What if anyone could access cybercrime? Few know it yet, but this catastrophic scenario is already a reality. This is the promise of “cybercrime as a service”, that is, turnkey offerings sold on the “dark web” (the underground web) by cybercriminal organizations. This democratization of cybercrime even partly explains the current explosion of cyberattacks, Guillaume Poupard, director of the National Information Systems Security Agency (Anssi), told La Tribune.
In fact, cybercrime has in recent years become a real economic sector, one that has adopted, for the worse, the workings of the software industry.
The “SaaS” model adapted to cybercrime
To understand how “CaaS” (cybercrime as a service) works, we must first understand SaaS (software-as-a-service), the economic model that has been dominant in the software industry since the early 2010s. This model is based on a paradigm shift from ownership to use. Before the digital revolution, software companies sold a physical product; since then, they market its turnkey use.
One of the most symbolic examples of this change is Office, the famous Microsoft office suite (Word, Excel, PowerPoint…). For two decades, customers had to pay up front for a license, in the form of a key that allowed them to activate the software package on their computer. But in 2011, Microsoft released Office 365, an online and therefore more flexible version of its product. To obtain it, customers subscribe by the month or by the year, with maintenance (bug fixes and updates) guaranteed and carried out by the publisher itself. In short: all problems are managed by the company, and the customer only has to enjoy the product… which they no longer own.
Companies from all sectors have adapted this service model: today we speak of “platform-as-a-service”, “mobility-as-a-service” or even “infrastructure-as-a-service”. But also of “cybercrime as a service”.
From botnets to phishing to ransomware, cybercrime is a business like any other
Because yes, the cybercriminal world has not escaped this shift in usage. Instead of selling malicious products, which are sometimes difficult for buyers to exploit, a large number of criminals now offer them as services. The phenomenon has become so popular that the Ministry of the Interior's report on “the state of the digital threat in 2019” mentioned the term “cybercrime as a service” (CaaS) for the second consecutive year.
In its text, the government insisted on the main problem posed by the popularization of the “CaaS” model. Specifically, it allows anyone who is willing to spend a little money to launch a cyberattack, whereas before it was necessary to have a minimum of technical knowledge. “Now it is enough to pay a ‘service provider’ to activate its network of infected machines for your benefit,” the report's authors note. Very simple, but devastating.
Originally, the service model came mainly to support the activity of “botnets”, groups of thousands of infected machines capable of acting in unison under the orders of the same operator. For a few hundred dollars, a person could rent the attack capacity of one of them. Botnets are used in particular for denial of service (or DDoS) attacks, which bring down victims’ sites or applications by overloading them with requests.
But today, the “as-a-service” model is available for all cyberattacks: phishing, ransomware, malware distribution… Some even offer additional services such as hosting malicious sites or laundering bitcoins (services called “mixers”).
“‘Cybercrime as a service’ operations have significantly lowered the barrier to entry for new criminals, who can now simply purchase a service rather than learn to commit a cybercrime,” says Derek Manky, director of the Fortinet research laboratory, in an article published in 2020.
No more technical barriers to launching cyber attacks
The latest notable example of this evolution in the cybercriminal offering: on September 21, Microsoft’s security team released a rare report on a “phishing-as-a-service” operation, dubbed “BulletProofLink.” Phishing could be considered the most basic form of cybercrime, because it is relatively unspecific: it consists of sending a fraudulent message in order to trick its targets into giving out personal information. Above all, criminals use it to steal credentials or bank details.
Before, people interested in this malicious activity had two options:
- Develop their own templates for malicious sites and emails, and launch the campaign themselves. In other words, they had to have some development skills in addition to knowing how to run a campaign.
- Buy a “phishing kit”, for a few tens of dollars, with email templates and sites pre-designed by competent people. While this product opened the door to cybercrime for people unable to develop their own templates, they still had to learn how to configure the phishing site, organize the sending of emails and manage the recovery of stolen information. Sometimes without success, which is why many phishing attempts look crude.
With its PaaS model [phishing as a service, editor's note], BulletProofLink offers a third option. In exchange for a subscription payment, the organization takes care of the entire phishing value chain: from the creation of imitation emails and sites to the recovery of the victims' passwords, including the sending of emails and the management of the site.
In other words, the client only has to pay and choose their target, and they will receive the stolen credentials if the attack is successful. All with personalized support.
Ransomware, the last nail in cybercrime as a service
But if the concept of “cybercrime as a service” is gaining more and more attention, it is mostly because of the appalling rise of ransomware gangs since 2017. All major groups operate on a “ransomware-as-a-service” (or RaaS) model, with activity split across two levels.
At the heart of the organization are the “operators”, who design and maintain the malware. They also manage the gang’s communication on cybercriminal networks, as well as with victims, and are responsible for recruiting outsiders, the “affiliates.”
The second link in the chain, the affiliates, can be compared to the self-employed. They go through a selection process, more or less demanding depending on the organization, to obtain the right to use the ransomware developed by the operators. It is up to them to find the best methods to infect victims, even if the operators sometimes offer some tools in addition to the ransomware.
Affiliates expose themselves in place of the operators: in case of failure, the authorities will trace back to them first. But if the attack succeeds, it is the jackpot: if the victim ends up paying the ransom, the affiliate responsible for the attack will receive between 70% and 80% of the amount from the operators, who take care of the negotiation.
The RaaS model protects operators, but not controlling their entire value chain can cost them dearly. If a clumsy affiliate attacks the wrong target, for example critical infrastructure like Colonial Pipeline's pipelines, and incurs the ire of the highest authorities, the police will not distinguish between the gang and its partner. This is how the DarkSide gang retired early, without it being known whether the authorities caught up with its members or whether they disappeared first.
However, on a larger scale, cybercrime as a service promotes the development of cybercrime activities:
“This new economic model has led to an industrialization of cybercrime. It allows a specialization of talents and a division of labor within organizations, which makes them more efficient and profitable,” concludes Derek Manky in his research article.
In other words, cybercriminals can spend more time developing their malware, as well as attracting more and more customers.