Crime as a Service in a cloud near you

A fascinating, and not a little perturbing, picture of how the cloud services are being exploited by cyber criminals has been uncovered by Raj Semani, VP Chief Technology Officer at McAfee EMEA. The increasingly widespread <Something>-as-a-Service model that can has gained a new, and not so healthy, member – CaaS.

That stands for Crime as a Service, a trend that was unearthed by Semani in his researches for his recently published whitepaper, Cybercrime Exposed.He has discovered that, rather than remain skulking in the shadows, the modern-day cybercriminal often sets up as a small business, offering their skills and capabilities as `services’, in the same way a business might turn to Salesforce.com for CRM or Netsuite for ERP and business management services.

What is more, in amongst a growing army of small businesses and start ups that are exploiting the as-a-service model to help build their businesses, it is not always easy to spot the cybercriminal.  

During his researches, Semani discovered that cybercriminals are business owners in their own right and many are using small business websites to brazenly run their illegal trade – whether that means using SMEs’ unmonitored forums to advertise their illegal activity, directly selling through SME ecommerce sites, or stealing and selling SME’s customer data.

He has already unearthed a number of types of service, many of which are then used by other cybercriminals or those with some other malicious intent.

Research-as-a-Service is a business model where cybercriminals offer services that alert hackers as soon as an application or service becomes vulnerable to an attack - the so-called zero-day vulnerability window. Some of them even trade in specific markets, such as the public sector.  This also includes the sale of customer email addresses, and more esoteric services such as brokering exploits, where the RaaS business acts as the middle man between a hacker with a vulnerability for sale and a cybercriminal with a target in mind, taking a commission along the way.

Crimeware-as-a-Service incorporates the identification and development of the exploits used for the intended attack. This can include professional services such as `applications’ development, where the code developed is for criminal rather than business purposes and the provision of malware such as Trojans, Rootkits and Ransomware. It is even possible rent exploits by the day as a service.

Cybercrime Infrastructure-as-a-Service is much like any IaaS operation,  except that the infrastructure in question is what is necessary to mount an attack, such as the  rental of a network of infected computers under the control of a cybercriminal  that would be needed to carry out a denial-of-service (DoS) attack. For those with more longer term operations in mind, it is even possible to find hosting services that ask no questions.

Perhaps the most complete criminal interpretation of cloud operational models is Hacking-as-a-Service. This is where criminals can bypass all the stages of coding the exploit or buying in the individual components and instead outsource their hacking activity in its entirety.

Semani’s paper makes interesting reading and shows how, as is often the case, the criminal mind is at least as adept at exploit new developments as the smartest business people. The `as-a-Service’ model is already pushing deep into the business psyche as a way of gaining business and operational agility in timescales and costs that make business sense.

Cybercriminals have also noted, however, that they make sense in that marketplace too, which no doubt means that hacking exploits will occur ever-more frequently.