Companies deal with a variety of risks to their business operations every single day, but there is a new threat originating in the Dark Web that they cannot afford to overlook: “crime-as-a-service,” or CaaS.
Crime-as-a-service is when a professional criminal or group of criminals develops advanced tools, “kits” and other packaged services, which are then offered for sale or rent to other criminals who are usually less experienced. This is having a powerful effect on the world of crime, and cybercrime in particular, because it lowers the bar for inexperienced actors to launch sophisticated cyber attacks and scams. In 2017, Europol released a new study that flagged CaaS as a major facilitator of serious online crimes, as well as traditional crimes like illegal weapons sales.
This evolution in the world of cybercrime also coincides with a shift in the types of businesses that are being targeted. When people think of data breaches, they usually think of big corporate victims like Yahoo, Target and Home Depot. However, the reality is that cybercriminals are increasingly targeting small businesses over enterprises, because a small business can’t afford to spend what a large corporation does on cybersecurity.
According to a 2016 study by the Ponemon Institute, half of all small businesses in the U.S. have been breached by hackers. They are also the top target for “spear-phishing,” or targeted fake email attacks, which have more than doubled since 2011. CaaS is a major contributing factor to the rise of these attacks on small businesses.
It’s important to understand that crime-as-a-service is not some minor new trend in hacking. It is a game changer, particularly for small businesses. Because of CaaS, future online attacks will be harder to detect and harder to prevent; there will be far more of them, and they will be considerably more expensive to clean up than they have been in years past.
Here are five popular CaaS offerings on the Dark Web that are most likely to impact small businesses:
1. Phishing kits
Email attacks consistently rank at the top of the list when it comes to small business cyber threats. It used to be fairly easy to spot a fake email, as these scams were often riddled with spelling mistakes and bad English. Today, however, that is no longer the case. Professional “phishing kits” are now available online which are very good at helping criminals impersonate legitimate organizations like banks and the IRS. These kits may come with pre-written form letters which imitate the language, format and logos of real organizations; fake web pages to solicit the victim’s information; “crimeware” that automates the theft of online credentials; spamming software and more.
Security tip: Use a malware detection service with anti-phishing support and consider “whitelisting” key operators in the company so they will only receive email from approved contacts. Security awareness training is also important.
2. Exploit kits
There is an abundance of software vulnerabilities out in the wild, but it takes skill to use them. For this reason, professional hackers sell “exploit kits” online (such as RIG, Neutrino and Sundown/Nebula) that incorporate these vulnerabilities into a ready-made hacking tool or set of tools that makes it easier for a criminal to break into a company’s network and/or infect it with malware.
Security tip: Make sure all software is updated regularly. Additionally, check the company’s website and network using a vulnerability scanning service.
3. Malware kits
Worms, Trojans and viruses are the crown jewel of any attacker’s toolkit. But developing “good” malware requires solid expertise, which not many cybercriminals have. Today, however, anyone can go onto the Dark Web and buy malware and malware kits, which they can use as-is or customize for specific targets. These online offerings even come with antivirus evasion (i.e., they hide or alter the malware’s “signature” in order to prevent detection by an AV product) and customer support. Ransomware is extremely popular today, but there are plenty of other dangerous products up for sale, including banking Trojans, remote access Trojans (RATs), keyloggers and mobile malware.
Security tip: Assume your business will get infected with malware and plan accordingly. Have an outbound firewall in place to prevent malware from “phoning home” to the attacker. Segregate the network so malware can’t spread easily. Back up data regularly in case of loss. Use two-factor authentication for all online accounts.
4. Criminal phone banks
As the name implies, this is a service in which criminals have created their own call center operation that can be rented out to other criminals. These are usually operated over VoIP lines in order to conceal their true location and make it easier to spoof phone numbers and impersonate legitimate organizations. They may even use “soundtracks” to imitate the background noises of a busy call center or office, and provide operators with specific accents. A criminal might rent a call center to support a phishing email campaign (“Call this number for assistance with your IRS claim”), or to social engineer an office employee or impersonate a company official to fool a bank.
Security tip: Establish clear policies for employees about sharing sensitive information via phone, especially with respect to financial transactions.
5. DDoS botnet services
Distributed denial-of-service (DDoS) attacks can be crippling to any business, as they can knock out websites, customer portals, email service and network connectivity. In the past few years, they have also become exponentially more powerful, due to methods like DNS amplification and NTP amplification attacks. It’s estimated that 73 percent of global brands and organizations are hit by DDoS attacks every year, and many are the victims of repeated attacks. Criminals used to have to build up their own “botnet” containing thousands of infected computers in order to launch these attacks, but now all they have to do is rent a botnet service online.
Security tip: Consider hiring a DDoS mitigation service to protect your website.
The importance of planning ahead
Crime-as-a-service will increase the risks of financial fraud, cyber extortion and data theft for all types of businesses, but smaller companies are at the greatest risk. For this reason, it is essential for business owners to create a “defense in depth” approach that focuses equally on preventive security and post-breach containment. The latter is especially important because no business will be able to prevent every cyber attack. By planning ahead for a network breach, the company can minimize the damage.