The Evolution of Cybercrime as a Service
Organizations need to add layers of security to defend against ever-increasing cyberattacks.
	
By Kelvin Murray | 9 July 2021 2:20 AEST




You've likely heard of software as a service (SaaS), infrastructure as a service (IaaS), and numerous other as-a-service platforms that help support the modern business world. What you may not realize is that cybercriminals often use the same business concepts and service models in their own organizations as regular, non-criminal enterprises. While this may have started several years ago, the tactic has continued to grow, with today's criminals taking advantage of easy-to-access solutions.

Cybercrime as a service follows the same path as most as-a-service business offerings. Talented criminals who've written successful malicious code have begun renting access to their own cybercrime solutions to lower-level criminals who either don't have the resources or know-how to design, write, and execute cyberattacks on their own. Criminals provide the service for a cut, and that cut is growing, with some criminals receiving 10% to 20% of any profits made in an attack that uses their code.

Anything that can be automated can be sold as a service, and this is what's really turned the industry on its head in the past few years. Hackers are looking for ways to add subscription-like services on the dark web. They even often have reputation reviews, much like you might rate a local restaurant or purchase from your favorite department store. In short, it's become as easy as: point, click, choose, execute.

The increased risk comes from the fact that crime is now in the hands of lower-level hackers because it's easy; those new to the game or just looking to make a bigger impact can access elite hacking services that weren't accessible in the past. Today's criminals don't need to know much, and this means the barrier to entry is low and it's financially feasible to target the small or medium-sized businesses that tend to have a less robust security posture. While hackers might not make as much per transaction, they haven't had to invest as much to enter the criminal world to start with, and it's much easier to monetize and replicate the same attack again and again, which adds up over time.

The biggest risk factor for small and medium-sized businesses today is still the password. Again and again, studies show the most popular (and therefore least secure) password is "123456", with other combinations like "password" and "password1234" consistently coming in as close contenders.

For organizations looking to boost their security posture and protect themselves against more prevalent (and accessible) threats, a layered security solution and multifactor authentication are critical. Cybercriminals will often target the organizations that are easiest to hack. By requiring an additional layer of verification alongside strong, unique passwords, small and mid-sized organizations make it more difficult for a hacker to break into the system and are less likely to suffer a breach.

It's also wise to deploy a layered defense-in-depth approach that includes malware protection, timely patching, DNS security, encryption and backup. Yet perhaps the most effective method for blocking malware is education and training. The vast majority of infections are caused by employees clicking bad links or having poor password practices that make it easy for criminals to walk in the front door, but education helps individuals spot such attempts and other social engineering methods.

Because cybercrime is always evolving, there's no perfect solution. Yet organizations that adopt a defense-in-depth framework and have a contingency plan for dealing with an attack are far less likely to find themselves staring down the barrel of an expensive and debilitating attack, especially since as-a-service models make it easier for criminals to enter the game.



Kelvin Murray is a senior threat researcher with Webroot and specializes in P.E. files, stat analysis and security news. Kelvin is based in Webroot's international office in Dublin, where he mostly writes, presents and teaches.
