Crime-as-a-service: now anyone can commit cybercrimes

Imagine, just for a minute, that one fine day you decide to go crazy and get involved in cybercrime. If it were the beginning of the century, your job would not be easy: first, you would have to delve into a large amount of technical knowledge to learn how to identify vulnerabilities in online systems, design exploits, program malware and, all by yourself, create an email for a phishing campaign that looks convincing enough to fool unsuspecting Internet users.

To the disappointment of security executives, entering the world of virtual deceit has become much easier in recent years. These days, an aspiring cybercriminal doesn't have to go through the process we've described above — they just log into a dedicated forum or community and rent a “ready-to-use kit” to attack as many targets as they want. It may sound bizarre, but we are already catching a glimpse of what many call crime-as-a-service or CaaS.

Any similarity to the concept of software-as-a-service (or SaaS) is no coincidence. Highly organized criminal groups have created entire syndicates and have developed tools and platforms that can be rented to anyone who wants to attack a target or craft a campaign without having to develop something from scratch. Malicious scripts, templates, and ready-made infrastructure are used, and part of the profits is shared with the “big fish” in a simple way.

Who wants malware? Take your pick!

It's hardly necessary to point out how dangerous the increase in CaaS is for the security community. It basically makes entering the world of cybercrime much easier, quickly increasing the number of malicious actors that can harm you. Within this growing sector, ransomware-as-a-service (or RaaS) stands out in particular, and it is often the most profitable offering you can find in the depths of the web.

This black market is currently so popular that organized gangs literally post advertisements on forums recruiting new members to use their strains as they wish, as long as the profits from the ransom are duly passed on to the "board". We can mention a number of famous ransomware gangs that operate this way, such as Philadelphia, REvil, Circus Spider, Netwalker, and so on. And best of all — for the aspiring criminal, of course — is that no upfront investment is required.

Obviously, ransomware scripts are a great example of CaaS, but they’re not the only ones. It's also easy to find ready-made phishing emails, command and control (C&C) servers available for free use, fake pages from famous e-commerce stores, and even entire botnets, if your goal is to organize a distributed denial-of-service (DDoS) attack. CaaS can be considered one of the main reasons for the recent increase in the number of cybercriminal activities around the world.

Automation of theft

At this point, you might already be thinking: after all, what do developers of these tools and maintainers of this infrastructure gain from this? Well, a lot. First, they do not have to deal with the “frontline” of cybercrime, remaining hidden and taking fewer risks when carrying out cyberattacks. At the same time, however, they continue to profit in an automated way. In other words: less exposure and more money coming into their accounts.

In the end, CaaS has the same goal as cybercrime in general: to turn a profit in the simplest, fastest, and most practical way possible. That's why it's now more important than ever to invest in good cybersecurity habits.