The increasing frequency, variety, and complexity of attacks are the product of an emerging “cybercrime-as-a-service” provider market. This market allows malicious parties to execute attacks at considerably lower cost, with considerably lower levels of technical savvy.
As is the case with cloud computing, this service-based cybercrime ecosystem provides greater efficiency and flexibility to cybercriminals—just as it does in other “business” ventures. This approach extends well beyond hiring individuals to undertake specific tasks (such as coding an exploit) to include a broad variety of products and services available either to buy or rent.
This marketplace contains many stakeholders, ranging from formal, legitimate organizations selling vulnerabilities to parties that meet their strict eligibility criteria, to underground websites that allow individuals to offer illegal services. Law enforcement’s focus on cybercrime at a global level has led to “as-a-service” models for illegal activities going even deeper underground.
Such underground platforms are implementing stronger mechanisms to ensure that participants are who they purport to be (or at the very least are not law enforcement officials). Ironically, while the platforms that facilitate the services marketplace for illegal activities are going deeper underground, the trade in zero-day vulnerabilities is more transparent than ever before.
Most of these services are clearly administered by cybercriminals. There are, however, a number of services that remain legal. Overall, we can classify services as belonging to either black or gray markets. We use the classification “gray” when the activities, or the real customers, are difficult to determine.
Unlike our other categories, research-as-a-service does not have to originate from illegal sources; there is room for a gray market. There are commercial companies that sell zero-day vulnerabilities to organizations that meet their eligibility criteria. And there are individuals who act as middlemen, selling such intellectual property to willing buyers who may or may not be held to the same strict eligibility requirements.
Vulnerabilities for sale: a commercial marketplace. Today’s marketplace serves those looking to acquire zero-day vulnerabilities—software vulnerabilities for which there is no known solution at the time of their discovery. This category is known for its customer eligibility requirements—such as requiring that customers are law enforcement officials or government organizations. Regardless of these requirements, these services can be, and are being, used to acquire vulnerability intelligence for use in attacks.
Exploit brokers. Although vulnerabilities can be acquired from a commercial entity, there are also opportunities to purchase them through brokering services. Such a broker may be a single individual who acts as a commission-driven middleman, facilitating sales with third parties.
Spam services. Rather than manually building email lists, would-be spammers have the luxury of simply purchasing a list of email addresses. Beyond tailoring the message to a particular language, the unsolicited email may call for more granular targeting. For example, if something is particularly relevant to consumers in one US state, there are services that supply email addresses belonging to individuals from specific states.
This category incorporates the identification and development of exploits used for an intended operation—and may also include the development of ancillary material to support the attack (droppers, downloaders, keyloggers, bots, and more). It includes tools used to conceal malware from security protection mechanisms (cryptors, polymorphic builders, joiners, crackers, and the like), as well as spammer/robot tools like XRumer. In addition, this category includes the availability of hardware that may be used for financial fraud (for example, card skimming) or equipment used to hack into physical platforms.