Pub. 4 2016 Issue 1

www.uba.org 8 Crime-as-a-Service = Hackers for Hire The Evolution of Cybercrime Close your eyes for one second and picture in your mind a “hacker.” What does he or she look like in your mind? Most people picture a 15-year old kid in his parent’s basement; it’s dark; he’s drinking a 2-liter of soda, eating a bowl of cheese puffs, and he’s “hacking the planet.” Sound about right? The scary truth is that this is very far from reality in today’s world. Most “hackers” are just like you and me. Hacking has evolved from kids trying to figure out how the internet works to an everyday business. Cybercrime, as it’s referred to these days, simply involves folks trying to obtain two (2) things – information or money – from others in order to make more money and grow their business. Not so long ago, cybercrime used to require bad guys with great technical knowledge in order to break into networks and steal data or money without getting caught. However, times have changed, and as the economy of cybercrime continues to grow, the majority of attacks have become automated. Criminals are creating software that makes many of the attacks they perform as easy as simply clicking a few buttons, meaning that the technical expertise once required to be a “hacker” is no longer a job-requirement. In a lot of cases, bad guys will even allow you to sign up for a “service” they provide, such By Jon Waldman, Partner, Senior Information Security Consultant - Security Banking Solutions, LLC as a DDoS attack or sending out phishing emails, rather than having to do it your- self. This is what the industry refers to as “crime-as-a-service.” What is Crime-as-a-Service? Have you ever wanted to perform a Distributed Denial of Service attack on another organization, but didn’t know where to start? Instead of spending your time learning the particulars of how a DDoS works, you can simply find a DDoS provider and pay them to perform the attack on your behalf! There are all kinds of ancillary benefits to using this type of service – from additional anonymity, to better attack-resources, to time-and-cost savings to you. What’s better than that? Crime-as-a-service can be defined as the practice of facilitating illegal activities for cybercriminals through the provisioning of services. While crime-as-a-service has been around for a while, it has been gaining in popularity, as evidenced by a host of new “services” being made readily available for anyone with a malicious agenda to conduct quickly and easily. New Types of Crime-as-a-Service Brian Krebs (www.krebsonsecurity.com ) is a very well-known computer security blogger with deep ties to the underground cybercrime community. Krebs reports frequently on the newest and latest attacks and types of fraud hitting the internet, and crime-as-a-service is no exception. Some of the most recent forms of cyber- crime to be turned into crime-as-a-service include online dating scams, ransomware, warranty fraud, reshipping, and call cen- ters. Online dating is extremely popular, and nearly everyone knows or has heard a sto- ry about someone being the victim of an online dating scam. Online dating scams statistically prey on lonely men via online dating websites or spam email campaigns. Crime-as-a-service automates these attacks by giving the “customer” the option of dif- ferent packages that include standard text, hundreds of email templates, and advice for tricking the victim into sending money to the “customer” via wire transfer. The vendor of this service advertises a response rate of 1.2%, and that “customers” who send at least 30 scams a day can make roughly $2000 per week. Ransomware is another popular attack that is becoming easier to automate