Instead of programming skills, today’s online criminals only need a credit card. They can find out a software package’s vulnerability to a zero-day exploit by purchasing the information on the black market. To find out the password to hack into a mailbox, a criminal only needs to fill out an online form to hire a service provider. In a recent white paper, Raj Samani, CTO at online security company McAfee, and his colleague Francois Paget conclude that “cybercrime as a service” will significantly increase the number of attacks on businesses and private individuals – simply because the availability of such criminal services makes cyber attacks so easy even for the technically untrained.
The two security experts have identified four sectors in the market for criminal online services.
1. Research as a service
If a security researcher or hacker discovers a weakness in a program, he or she can of course report this to the manufacturer. However, he or she can also pass the information on to an intermediary, who could then sell it to government agencies, for example. The McAfee white paper uses the example of an intermediary known as “Grugq.” According to a Forbes report, he was able to sell an iOS exploit for US$ 250,000, taking 15 percent of the total amount himself as commission. According to Samani and Paget, such practices are not illegal. For example, the two researchers also found messages such as the following on the public social network Twitter: “Hi… We’ve found 5 zero-day exploits, now available for auction.” A report on golem.de confirms the findings. Even the US government has purchased weaknesses from hackers via intermediaries. Intermediaries do not necessarily need to know anything about IT, can earn a lot of money, and according to the McAfee authors, are not acting altogether illegally.
Ten million e-mail addresses for $900
The security experts also include the selling of e-mail lists for spam attacks in the “research as a service” category. For an untrained sender of unwanted e-mails, compiling such a list would require a great deal of effort. By contrast, offers such as one allowing a user to purchase 10 million e-mail addresses of people in Florida for less than $900 at the click of a mouse sound much more appealing. Samani and Paget do not provide links to any online shops making such offers, but they do note that spammers are able to choose lists based on specific requests such as gender, occupation, or clients of a specific bank. The price for a list of 700,000 e-mail addresses of doctors based in the USA? $144.34.
2. Crimeware as a service
Why write malicious code if you can hire a professional, albeit shady, programmer to do it for money? This business model of cybercrime as a service isn’t new. The McAfee experts cite the Zotob worm from 2005, which a programmer developed in return for a fee. In addition to customized solutions, criminals can also purchase standard malware such as Trojan horses or “ransomware,” which blocks a user’s computer and demands that they enter their credit card details. Even software to exploit weaknesses can be rented. For example, for the CritX tool, Samani and his co-author found an offer of $150 a day.
The authors also uncovered translation services that translate spam e-mails into the language of the target audience, which at least saves the attacker some of the work. And the same goes for testing viruses. If an attacker who has written his own virus wants to ensure that all his hard work was not for nothing, online services are available that will test the malware against 35 antivirus programs before the planned attack.
Botnet for rent for $570
3. Cybercrime infrastructure as a service
The best-known solution in this market segment of cybercrime as a service is the botnet. The McAfee CTO uncovered a price list for renting the network for sending phishing e-mails. Customers can reserve different levels, including the Bronze level with the following services: DDoS Bot, three months of free updates, and a program for capturing passwords – $570. Looking for an SMTP relay server to send mass e-mails? Also no problem. In the example given in the white paper, a customer can even get help from a live chat service. The only downside: The e-mail volume is capped at 30 million messages a month.
Cybercrime as a service providers overseeing the entire hacking process
4. Hacking as a service
According to the McAfee investigation, the most expensive, yet easiest, method of cybercrime is to pay another party to oversee the entire hacking process. “E-Mail Password Cracking Made Easy” advertises one service provider. The user of the service need do nothing more than enter the e-mail address and name of his victim and pay. Would-be online criminals can even purchase credit card data without giving a second thought to how to get hold of the data. Based on their research, Samani and Paget estimate the price for a Visa card user’s data and PIN in Europe to be $150. Not exactly cheap, but if the cyber criminal exhausts the user’s credit limit in one purchase, his investment has paid off.