Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/13/2020
10:30 AM
Raveed Laeb
Raveed Laeb
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Will This Be the Year of the Branded Cybercriminal?

Threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts.

All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it's only natural that businesses should become more "professional" — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.

The "Servitization" of the Dark Web
Making money from stolen personal credentials via the Dark Web is pretty much de rigueur for would-be cybercriminals. Yet in the past, this process involved significant effort for the cybercriminal-to-be.

First, criminals needed to code or acquire a Trojan to use for infecting online banking portals or payment systems. Then they'd have to disseminate their malware and infect targets. Following the infection, they'd need to access all infected machines, harvest relevant data, and process it. Only then could they begin cashing out — selling stolen credentials or data via the Dark Web.

This process is now becoming astoundingly less complex — and infinitely more dangerous.

Servitization is the process of shifting from selling products to selling services that provide the outcomes those products deliver. This shift has transformed many above-board business models, and this same process will continue to spread across criminal networks this year and beyond. Today's cybercriminals are already buying and selling services rather than goods in the cybercrime financial ecosystem — and this trend will accelerate.

This means that threat actors no longer need to suffer the complexities of development, infection, extraction, and monetization on their own. Rather, they can use malware-as-a-service (MaaS) — the same malware that was previously sold as a product is now being sold as a business service.

Numerous underground markets have already sprung up around this business model. For example, today there are markets on the Dark Web where cybercriminals can pay a monthly fee for access to an updated dataset maintained by threat actors. There are also pay-per-bot markets, in which buyers can view "bots" — machines infected with banking Trojans — that can conduct services and attain credentials on demand.

The fact that the level of skill required to commit cybercrimes is dropping spells trouble for individual victims and organizations alike. Underground threat actors have learned that they can reach far beyond low-hanging fruit — the credentials that come with an easy cash-out process. We will see an increasing number of threat actors targeting assets with more difficult cash-out processes because servitization can take over the heavy lifting for any given crime.

New Branded Monetization Channels Emerge
Essentially, we're seeing cybercrime evolve into recognizably mainstream business models — and we expect this to accelerate this year.

Cybercriminals will have incentives to invest heavily in their businesses as payoffs continue to grow and enforcement lags. New cybercrime monetization channels continue to emerge — from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access, and more-sophisticated fraud. Drawing inspiration from legitimate online businesses, cybercriminals are increasingly using automation to help move stock off their virtual shelves and collect data to better monetize deliverables, and they will continue to do so.

Moreover, with the commoditization of cybercrime-as-a-service, organizations are naturally seeking differentiation to make their services stand out in a crowded market. Instead of selling services or data listings on an individual basis, threat actors will put more effort into building lasting business-like enterprises — investing more in branding, customer support and even intuitive user interfaces.

The Bottom Line
It's time to recognize that the Dark Web operates just like any other market — supply and demand, clients and suppliers. While it might not be regulated, the market is checked by the invisible hand of cybercrime monetization channels. Given this, threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts. The days of cybercriminals doing the dirty work themselves using homemade or bare-bones tools may well be nearing an end. In 2020, cybercriminals will choose professionally designed tools based on reputation, brand, logo, and even slick marketing material. The era of the branded cybercriminal may well be upon us.

Related Content:
 
 

Leveraging over 11 years of expertise in intelligence collection, Raveed Laeb is responsible for leading the product team and intelligence collection platform at KELA. Raveed has an in-depth knowledge on threat actors, specializing in the cybercrime financial ecosystem. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michael Mayes
50%
50%
Michael Mayes,
User Rank: Apprentice
1/16/2020 | 12:39:52 PM
Like Mad Men for Cybercrime
Great article by Raveed Laeb on professional branding by cybercriminals. The recent Maze ransomware RaaS site looks like it was designed by an ad agency, digital black markets offer tools in carding shops that let buyers check the balance and usablility of stolen cards, and there are many professionally produced video tutorials to teach script kiddie hackers. The fact so few crybercrimes are fully investigated, let alone prosecuted, means this business will only get more sophisticated and pervasive. 
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2019-17634
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could...