Forget Anonymous, or even a high-profile hacker like Weev, famous for exposing a loophole at U.S. mobile giant AT&T. The next hacker eyeing your company as a potential way to cash in could be almost anyone – and they don’t even have to know how to code.
That’s the conclusion drawn from a whitepaper from security solutions provider McAfee Inc., which found that not only is cybercrime becoming more ubiquitous, but also that it’s incredibly easy to access.
When asked what type of methodology he used to write the report, author Raj Samani suggested an experiment. SMB owners can do something as simple as entering “email address” in the search field on eBay, or “buy distributed denial of service (DDoS)” on Google, and access a whole host of vendors who are more than happy to sell a list of email addresses or provide a rootkit that can force a site to shut down.
All of these service providers seem almost legitimate, almost like regular business-to-business operations. That’s led a lot of industry experts to refer to this kind of activity as “cybercrime as-a-service.”
What they’re doing is helping regular people with no technical skills to become hackers – something that’s very lucrative when credit card numbers and other financial data are at stake, said Samani, vice-president and chief technology officer for McAfee EMEA.
“When I was originally considering writing this paper, I kind of said, yeah, but it’s not new,” he said. “But when I started to do some digging, I was kind of like, I can’t believe the breadth of services that are available … Today’s cybercriminal doesn’t require technical expertise. They don’t even need a computer, they can go to an Internet café. All they need is a method to pay.”
He and his co-author, François Paget, were floored to find people interested in delving into cybercrime even have access to chat support services, which provide tips to would-be hackers struggling with technical issues.
“How many other crimes actually give you a customer service helpdesk?” he asked. “My favourite film is Goodfellas and I couldn’t imagine Joe Pesci behind a call centre, giving advice on how to run a money racketeering program. It’s almost to the point where these websites look so professional.”
In the McAfee whitepaper, Samani and Paget outlined four major categories of cybercrime as-a-service: research-as-a-service, crimeware-as-a-service, cybercrime infrastructure-as-a-service and hacking-as-a-service.
For example, with research-as-a-service, there are companies that are not necessarily doing anything illegal in facilitating the sale of zero-day vulnerabilities. But they may pass these on to middlemen called exploit brokers, who then sell them to hackers. One famous example is the Grugq, a go-between who sold exploits to government agencies and facilitated the sale of an Apple iOS exploit, making a neat commission from the sale.
Crimeware-as-a-service gives new hackers the tools to conceal malware from a system’s protection mechanisms, and it also includes any hardware that helps hackers steal information. For example, a hacker might buy a piece of hardware that will help him or her skim cards and steal credit card numbers.
Within the cybercrime infrastructure-as-a-service category, hackers can rent a network of computers to launch DDoS attacks, or use platforms to host malicious content through options like bullet-proof hosting.
The fourth category, hacking-as-a-service, means the whole operation can be outsourced to someone else. While that might cost more than just buying separate pieces of a hacker’s toolkit, it also makes it very easy to commit identity theft.
Given what amounts to a buffet of cybercrime options, with hardly any aspiring hacker starved for choice, businesses need to protect themselves, Samani said. Even an SMB might be tempted to hack into one of its competitors’ systems on the cheap, if services enabling cybercrime are cheap enough, he added.
“The interesting thing is, every story you see on cybercrime – you know, the rise of cybercrime, the rise of intellectual property theft, the rise of credit card fraud, major companies being knocked out by DDoS attacks – this is kind of a foundation for pretty much all of it. This is now being put into the hands of everybody,” he said.
Still, businesses can protect themselves by not clicking links in emails unless they trust the source, by making sure all of their security systems are up to date, and by just using plain old common sense, Samani said.
“Just ask yourself, do I really need to give up this much information? I call it a digital tattoo – once the information is out there, it’s out there for life and is very expensive to remove, and it leaves scars,” he said. “[You need] to apply a degree of common sense.”