level of organisation and professionalism in these communities. A complete set of tools for hacking Wi-Fi networks and stealing personal information costs as little as US$125; not a hefty price tag considering the potential damage it could do, and the rewards it could deliver for the cybercriminal. As well as being cheap, cybercrime is relatively low-risk, especially when considering the potential for profit.
And it only takes a modicum of technical capability for cybercriminals to hide their tracks well enough to make capture an almost laughable concept. When it comes to getting caught, a loophole in most countries’ laws means hiring a hacker is not illegal.
In fact, many reputable businesses hire so-called ‘white hat’ hackers to test their cybersecurity defences and find potential loopholes so they can protect themselves more effectively. Internationally, there is not yet any unified law that can indict cybercriminals that commit transnational crime.
So, even if a cybercriminal is caught, the authorities may not be able to prosecute.
Furthermore, even in countries where cybercrime is prosecutable, something that’s illegal in one country might be perfectly legal in another, creating another legal grey area.
This contributes to the challenges in prosecuting cybercriminals who launch cross-border attacks. This means that victims of cybercrime have very little recourse under the law, so the best approach is to implement security measures that protect against successful attacks. These include installing security updates as soon as they become available, using complex passwords and multi-factor authentication, avoiding shared passwords across different accounts, and using antivirus tools with regular scans. It’s also essential to ensure all employees are well aware of the risk of phishing attacks, and know how to identify an attack, as well as what to do if they suspect they’re being targeted. As well as taking individual responsibility for cybersecurity, it’s important that other organisations recognise the role they can play in protecting end users, and act accordingly.
Internet service providers (ISPs) can employ machine learning tools to proactively identify suspicious activity and deal with it before it spreads through the network. Governments should also invest in cybersecurity talent.
With a greater talent pool, better cybersecurity measures can be developed.
Governments are already moving in this direction by implementing privacy legislation that requires businesses to take responsibility for protecting individuals’ information.
In Australia, the mandatory notifiable data breaches (NDB) scheme is already in full swing, while Europe’s General Data Protection Regulation (GDPR) has also taken effect.
Initiatives like these aim to create a safer online environment while making organisations responsible for the data they own and store. However, laws are only part of the equation.
It’s also important to have global, unified accords that help make cybercrime less risk-free and lucrative.
By working on ways to detect and prosecute cybercriminals, law enforcement agencies can reduce the significant risk posed by CaaS and other mainstream cybercrime tools.