The cybercrime business includes a complete range of deliverables: attack tools and methods, consulting, services, advertising, and a myriad of programs that serve as the 'product'. The more features or the more complex the service offered, the higher the price. A worrying new phrase has entered the lexicon of cybercrime: Crime-as-a-Service (CaaS). While the term is self-explanatory, it more than adequately describes how cybercrime in the 21st century has become commoditised. Truly, cybercrime is now big business.
CaaS has become a well-oiled machine, built on a wide network of players that fulfil specific functions. Just as with any other business, there are products and services available to be sold to customers. These include:
- Consulting services, such as botnet setup ($350-$400)
- Infection/spreading services (~$100 per 1K installs)
- Botnets and rentals: Distributed Denial of Service (DDoS) ($535 for 5 hours per day for one week), email spam ($40 / 20K emails) and web spam ($2 / 30 posts)
- Crimeware upgrade modules: SpyEye modules, as an example, range anywhere from $500 up to $10K. SpyEye is a prolific banking botnet that emerged in 2010 and can be upgraded to enable advanced features for money laundering.
The wide range of available services also includes highly specialised 'Cloud Cracking', which offers high-performance password cracking at a low cost and significantly reduces the time it takes to uncover strong passwords. Altogether, 300 million attempts, which take about 20 minutes, cost around $17. Cloud Cracking has been around for several years, but Fortinet is seeing a significant increase in the speed offered by these services and a reduced cost. This service is enabled by the distributed computing model, with networks of processors basically providing more horsepower, similar to the SETI project.
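To turn the quoted rate (300 million attempts in about 20 minutes for around $17) into something a defender can act on, the following added example (not code from the report) models what an attacker would have to spend to exhaust a whole password space at that price. It assumes the quoted rate scales linearly and that the attacker must try every candidate; real attackers use wordlists and rules and get far better returns, so treat these figures as a lower bound on attacker effort, not a guarantee.

```python
"""Cost/time model for outsourced password guessing.

Added example built on the rate quoted in the text:
300 million attempts in ~20 minutes for ~$17.
Assumptions (not from the report): the rate scales linearly with the
size of the job, and the attacker searches the full keyspace.
"""

ATTEMPTS_PER_JOB = 300_000_000   # attempts per quoted job
MINUTES_PER_JOB = 20             # wall-clock time per quoted job
USD_PER_JOB = 17.0               # price per quoted job

# Character-set sizes for common password policies.
CHARSETS = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ascii": 95,
}


def guesses_per_second() -> float:
    """Attempts per second implied by the quoted job."""
    return ATTEMPTS_PER_JOB / (MINUTES_PER_JOB * 60)


def usd_per_guess() -> float:
    """Price of a single attempt implied by the quoted job."""
    return USD_PER_JOB / ATTEMPTS_PER_JOB


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters from the charset."""
    return charset_size ** length


def exhaustive_cost(charset_size: int, length: int) -> tuple[float, float]:
    """Return (seconds, usd) needed to try every password of this policy."""
    n = keyspace(charset_size, length)
    return n / guesses_per_second(), n * usd_per_guess()


def min_length_for_budget(charset_size: int, budget_usd: float) -> int:
    """Smallest length whose exhaustive search costs more than the budget.

    Useful for sizing a policy against an assumed attacker budget.
    """
    length = 1
    while exhaustive_cost(charset_size, length)[1] <= budget_usd:
        length += 1
    return length


if __name__ == "__main__":
    print(f"rate: {guesses_per_second():,.0f} guesses/s, "
          f"${usd_per_guess():.2e} per guess")
    for name, size in CHARSETS.items():
        for length in (6, 8, 10, 12):
            secs, usd = exhaustive_cost(size, length)
            print(f"{name:16s} len={length:2d}  "
                  f"{secs / 86400:12.1f} days  ${usd:,.0f}")
        print(f"{name:16s} needs length >= "
              f"{min_length_for_budget(size, 1_000_000)} "
              f"to exceed a $1M budget")
```

The point of the model is the gap it exposes: at the quoted price an eight-character lowercase password costs only on the order of $12K to exhaust, while each extra character multiplies attacker cost by the charset size. This is why length and a slow, salted password hash (which cuts the effective guesses-per-second an attacker gets for the same money) matter more than character-class rules.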
Cybercriminals also reap profits by renting or leasing hacking tools to third parties, often for a set price but subject to negotiation, with tools offering more elaborate and evasive features commanding the highest price. Tools for rent can include:
- Botnets: Features include broadcast command and control, keylogging, download and spam. Examples include Zeus/SpyEye ($700 for old version, $3,000 for the new) and Butterfly ($900)
- Simplified botnets: Features include downloading and executing malicious code. Used primarily for rentals/Crime-as-a-Service. Once grown, operators will charge about $100 to load malicious software on 1,000 machines. The cost of simplified botnet code starts as low as $50
- Remote Access Trojans (RATs): Features include targeted attacks, with screen shot and webcam feed capabilities. Examples include Gh0st Rat, Poison Ivy and Turkojan ($250)
- Exploit Kits: Enable attackers to compromise users via websites. Examples include Black Hole, GPack, MPack, IcePack and Eleonor ($1K-$2K)
- Crypters, Packers and Binders: Allow an attacker to obfuscate binary code, piggyback code onto legitimate files and generally avoid detection ($10-$100)
- Source code: This is generally free and available to anyone through well-known kits posted on underground forums. It can be leaked from private/controlled versions of code in a case where hackers attack hackers. Source code is the root of all malicious code that exists today and a big reason why new threats keep coming up. It can be copied, modified and molded into a new threat with relative ease. One example is Zeus, which has had manifold modifications since its release (and new variants continue to appear) due to the ease of access to the source code and the amount of documentation that exists describing how to modify it.
In order to manage such a complex and comprehensive offering to their marketplace, cybercrime syndicates have organised themselves, defining hierarchical structures with roles up and down the chain of command:
The executive suite
The organisation's 'executives' make decisions, oversee operations, and ensure that everything runs smoothly. Just as with legitimate enterprises, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry, and are no longer involved with launching attacks.