With cybercrime-as-a-service opening the door to anyone wanting to make a quick buck, organisations have to worry about amateur attackers as well as seasoned professionals. With hacking tools available on the dark Web for only a few hundred dollars, the enterprise faces more threats than ever before.
“Today’s cyber criminal doesn’t need to be a technical wizard,” says Simon Campbell-Young, MD of Credence Security. “All he needs is a few hundred dollars and a computer. A recent report by Armor revealed that the dark market is riddled with tools and services that can be used to commit various attacks. For example, it costs as little as $10 an hour for a DDoS attack, and around $200 for spam for hire.”
Users can purchase remote access to compromised PCs for around $13 a month, and can rent an exploit kit for $80 per day or $500 a week. “Even more alarming is how some cyber criminal groups now offer updates and troubleshooting for their tools, a criminal version of customer support.”
He says ransomware attacks, a scourge that has soared in popularity over the last year, can also be committed by those with little to no technical savvy. “Ransomware kits are available to rent from around $1000 a month, which may seem steep – but the return on investment can be several hundred times higher than that. Some criminals even let buyers test out the product for a day or two to see if they like it first.”
In fact, he suggests that the growth of ransomware-as-a-service (RaaS) is one of the drivers behind the massive spike in ransomware attacks over the last year. “The ease of which anyone can buy a ransomware kit is cause for concern, and explains why so many individuals are doing it. Not only is it practically money for jam, with a small investment seeing a potentially massive profit, there’s the added attraction that people have the perception that you’re not really physically stealing anything. These attacks are distant enough from the victim, it’s almost a ‘passive’ crime, that makes it easier for people who wouldn’t normally steal to carry out.
And this is just the tip of the iceberg, he says. “You name it, the dark market has it for sale. Stolen credit cards and personal data, hacked social media profiles, airline reward points, even passports from foreign countries are freely available. Illegal businesses on the dark Web sell every possible tool of the trade, enabling anyone to launch a cyber attack.”
Security leaders are worrying about cyber espionage, and state-sponsored attacks, but they need to understand that sophisticated attackers are making a career out of bringing organisations to their knees, he adds. “Although nation-state attackers are very well funded and determined, they have specific targets in mind. A very real danger comes from the crime-as-a-service business, that not only sells tools to anyone with the cash, they are available for hire, and could potentially take out any business in their cross hairs.”
Companies must practice good cyber-hygiene, as well as engage with their peers to anticipate what the dark market will come up with next, Campbell-Young says. “As quickly as the bad guys invent a new tool or services, security practitioners need to develop new defences. It’s no good just monitoring the threat landscape, the industry needs to work together to anticipate the next moves.”
From an enterprise security point of view, the actual threats remain the same, but the number of people involved with them is growing exponentially, he concludes.