Dark Reading is part of the Informa Tech Division of Informa PLC

1/13/2020
10:30 AM
Raveed Laeb
Commentary

Will This Be the Year of the Branded Cybercriminal?

Threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts.

All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it's only natural that businesses should become more "professional" — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.

The "Servitization" of the Dark Web
Making money from stolen personal credentials via the Dark Web is pretty much de rigueur for would-be cybercriminals. Yet in the past, this process involved significant effort for the cybercriminal-to-be.

First, criminals needed to code or acquire a Trojan to use for infecting online banking portals or payment systems. Then they'd have to disseminate their malware and infect targets. Following the infection, they'd need to access all infected machines, harvest relevant data, and process it. Only then could they begin cashing out — selling stolen credentials or data via the Dark Web.

This process is now becoming astoundingly less complex — and infinitely more dangerous.

Servitization is the process of shifting from selling products to selling services that provide the outcomes those products deliver. This shift has transformed many above-board business models, and this same process will continue to spread across criminal networks this year and beyond. Today's cybercriminals are already buying and selling services rather than goods in the cybercrime financial ecosystem — and this trend will accelerate.

This means that threat actors no longer need to suffer the complexities of development, infection, extraction, and monetization on their own. Rather, they can use malware-as-a-service (MaaS) — the same malware that was previously sold as a product is now being sold as a business service.

Numerous underground markets have already sprung up around this business model. For example, today there are markets on the Dark Web where cybercriminals can pay a monthly fee for access to an updated dataset maintained by threat actors. There are also pay-per-bot markets, in which buyers can view "bots" — machines infected with banking Trojans — that can conduct services and attain credentials on demand.

The fact that the level of skill required to commit cybercrimes is dropping spells trouble for individual victims and organizations alike. Underground threat actors have learned that they can reach far beyond low-hanging fruit — the credentials that come with an easy cash-out process. We will see an increasing number of threat actors targeting assets with more difficult cash-out processes because servitization can take over the heavy lifting for any given crime.

New Branded Monetization Channels Emerge
Essentially, we're seeing cybercrime evolve into recognizably mainstream business models — and we expect this to accelerate this year.

Cybercriminals will have incentives to invest heavily in their businesses as payoffs continue to grow and enforcement lags. New cybercrime monetization channels continue to emerge — from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access, and more-sophisticated fraud. Drawing inspiration from legitimate online businesses, cybercriminals are increasingly using automation to help move stock off their virtual shelves and collect data to better monetize deliverables, and they will continue to do so.

Moreover, with the commoditization of cybercrime-as-a-service, organizations are naturally seeking differentiation to make their services stand out in a crowded market. Instead of selling services or data listings on an individual basis, threat actors will put more effort into building lasting business-like enterprises — investing more in branding, customer support and even intuitive user interfaces.

The Bottom Line
It's time to recognize that the Dark Web operates just like any other market — supply and demand, clients and suppliers. While it might not be regulated, the market is checked by the invisible hand of cybercrime monetization channels. Given this, threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts. The days of cybercriminals doing the dirty work themselves using homemade or bare-bones tools may well be nearing an end. In 2020, cybercriminals will choose professionally designed tools based on reputation, brand, logo, and even slick marketing material. The era of the branded cybercriminal may well be upon us.

Leveraging over 11 years of expertise in intelligence collection, Raveed Laeb is responsible for leading the product team and intelligence collection platform at KELA. Raveed has in-depth knowledge of threat actors, specializing in the cybercrime financial ecosystem. ...
 

Comments
Michael Mayes,
User Rank: Apprentice
1/16/2020 | 12:39:52 PM
Like Mad Men for Cybercrime
Great article by Raveed Laeb on professional branding by cybercriminals. The recent Maze ransomware RaaS site looks like it was designed by an ad agency, digital black markets offer tools in carding shops that let buyers check the balance and usability of stolen cards, and there are many professionally produced video tutorials to teach script kiddie hackers. The fact so few cybercrimes are fully investigated, let alone prosecuted, means this business will only get more sophisticated and pervasive.
Raveed Laeb,
User Rank: Author
1/20/2020 | 5:08:45 AM
Re: Like Mad Men for Cybercrime
Thanks Michael.

Much agreed; the vast supply of services and products available for attackers is amazing, and as time passes it only gets more specialized and adapted to cybercriminals' needs.

For me the key point here is actually quite optimistic - as overwhelming as it might feel, these underground markets and service providers are an amazing intelligence collection opportunity. 5 years ago cybercriminals might have been less sophisticated and had less readily available resources, but we defenders now have an ability to tap into the same stream of data and exploit it to our own good.