Story image

Combatting the rise of Cybercrime-as-a-Service

07 Nov 2018

Article by ESET senior research fellow Righard Zwienenberg

As cybercriminals have grown more sophisticated, hacking into systems can be as simple as downloading the right software from the dark web, then deploying it to the target.

Now, new developments in cybercrime mean that those with ambitions to create havoc online can do so with only the most rudimentary knowledge by taking advantage of Cybercrime-as-a-Service (CaaS). 

No longer the exclusive purview of criminals, cybercrime is now peddled freely on the surface web.

A simple internet search yields many results, which means amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. 

This becomes more worrisome in the digital age, when people are increasingly comfortable storing their personal data, such as credit card details and medical records, in the cloud.

Combined cloud computing, connected devices, and the Internet of Things (IoT) create a treasure trove of information and potential weak points that cybercriminals can exploit. 

The rewards for this illegal activity can be significant.

A recent study found that cybercrime can pay from tens of thousands of dollars to millions of dollars every year.

And one of the key ways cybercriminals can earn money is to sell tools that can be used to hack others. 

It’s long been known that the dark web houses various hacking tools for sale, along with user manuals that provide a step-by-step guide to help even the newest of ambitious criminals get up and running quickly.

Some of these CaaS providers even provide helpdesk services, further highlighting the level of organisation and professionalism in these communities. 

A complete set of tools for hacking Wi-Fi networks and stealing personal information costs as little as US$125; not a hefty price tag considering the potential damage it could do, and the rewards it could deliver for the cybercriminal.

As well as being cheap, cybercrime is relatively low-risk, especially when considering the potential for profit.

And it only takes a modicum of technical capability for cybercriminals to hide their tracks well enough to make capture an almost laughable concept. 

When it comes to getting caught, a loophole in most countries’ laws means hiring a hacker is not illegal.

In fact, many reputable businesses hire so-called ‘white hat’ hackers to test their cybersecurity defences and find potential loopholes so they can protect themselves more effectively. 

Internationally, there is not yet any unified law that can indict cybercriminals that commit transnational crime.

So, even if a cybercriminal is caught, the authorities may not be able to prosecute.

Furthermore, even in countries where cybercrime is prosecutable, something that’s illegal in one country might be perfectly legal in another, creating another legal grey area.

This contributes to the challenges in prosecuting cybercriminals who launch cross-border attacks. 

This means that victims of cybercrime have very little recourse under the law, so the best approach is to implement security measures that protect against successful attacks. 

These include installing security updates as soon as they become available, using complex passwords and multi-factor authentication, avoiding shared passwords across different accounts, and using antivirus tools with regular scans. 

It’s also essential to ensure all employees are well aware of the risk of phishing attacks, and know how to identify an attack, as well as what to do if they suspect they’re being targeted. 

As well as taking individual responsibility for cybersecurity, it’s important that other organisations recognise the role they can play in protecting end users, and act accordingly.

Internet service providers (ISPs) can employ machine learning tools to proactively identify suspicious activity and deal with it before it spreads through the network. 

Governments should also invest in cybersecurity talent.

With a greater talent pool, better cybersecurity measures can be developed.

Governments are already moving in this direction by implementing privacy legislation that requires businesses to take responsibility for protecting individuals’ information.

In Australia, the mandatory notifiable data breaches (NDB) scheme is already in full swing, while Europe’s General Data Protection Regulation (GDPR) has also taken effect.

Initiatives like these aim to create a safer online environment while making organisations responsible for the data they own and store. 

However, laws are only part of the equation.

It’s also important to have global, unified accords that help make cybercrime less risk-free and lucrative.

By working on ways to detect and prosecute cybercriminals, law enforcement agencies can reduce the significant risk posed by CaaS and other mainstream cybercrime tools. 

How Red Hat aims to accelerate business value with container technologies
Red Hat announced that leading global companies are creating, extending and deploying integration services across hybrid and multicloud environments using agile integration architectures based on Red Hat technologies.
IT employers having to up salaries and bonuses to attract talent
As the modern economy relies increasingly on data, it’s certainly a good time to be working in IT.
Red Hat expands integration product capabilities
Adds end-to-end API lifecycle support and new capabilities for agile integration across hybrid architectures.
Electric car infrastructure needs to be a high priority
“Australians should be able to drive all over this massive nation with complete confidence in a zero-emission vehicle.”
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
BMC adds IBM Cloud, Watson to Helix solution
BMC Helix with IBM Watson delivers cognitive insights across structured and unstructured federated knowledgebases.
Hyundai works with IBM to create a new blockchain-based platform
The network for commercial financing will supposedly provide participants with a single view of all the transactions happening in the network.
Why businesses should invest in energy automation
In industrial applications digital transformation allows businesses to do more with less.