What is CaaS?
Put simply, Cybercrime as a Service (CaaS) means black hat hackers for hire.
Now, any ex-employee with a grudge, any disgruntled customer, any troubled ex-partner, or vindictive competitor, literally anyone with the right browser, can hire a dark web bad actor to perform fraud-as-a-service, attacks-as-a-service, social account takeover, or malware-as-a-service for the price of a toasted artisanal sandwich and a large caffè latte.
We took a look around, at official reports and via the dark web, to see how much it would cost to have a black market hacker conduct digital dirty work on our behalf. We have chosen not to provide links to the examples we found, to avoid ease of direct access to these criminal services.
Bots for everyone
A targeted distributed denial of service (DDoS) attack from multiple sources, which takes down a specific website or slows it down by flooding the network, server, or application with fake traffic, can cost as little as $5 for a five-minute attack. For under $500 (enough to overwhelm most business-sized servers), anyone seeking revenge, conducting blackmail, wanting to hobble a competitor, or acting for the purposes of protest or generic hacktivism can pay to block legitimate users from a site for 24 hours. The cost of this in direct sales, security team hours, and reputation can be catastrophic, especially if the attack is conducted at peak times.
Access to someone else’s social media accounts (or indeed to a person’s own, if they have been hacked themselves or mislaid their passwords) seems to be a popular and common service offered on the dark web, covering Facebook, Instagram, WeChat, TikTok, Twitter, or even Gmail account takeover. Bad actors are offering this, within 24 hours, for a mere $300. Considering the emotional stress and disruption a hack on social accounts can cause, and the personal information that would then be available to others, this is a terrifying call for strong passwords, good personal security, and the use of a password manager at home and at work.
Playing private detective
While legitimate services for background screening and personal investigation exist, like HooAreYou or CheckMate used in recruitment and for security screening purposes, intelligence reports are also offered on the dark web.
These black hat services, offered for around $120, offer a less subtle, less legal, and more intrusive look into a person’s background and digital activity, even offering information like bank balances and lists of recent purchases. If a curious party wants to follow someone else’s digital journey, and their footprint in the real world, they can do so easily by recruiting a skilled “someone” with access to a few select pieces of software and a portfolio of phishing tactics. Some of the same hackers are also offering to locate specific people based on their digital and financial activity, for only $140.
To put this in context, a private detective in the US would cost between $99 and $150 per hour.
If you want loyalty…
If you can buy digital currencies – Bitcoin, Ethereum, or whatever cryptocurrency the black hat hacker for hire accepts – you can buy stolen loyalty points.
This is extremely worrying for loyalty point service providers and associated industries like aviation, eCommerce, and gaming. Costs for this service seem to depend on the number of points someone wishes to buy. 50,000 loyalty points from an online gaming platform can cost as little as $12, while 200,000 frequent flyer miles (easily Los Angeles to New York, economy class) could be as little as $60. These are automatically siphoned from users’ accounts using account takeover tactics, through bulk lists of email addresses and passwords which are available for sale for mere cents via dark web forums. For the hackers offering these services, this is apparently as “simple as a few clicks.”
For $1,500 to $2,500, in dark web forums, some nefarious individuals are offering targeted attacks on “Anyone you want” and claiming they will “wipe them out” (digitally). This includes the infiltration and/or closure of social media accounts, bank accounts, and eCommerce accounts. They promise to create “total chaos” and to “shut down their lives.”
One might suggest, however, that anyone asking for “$1,500 up front” in cryptocurrency to perform this kind of service is the last person who could be trusted to carry this sort of work out. Also, as with any of these services, there is the very real possibility that this is a law enforcement honeypot to snag the unwary. Taking part in illegal activities like this is not free of risk for the person doing the hiring, even if hidden behind the anonymity of the dark web and cryptocurrency payments.
Eavesdropping on devices
There have been numerous scandals and public court cases over the last decade where individuals have been accused of hacking into the phones of celebrities, lawmakers, royalty, and even the victims of crimes to get the “scoop” on a news story.
By tricking people into installing phony applications, making them click on infected links, or using phishing tactics, bad actors are offering to install spyware (keyloggers and Trojans) on a person’s phone for as little as $200. Cost seems to vary, however, depending upon whose device you wish to gain access to, whether you want full access or just call logs and SMS records, what carrier they are using, and whether you can get possession of the phone long enough for software to be installed. Simple SIM card swapping can be done for as little as £30, but this means that the target no longer has control of their phone and current communications would not be monitored.
Not just used to steal photographs or eavesdrop on private messaging, this sort of intrusion could also be weaponized to read corporate emails or capture account passwords. With many SMEs (on which 50% of all cyber-attacks are conducted) taking a “bring your own device” (BYOD) approach to phones and smart devices, more employees could be using potentially vulnerable devices to access organizational information.
Growth in activity
These are just a few examples we saw of the growing underground economy based on cybercrime as a service, funded by untraceable digital currencies, and a product of the availability of hacking tools and botnet rental operations. With a plethora of hacker training courses and facilities now accessible on the dark web for any would-be bad actor looking to exploit an open market, there has been an unsurprising growth in this unlawful industry over the past few years. Less nefarious services are also readily available, with penetration testing available by the hour on the likes of Fiverr, “researcher” contact lists existing on forums for data journalism, and communities of rated gray-hat operators who will happily scrape web data for you.
With increased media publicity around the dark web, greater access to digital currencies, cybercrime as a service appearing more frequently in popular culture, and the rise in the number of dark web bad actors, this all makes for worrying reading. When anyone with an axe to grind or point to prove can download Tor, load up a Bitcoin wallet, and then (within an hour) recruit criminals to conduct illegal activity on their behalf, prevention is always going to be better than cure.
Cybercrime is cheaper than cybersecurity, though the results can be incalculable for business and reputation. In the modern digital world, cyber security readiness is critical for organizations, and a security-minded approach is essential now and for individuals in the future.