Crime-As-A-Service (CaaS) Expands Tools and Services
Crime-as-a-Service Could Be the Next Big Threat to Your Business
Companies deal with a variety of risks to their business operations every single day, but there is a new threat originating in the Dark Web that they cannot afford to overlook: “crime-as-a-service,” or CaaS.
Crime-as-a-service is when a professional criminal or group of criminals develops advanced tools, “kits” and other packaged services, which are then offered for sale or rent to other criminals who are usually less experienced. This is having a powerful effect on the world of crime – and cybercrime in particular – because it lowers the bar for inexperienced actors to launch sophisticated cyber attacks and scams. In 2017, Europol released a new study that flagged CaaS as a major facilitator of serious online crimes, as well as traditional crimes like illegal weapons sales.
Criminal organizations will continue their ongoing development and become increasingly sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organisations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organisations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organisations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organisations have experienced previously, leading to business disruption and loss of trust in existing security controls.
Here are five popular CaaS offerings on the Dark Web that are most likely to impact small businesses:
- Phishing kits
Email attacks consistently rank at the top of the list when it comes to small business cyber threats. It used to be fairly easy to spot a fake email, as these scams were often riddled with spelling mistakes and bad English. Today, however, that is no longer the case. Professional “phishing kits” are now available online which are very good at helping criminals impersonate legitimate organizations like banks and the IRS. These kits may come with pre-written form letters which imitate the language, format and logos of real organizations; fake web pages to solicit the victim’s information; “crimeware” that automates the theft of online credentials; spamming software and more.
Security tip: Use a malware detection service with anti-phishing support and consider “whitelisting” key operators in the company so they will only receive email from approved contacts. Security awareness training is also important.
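One way the allowlisting tip above could be enforced at a mail gateway, as an added example that is not from the original article. The policy sets, the gateway name `mx.example.com` and the sample messages are constructed assumptions; the check matches the address in `From:` rather than the display name, and only after the gateway's own DMARC result, because `From:` alone is forgeable.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed policy for illustration; every value below is an assumption.
PROTECTED = {"cfo@example.com", "payroll@example.com"}  # the "key operators"
APPROVED_ADDRESSES = {"advisor@bank.example"}           # approved outside contacts
APPROVED_DOMAINS = {"example.com"}                      # the company's own domain
TRUSTED_AUTHSERV = "mx.example.com"                     # the company's mail gateway

def from_address(msg):
    """Address in From:, lower-cased; the display name is ignored on purpose."""
    parsed = getaddresses(msg.get_all("From", []))
    if len(parsed) != 1:
        return None  # a missing or repeated From: header is treated as suspect
    addr = parsed[0][1].lower()
    return addr if addr.count("@") == 1 else None

def dmarc_passed(msg):
    """True only if the trusted gateway stamped dmarc=pass on the message."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in value.split(";")]
        if parts[0].split()[:1] == [TRUSTED_AUTHSERV]:
            return any(p.startswith("dmarc=pass") for p in parts[1:])
    return False  # no result from our gateway: do not trust From:

def decide(raw_message):
    """Return 'deliver' or 'quarantine' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    rcpts = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not rcpts & PROTECTED:
        return "deliver"  # the allowlist only covers protected mailboxes
    sender = from_address(msg)
    if sender is None or not dmarc_passed(msg):
        return "quarantine"  # From: is forgeable unless DMARC passed
    domain = sender.rsplit("@", 1)[1]
    if sender in APPROVED_ADDRESSES or domain in APPROVED_DOMAINS:
        return "deliver"
    return "quarantine"

def make(sender, to, auth):
    """Build a constructed sample message (not real mail)."""
    return (f"From: {sender}\nTo: {to}\n"
            f"Authentication-Results: {auth}\nSubject: sample\n\nbody\n")

if __name__ == "__main__":
    spoof = make('"advisor@bank.example" <refunds@irs-claim.example>',
                 "cfo@example.com", "mx.example.com; dmarc=pass")
    print(decide(spoof))
```

This relies on the gateway removing any inbound `Authentication-Results` header that already carries its own identifier before adding its result.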
- Exploit kits
There is an abundance of software vulnerabilities out in the wild, but it takes skill to use them. For this reason, professional hackers sell “exploit kits” online (such as RIG, Neutrino and Sundown/Nebula) that incorporate these vulnerabilities into a ready-made hacking tool or set of tools that make it easier for a criminal to break into a company’s network and/or infect it with malware.
Security tip: Make sure all software is updated regularly. Additionally, check the company’s website and network using a vulnerability scanning service.
- Malware kits
Worms, Trojans and viruses are the crown jewel of any attacker’s toolkit. But, developing “good” malware requires solid expertise, which not many cybercriminals have. Today, however, anyone can go onto the Dark Web and buy malware and malware kits, which they can use as-is or customize for specific targets. These online offerings even come with antivirus evasion (i.e., they hide or alter the malware’s “signature” in order to prevent detection by an AV product) and customer support. Ransomware is extremely popular today, but there are plenty of other dangerous products up for sale, including banking Trojans, remote access Trojans (RATs), keyloggers and mobile malware.
Security tip: Assume your business will get infected with malware and plan accordingly. Have an outbound firewall in place to prevent malware from “phoning home” to the attacker. Segregate the network so malware can’t spread easily. Back up data regularly in case of loss. Use two-factor authentication for all online accounts.
- Criminal phone banks
As the name implies, this is a service in which criminals have created their own call center operation that can be rented out to other criminals. These are usually operated over VoIP lines in order to conceal their true location and make it easier to spoof phone numbers and impersonate legitimate organizations. They may even use “soundtracks” to imitate the background noises of a busy call center or office, and provide operators with specific accents. A criminal might rent a call center to support a phishing email campaign (“Call this number for assistance with your IRS claim”), or to social engineer an office employee or impersonate a company official to fool a bank.
Security tip: Establish clear policies for employees about sharing sensitive information via phone, especially with respect to financial transactions.
- DDoS botnet services
Distributed denial-of-service (DDoS) attacks can be crippling to any business, as they can knock out websites, customer portals, e-mail service and network connectivity. In the past few years, they have also become exponentially more powerful, due to methods like DNS amplification and NTP amplification attacks. It’s estimated that 73 percent of global brands and organizations are hit by DDoS attacks every year, and many are the victims of repeated attacks. Criminals used to have to build up their own “botnet” containing thousands of infected computers in order to launch these attacks, but now all they have to do is rent a botnet service online.
Security tip: Consider hiring a DDoS mitigation service to protect your website.
The importance of planning ahead
Crime-as-a-service will increase the risks of financial fraud, cyber extortion and data theft for all types of businesses, but smaller companies are at the greatest risk. For this reason, it is essential for business owners to create a “defense in depth” approach that focuses equally on preventive security and post-breach containment. The latter is especially important because no business will be able to prevent every cyber-attack. By planning ahead for a network breach, the company can minimize the damage.