Dark Reading is part of the Informa Tech Division of Informa PLC



1/13/2020
10:30 AM
Raveed Laeb
Commentary

Will This Be the Year of the Branded Cybercriminal?

Threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts.

All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it's only natural that businesses should become more "professional" — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.

The "Servitization" of the Dark Web
Making money from stolen personal credentials via the Dark Web is pretty much de rigueur for would-be cybercriminals. Yet in the past, this process involved significant effort for the cybercriminal-to-be.

First, criminals needed to code or acquire a Trojan to use for infecting online banking portals or payment systems. Then they'd have to disseminate their malware and infect targets. Following the infection, they'd need to access all infected machines, harvest relevant data, and process it. Only then could they begin cashing out — selling stolen credentials or data via the Dark Web.

This process is now becoming astoundingly less complex — and infinitely more dangerous.

Servitization is the process of shifting from selling products to selling services that provide the outcomes those products deliver. This shift has transformed many above-board business models, and this same process will continue to spread across criminal networks this year and beyond. Today's cybercriminals are already buying and selling services rather than goods in the cybercrime financial ecosystem — and this trend will accelerate.

This means that threat actors no longer need to suffer the complexities of development, infection, extraction, and monetization on their own. Rather, they can use malware-as-a-service (MaaS) — the same malware that was previously sold as a product is now being sold as a business service.

Numerous underground markets have already sprung up around this business model. For example, today there are markets on the Dark Web where cybercriminals can pay a monthly fee for access to an updated dataset maintained by threat actors. There are also pay-per-bot markets, in which buyers can view "bots" — machines infected with banking Trojans — that can conduct services and attain credentials on demand.

The fact that the level of skill required to commit cybercrimes is dropping spells trouble for individual victims and organizations alike. Underground threat actors have learned that they can reach far beyond low-hanging fruit — the credentials that come with an easy cash-out process. We will see an increasing number of threat actors targeting assets with more difficult cash-out processes because servitization can take over the heavy lifting for any given crime.

New Branded Monetization Channels Emerge
Essentially, we're seeing cybercrime evolve into recognizably mainstream business models — and we expect this to accelerate this year.

Cybercriminals will have incentives to invest heavily in their businesses as payoffs continue to grow and enforcement lags. New cybercrime monetization channels continue to emerge — from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access, and more-sophisticated fraud. Drawing inspiration from legitimate online businesses, cybercriminals are increasingly using automation to help move stock off their virtual shelves and collect data to better monetize deliverables, and they will continue to do so.

Moreover, with the commoditization of cybercrime-as-a-service, organizations are naturally seeking differentiation to make their services stand out in a crowded market. Instead of selling services or data listings on an individual basis, threat actors will put more effort into building lasting business-like enterprises — investing more in branding, customer support and even intuitive user interfaces.

The Bottom Line
It's time to recognize that the Dark Web operates just like any other market — supply and demand, clients and suppliers. While it might not be regulated, the market is checked by the invisible hand of cybercrime monetization channels. Given this, threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts. The days of cybercriminals doing the dirty work themselves using homemade or bare-bones tools may well be nearing an end. In 2020, cybercriminals will choose professionally designed tools based on reputation, brand, logo, and even slick marketing material. The era of the branded cybercriminal may well be upon us.

Leveraging over 11 years of expertise in intelligence collection, Raveed Laeb is responsible for leading the product team and intelligence collection platform at KELA. Raveed has in-depth knowledge of threat actors, specializing in the cybercrime financial ecosystem. ...
 

Comments
Raveed Laeb,
User Rank: Author
1/20/2020 | 5:08:45 AM
Re: Like Mad Men for Cybercrime
Thanks Michael.

Much agreed; the vast supply of services and products available for attackers is amazing, and as time passes it only gets more specialized and adapted to cybercriminals' needs.

For me the key point here is actually quite optimistic - as overwhelming as it might feel, these underground markets and service providers are an amazing intelligence collection opportunity. 5 years ago cybercriminals might have been less sophisticated and had less readily available resources, but we defenders now have an ability to tap into the same stream of data and exploit it to our own good.
Michael Mayes,
User Rank: Apprentice
1/16/2020 | 12:39:52 PM
Like Mad Men for Cybercrime
Great article by Raveed Laeb on professional branding by cybercriminals. The recent Maze ransomware RaaS site looks like it was designed by an ad agency, digital black markets offer tools in carding shops that let buyers check the balance and usability of stolen cards, and there are many professionally produced video tutorials to teach script kiddie hackers. The fact so few cybercrimes are fully investigated, let alone prosecuted, means this business will only get more sophisticated and pervasive.