The Rising Tide of Cybercrime as A Service (CaaS)

By Nik Hewitt, Sr. Content Marketing Manager, TrueFort

Welcome to the era of Cybercrime as a Service, or CaaS, which, quite alarmingly, is like an online marketplace for cybercriminals and their services.

While nothing new, it’s on the rise and a game-changer. Now, anyone with an internet connection and a chip on their shoulder – an unhappy customer, a scorned ex-lover, a disgruntled ex-employee, or a bitter competitor – can employ illicit services such as fraud, cyberattacks, social account takeovers, and even deploy ransomware.

And all this, believe it or not, for the price of our morning coffee and bagel.

How Much Does Cybercrime Cost?

Loading up Tor, we took a dive into the digital underworld of .onion sites and forums, exploring official reports and braving the murky corners of the dark web to gauge the cost of these unlawful digital deeds. Everything we found was from just one evening of exploration. To maintain ethical boundaries, we’ve chosen not to share links to these illicit services, but be assured that a chilling array of options are available for prospective CaaS customers.

Interestingly, the dark web also provides escrow services that hold funds until the buyer is happy with their underhanded ‘purchase,’ ensuring a somewhat bizarre level of customer service in these illicit transactions.

Devious DDoS on Demand 

Fancy crippling a website with a torrent of bogus traffic? It’s possible to commission a targeted Distributed Denial of Service (DDoS) attack for just $5. If you’re willing to shell out $500, you can ramp up the chaos to a 24-hour onslaught potent enough to buckle most commercial servers. The fallout? Lost sales, exhausted security personnel, and a battered reputation – a nightmare scenario, especially if timed to coincide with peak traffic.

DDoS attacks are so powerful that they’re being used as weapons of war. In recent months, hackers with ties to Russia have launched sophisticated cyberattacks against Ukrainian state services, notably targeting the application known as “Diia.” These attacks have been executed using a combination of malware and phishing techniques. The Ukrainian defense and security agencies are among the most vulnerable and primary targets of these cyber onslaughts.

Invading Personal Spaces 

Your personal life is up for grabs in the shadowy marketplace of the dark web. Despite the existence of legal background screening services, the dark web is rife with illicit offerings that promise to delve deeper into a person’s life, background, and financial details for a mere 120-200 USD.

The price tag for thieves might be low, but the cost to society adds up. One recent report concluded that almost 42 million Americans had their identities compromised in 2021, and that the total cost to US consumers was over $52 billion. Young people and the elderly are at increased risk, as are those whose wealth makes them attractive targets for theft of any kind.

Social Media Mayhem 

Should someone want to gain control over someone else’s social media accounts, or recover their own after a security mishap, the dark web provides this service for only 300 USD. This reality underscores the urgent need for beefed-up personal security, strong password practices, and the savvy use of password managers at home and work.

Trust forms the cornerstone of any social platform. It’s what lures people into sharing (often confidential) information. Yet, this very trust can also be a gateway for cybercriminals to gather invaluable data that are then used in orchestrating attacks against organizations or to conduct wider attacks using credential-stuffing tactics. Each month, social media platforms bear witness to the hacking of an astounding 1.4 billion accounts [Gitnux].

Bad actors also exploit personal accounts that are admins’ of business accounts. By assuming a brand’s identity, they can target a company’s employees and customers to pilfer their credentials. Social media is implicated in approximately 81% of all hacking-related data breaches. The greater a business or communities’ presence and engagement on social media, the higher the likelihood that cybercriminals will set their sights on their users. Apart from directly targeting businesses and communities, cybercriminals are also known to exploit social media to engage with potential victims for phishing purposes – an obvious call for MFA and strong personal password protocols.

Points for Pilfering 

Even loyalty points aren’t safe. In a concerning trend for the industries that rely on these rewards, like gaming, aviation, and eCommerce, stolen loyalty points are available for purchase on the dark web. With prices determined by the number of points desired, the digital theft of these assets can also extend to cryptocurrency. Price seems to depend on the number of points desired – 50,000 gaming loyalty points could cost as little as 16 USD, while 200,000 frequent flyer miles might be as low as 70 USD.

One Akamai report found that there were over 100 million “credential stuffing” attacks between July 2018 and June 2020 in which bad actors gained access to one account and used that same password to infiltrate another. 63% targeted the travel, hospitality, and retail loyalty programs. With the global loyalty market expected to reach a value of $11.4 billion by 2025, it’s easy to see the incentive for thieves.

Sneaky Spyware 

The past decade has seen countless scandals around hacked phones and privacy breaches. The dark web is a marketplace for these services, too, with prices starting at 240 USD to plant spyware on a person’s phone, with costs varying based on the target and desired level of access.

How big is the spyware issue? TechCrunch recently reported on an Iranian-developed app called Spyhide that is already believed to be on tens of thousands of Android phones around the world. According to the report, “Spyhide’s database contained detailed records of about 60,000 compromised Android devices, dating back to 2016 up to the date of exfiltration in mid-July. These records included call logs, text messages and precise location history dating back years, as well as information about each file, such as when a photo or video was taken and uploaded, and when calls were recorded and for how long.” TechCrunch analyzed the data and concluded that Spyhide is gathering data on every continent, with primary efforts focused on Europe and Brazil.

The Vendetta Package 

The services offered by hackers-for-hire have become more sophisticated and fees have certainly risen since 2014, when FBI agents arrested Zachary Buchta, then only 17 years old and charged him with conspiracy. Part of hacker groups called LizardSquad and PoodleCorp, Buchta was responsible for DDoS attacks and other malfeasance, including online harassment and attacks for $20 each. He was sentenced to a fine and prison time after pleading guilty to one count of conspiracy to commit damage to protected computers

Today, in the web’s darkest corners, malicious actors offer personalized digital attacks for prices between $1,500 to $2,500. This ‘service’ promises total chaos and the potential to disrupt an individual’s life. But remember, these are shady operators – can you really trust them? No. And let’s not forget the very real possibility of walking into a law enforcement trap.

The Cybercrime Boom

Our shared examples touch on the sprawling underground economy driven by Cybercrime as a Service. With the proliferation of hacking tools, botnet rental operations, and even hacker training courses on the dark web, it’s no surprise that this illicit industry is booming.  According to Forbes, there is a relationship between the increase in cybercrime and the increase in remote work spurred by the pandemic. Remote and hybrid employees are less likely to take recommended security precautions, often working outside of normal office hours and using unprotected personal devices for work tasks. Compounding the work-from-home issue is the widespread use of contractors, who work without supervision and are often less invested in company security.

Experts recommend that businesses take steps, including upgrading hardware and software and implementing mandatory two-factor authentication to protect themselves from hackers. Individuals would be well-served to heed the same advice.

Final Thoughts 

This grim reality serves as a powerful reminder of the critical need for cybersecurity readiness. The old adage rings true – prevention is better than cure. Particularly when cybercrime comes cheaper than cybersecurity, yet the damage it wreaks on businesses and reputations can be crippling. The need for security-minded individuals and organizations has never been more crucial.

About the Author

Nik Hewitt is the Sr. Content Marketing Manager at TrueFort, the leading lateral movement protection platform. He is a BAFTA-winning digital storyteller with nearly three decades of experience in digital content creation and IT/cybersecurity journalism. Now living in rural Ireland, he has worked with some of the world’s largest cybersecurity providers. Currently thriving with the team at TrueFort, Nik is a committed advocate for workplace equality and a champion for the use of AI in digital marketing

Nik can be reached online at www.linkedin.com/in/nikhewitt and at https://truefort.com/