Organized Cybercrime: Cybercrime as a Service

In the old game of cat and mouse between cybersecurity and cybercrime, it all comes down to who can come up with a smart move. Cybercriminals often take advantage of good ideas from IT or security to massively expand their machinations: cybercrime as a service.

During 2022, the major cybercrime groups built an entire ecosystem of services for well-funded criminals and other cronies that, as far as we know today and much to the chagrin of victims, is well organized. What's more, the as-a-service approach to cybercrime means that comparatively inexperienced cybercrooks have effective attack tools at their disposal that they would not be able to use without these services.

The many forms of cybercrime as a service

Access as a Service

Access to compromised accounts and systems is sold individually or in bulk via underground services, including Remote Desktop Protocol (RDP) and VPN credentials, accounts, databases, web shells, and exploitable vulnerabilities.

Malware Distribution/Spreading as a Service

This means spreading malware in specific regions or sectors, or even on a broad scale. In the offers that the Sophos X-Ops team has seen for such services, it is not always clear which strategy was used. But possible attack vectors include watering hole attacks, exploitation of vulnerabilities, or a combination with AaaS (Access-as-a-Service) offerings.

Phishing as a Service

These are threat actors that offer an end-to-end service for phishing campaigns, including cloned websites, hosting, specially crafted emails to bypass spam filters, and panels to monitor the results.

OPSEC as a Service

Sophos X-Ops saw this service offered in a criminal forum together with Cobalt Strike. The seller offers to support prospective buyers with an OPSEC (Operations Security) service, which can either be set up once or subscribed to monthly, and is designed to hide Cobalt Strike infections and minimize the risk of detection and attribution.

Crypting as a Service

This is a common service available for purchase on many forums. It encrypts the malware in such a way that it cannot be detected, especially by Windows Defender and SmartScreen, and to a lesser extent by traditional antivirus products. In one example, the service was priced at $75 for one-time use, or $300 for a one-month subscription that included unlimited use of the service.

Scamming as a Service

The Sophos X-Ops team saw some examples of "scamming kits", particularly related to cryptocurrency scams, being promoted on criminal forums. It wasn't always clear what exactly was being sold, but one ad offered a ready-made "Elon Musk Giveaway BTC Scampage" for $450. This is a popular scam on Twitter and has even made the rounds in a fake video.

Vishing as a Service

This is a voice phishing ("vishing") service where a threat actor offers to rent out a voice system to take calls. It comes with an "AI system", so the renter can choose to have their victims talk to a bot instead of a human.

Spamming as a Service

Spamming-as-a-Service is an old favorite but still prevalent on criminal forums. It offers bulk spamming through a variety of mechanisms including SMS and email. In some cases, the cyber criminals offer to set up the entire infrastructure from scratch; in other cases, they operate the infrastructure and use it to send custom spam messages.

Scanning as a Service

This criminal service gives users access to a range of legitimate commercial tools, including Metasploit, Invicti, Burp Suite, Cobalt Strike, and Brute Ratel, to find (and presumably exploit) vulnerabilities. According to research by Sophos X-Ops, the entire infrastructure is apparently built and maintained by the vendor, who claims elsewhere that "you just have to wait for the scan result in the mailbox".

Is that all? Hardly!

For 2023 and beyond, the professionalization of cybercrime can be expected to continue. The industrialization of ransomware has already enabled the evolution of ransomware "affiliates" into more professional, specialized exploitation companies. Because they use professional, offensive cybercrime-as-a-service offerings, cybercriminals can no longer be clearly associated with specific ransomware operations, state-organized espionage or other specific motives. The professionalized groups have specialized in giving all motivated actors who are willing to pay access to criminal activities.

In many ways, these groups have mimicked the business models of the cloud and web services industries. Much like how enterprise IT departments have adopted the "as-a-service" model for more and more operations, today almost every aspect of cybercrime can be outsourced to "crime-as-a-service" providers as well, and the trend is rising. More on this in the Sophos Threat Report 2023.
