Cyberattacks Spike, Thanks to Crimeware Services

Dark-web opportunists are creating do-it-yourself hacking kits. This is what your enterprise can do to thwart them.


A few years ago, an amateur developer came up with a brilliant cyberattack scheme. He created Tox, a ransomware service that offered its toolkit for free on the dark web, provided its creator got a 20 percent cut of every ransom it collected. Tox was a loophole of sorts for any upstart criminal who had the drive to dabble in cybertheft but lacked the skills to write the necessary software. In turn, its creator simply had to keep the platform working, sit back, and cash in. McAfee got wind of Tox, and its popularity ballooned in the wake of the exposure.

“It didn’t take long before the platform counted over one thousand users and recorded over one thousand infections,” wrote ZDNet of the crimeware, “with an average of more than two hundred polling viruses per half-hour.” Tox shut down because of this sudden demand, which overwhelmed its creator, who turned out to be a teenager.

Tox has since come to be recognized as one of the highest-profile “Crimeware as a Service” (CaaS) offerings. CaaS is a burgeoning, entrepreneurial market of do-it-yourself hacking kits on the dark web that opens data-breach opportunities to a new demographic of criminals while exposing enterprises to countless more attacks. The lesson for enterprises is that threat visibility is no longer merely important; it is non-negotiable, because cybercrime has grown into a bona fide ecosystem. The same trend is driving interest in the emerging field of advanced security-analytics platforms, which are architected for visibility, velocity, and precision (that is, for eliminating alert fatigue).

It is imperative to find a security solution that can keep up with the speed and ease with which CaaS offerings evolve. Late last year, a hacker advertised that the Mirai botnet, which boasts more than 400,000 infected bots, was available for rent (see screenshot, below). Bleeping Computer reported that it “targets embedded systems and Internet of Things devices and has been used in the past two months to launch the largest DDoS attacks known to date.” The hacker, who goes by BestBuy, told the publication that the price is determined by the number of bots used, how long a customer would like an attack to last, and its “cooldown time,” or the interval between DDoS attacks.

Image courtesy of Bleeping Computer

Earlier this month, a U.S. District Court judge sentenced a Russian hacker to five years in prison for designing and selling the Citadel banking trojan. A true businessman, he even crowdsourced tech support and provided an online bug-reporting system for complaints. All told, Citadel is said to be responsible for more than $500 million in losses.

Meanwhile, SC Magazine reports that a new breed of CaaS products, such as the Emotet banking Trojan, incorporates successful components of the WannaCry and Petya malware. Dark Reading also reports that the Shadow Brokers, the group responsible for stealing the NSA data that begat WannaCry, are getting into the CaaS business: for $23K a month, clients get “a new monthly data-dump service…to access exploits, zero-days, and hacking tools stolen from the U.S. government.” The publication goes on to explain that there are now “modularized” black-market products, too, such as DiamondFox, that offer key-logging, password-stealing, and DDoS attack capabilities.

Most CaaS attacks hinge on social engineering, that is, on manipulating human behavior. This is why analytics-based security, which first baselines normal behavior and then looks for anomalies against that baseline, transforms how an enterprise is safeguarded: you cannot prevent every attack, but you can stop one in the act.
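To make the "baseline, then look for anomalies" idea concrete, here is a small worked example. It is added for illustration and is not code from the article or from any analytics product it alludes to; the log format, the field names, and the sample log lines are all constructed for the example. It builds a per-user profile (source country, hosts touched, active hours, bytes transferred) from a week of "normal" logins, then scores new events against that profile, which is the kind of check that catches a phished account being used from a new country at 3 a.m. to pull far more data than usual.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format (not a real product's): one line per session.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>[A-Z]{2}) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed "known good" week used to build the baseline.
BASELINE_LOG = """\
2017-07-03T09:12:44Z user=alice src=US host=fileshare01 bytes=1200
2017-07-03T10:05:10Z user=alice src=US host=crm01 bytes=800
2017-07-04T09:40:02Z user=alice src=US host=fileshare01 bytes=1500
2017-07-05T11:22:31Z user=alice src=US host=crm01 bytes=900
2017-07-06T08:58:17Z user=alice src=US host=fileshare01 bytes=1100
2017-07-03T14:01:00Z user=bob src=DE host=build01 bytes=5000
2017-07-04T15:30:45Z user=bob src=DE host=build01 bytes=4800
2017-07-05T13:12:09Z user=bob src=DE host=git01 bytes=6000
"""

# Constructed new activity to score; the second alice line is the "attack".
NEW_LOG = """\
2017-07-10T09:30:00Z user=alice src=US host=crm01 bytes=1000
2017-07-10T03:14:07Z user=alice src=RO host=fileshare01 bytes=48000
2017-07-10T14:20:00Z user=bob src=DE host=git01 bytes=5200
2017-07-10T14:25:00Z user=carol src=US host=hr01 bytes=300
"""


def parse(log):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": d["ts"], "hour": int(d["hour"]), "user": d["user"],
                       "src": d["src"], "host": d["host"], "bytes": int(d["bytes"])})
    return events


def build_baseline(events):
    """Per-user profile: where they log in from, what they touch, when, how much."""
    prof = defaultdict(lambda: {"src": set(), "hosts": set(), "hours": set(), "bytes": []})
    for e in events:
        p = prof[e["user"]]
        p["src"].add(e["src"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["hour"])
        p["bytes"].append(e["bytes"])
    return dict(prof)


def score(baseline, e, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline ([] if none)."""
    p = baseline.get(e["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if e["src"] not in p["src"]:
        reasons.append(f"new source country {e['src']}")
    if e["host"] not in p["hosts"]:
        reasons.append(f"new host {e['host']}")
    # allow one hour of slack either side of the hours the user has been seen
    if not any(abs(e["hour"] - h) <= 1 for h in p["hours"]):
        reasons.append(f"unusual hour {e['hour']:02d}Z")
    mu, sigma = mean(p["bytes"]), pstdev(p["bytes"])
    # a flat baseline (sigma == 0) would make every z-score infinite, so fall
    # back to a simple multiple of the mean in that case
    if (sigma > 0 and (e["bytes"] - mu) / sigma > z_threshold) or (sigma == 0 and e["bytes"] > 3 * mu):
        reasons.append(f"volume {e['bytes']} bytes vs baseline mean {mu:.0f}")
    return reasons


def detect(baseline, events):
    """Return (event, reasons) for every event that deviates from its baseline."""
    return [(e, r) for e in events if (r := score(baseline, e))]


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for e, reasons in detect(base, parse(NEW_LOG)):
        print(f"{e['ts']} {e['user']}: " + "; ".join(reasons))
```

Two design points are worth noting. A user with no baseline at all (carol above) is flagged rather than silently accepted, because "never seen before" is itself a signal. And the volume check guards against a zero-variance baseline, which is common for service accounts and would otherwise turn every byte over the mean into an infinite z-score and generate exactly the alert fatigue the article warns about.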