
April 19, 2023

The rise of cybercrime-as-a-service


Driving revenue of over $1.6 billion per year, cybercrime-as-a-service is a flourishing segment of the shady cybercrime ecosystem. The easy availability of hacking tools and expertise as services democratizes cyberattacks.

Now, budding cybercriminals no longer need expert technical knowledge or special software to inflict damage—the right amount of cryptocurrency is enough to launch a cyberattack.

This article explains the cybercrime-as-a-service model, assesses its impact on the threat landscape, and gives an overview of the most common types of services that underground vendors sell to other threat actors. 

What is cybercrime-as-a-service? 

Cybercrime-as-a-service (CaaS) is a business model for organized online crime in which threat actors (or “vendors”) offer cyberattack capabilities to customers, often on a subscription basis. Customers find the type of service they want and then pay a subscription fee or some sort of commission, almost always via cryptocurrency to preserve anonymity. 

The emergence of CaaS mirrors the wider adoption of the as-a-service business model in the world of IT. Cloud-based services have become the norm for businesses, where they pay a monthly subscription fee to use apps and computing infrastructure through the cloud. 

CaaS allows hackers with little to no technical knowledge to carry out sophisticated cyberattacks. If cybercrime were a state, it would be the world’s third-largest economy, so many aspiring hackers want a piece of the pie. This greed, along with dramatically reduced entry barriers to cybercrime, explains why cyberattacks grew in volume by 38% in 2022 alone.

The CaaS model also improves efficiency for more skilled cybercriminals. Rather than constantly looking for their next victim and coordinating full attacks, cybercrime-as-a-service vendors can specialize in one type of service. Similarly, experienced hackers can combine their existing knowledge with readily available services that take out a lot of the grunt work that goes into cyberattacks. 

Types of cybercrime-as-a-service 

From dark web marketplaces to invite-only forums to Telegram channels, the booming underground cybercrime ecosystem is vast. Here are some of the main cybercrimes that are offered as a service.

Ransomware-as-a-service (RaaS)

Ransomware is a complex multi-phase cyberattack that generally requires:

  • Gaining access to a target environment via a compromised system or device.
  • Maintaining remote communication with the target via dedicated command and control infrastructure.
  • Escalating privileges to gain administrative permissions on the network.
  • Installing a special type of malware (ransomware) that encrypts multiple files and/or devices and demands a ransom to decrypt them.

This complexity previously deterred those who lacked the expert coding skills required for creating ransomware and the tools to execute these attacks. But ransomware-as-a-service (RaaS) changed the game.

The RaaS model sees technically adept cyber gangs code their own ransomware strain, package it with other useful tools for carrying out successful attacks, and offer this set of tools as a subscription-based service.

Affiliates who subscribe to these services pay either a monthly fee or a commission; the latter is usually a percentage of any ransom that the affiliate manages to extract from target companies.

Aside from drastically lowering entry barriers to what is a lucrative type of cyberattack, the RaaS model also lets its creators stay somewhat out of the spotlight of law enforcement and earn money while not being the perpetrators of the attacks. RaaS operators typically recruit subscribers by posting on dark web forums.

RaaS is a smaller segment of a larger malware-as-a-service (MaaS) model in which hackers can access trojans, viruses, worms, spyware, and other malicious tools for a fee. Some services offer malware for use “off the shelf”. Off-the-shelf malware is available for deployment immediately without any need for customization, so customers can target whomever they want with whatever delivery mechanism they prefer.

Other MaaS services let customers simply pick a target and type of malware, and the vendor then customizes the deployment for a targeted attack on the chosen victim. 

Phishing-as-a-service

Phishing remains an incredibly effective and widespread attack vector. In a phishing attack, hackers send emails that trick victims into taking certain actions, such as revealing login credentials or opening a malicious file.

Phishing techniques range from spammy to sophisticated (the most complex techniques are often referred to as spear phishing), and a successful attack is often the gateway to achieving other nefarious objectives.

The continued success of phishing spawned a niche phishing-as-a-service underground market. In this market, vendors offer phishing “kits” for a subscription fee. Each customer’s phishing kit may contain components like:

  • Email templates.
  • Designs for making convincing fake websites.
  • Dynamically created web addresses for malicious attachments.
  • Customer support.

DDoS-as-a-service

Whether for internal or customer-facing applications, your business likely depends on having servers and other network resources available for end users. A distributed denial of service (DDoS) attack overwhelms targeted resources with a flood of malicious traffic, which disrupts access for legitimate users and often makes the affected service or apps completely inaccessible. 

The large influx of traffic in a DDoS attack comes from a network of computers under the control of an adversary, known as a botnet. Each computer on this botnet is typically infected with malicious software that enables outside control of the device. 

DDoS was one of the earliest types of cybercrime-as-a-service to emerge—a paper published as far back as 2013 warned about the threat of this new business model.

For as little as $20 per month, anyone can anonymously carry out a DDoS attack on a target by essentially renting a botnet that other hackers built. Most DDoS-as-a-service vendors provide an intuitive user interface that allows customers to simply select a target and specify the duration of the attack.

Exploit-as-a-service

The most valuable type of software vulnerability is a zero-day, so-called because the vendor of the software doesn’t know about this weakness and therefore has had zero days to create a working patch that fixes it. Zero-day vulnerabilities often command millions of dollars on the dark web, but making such deals carries a lot of risk for the threat actors selling them.

Exploit-as-a-service is an emerging trend that sees vendors leasing out zero-day vulnerabilities to many customers rather than selling them for exclusive use. While this model is still relatively new compared to other types of cybercrime-as-a-service, it’s worth being aware of the potential for more frequent zero-day exploits.

Defending against cybercrime-as-a-service

CaaS is a business model rather than a type of cyberattack, and combating the threat means getting better at detecting and responding to a near-constant onslaught of attacks.

With would-be cybercriminals having such easy access to sophisticated tools and services, the reality is that some of these attacks will slip by your more reactive defense systems, such as antivirus tools that only detect signatures of known threats.

CaaS offers widespread access to a huge variety of attacks targeting any business and any part of that business's IT infrastructure. So, not only does this business model make cyberattacks more frequent, but it also results in more diversity in the types of cyberattacks encountered and the businesses targeted by buyers of these services. 

Managed detection and response (MDR) combines sophisticated technology and human intelligence to constantly monitor your systems for advanced cyber threats, respond to and triage security incidents, and improve defenses. Expert security analysts help you discover and intercept attacks early before the damage is done. 

Covalence by Field Effect provides end-to-end MDR coverage across your endpoint devices, network, and cloud services.