Pub. 11 2016-2017 Issue 5

www.nebankers.org
Extraordinary Service for Extraordinary Members.

Crime-as-a-Service = Hackers for Hire
The Evolution of Cybercrime

Jon Waldman, CISA, CRISC, Partner, Senior Information Security Consultant, SBS CyberSecurity

Close your eyes for one second and picture a “hacker.” What does he or she look like in your mind? Most people picture a 15-year-old kid in his parents’ basement. It’s dark, and he’s drinking a two-liter of soda, eating a bowl of cheese puffs, and “hacking the planet.” Sound about right?

The scary truth is this is very far from reality in today’s world. Most “hackers” are just like you and me. Hacking has evolved from kids trying to figure out how the internet works to an everyday business. Cybercrime, as it’s referred to these days, simply involves folks trying to obtain two things—information or money—from others in order to grow their business.

Not so long ago, cybercrime required bad guys with great technical knowledge to break into networks and steal data or money without getting caught. Times have changed, however. As the economy of cybercrime continues to grow, the majority of attacks have become automated. Criminals are creating software that makes many of the attacks they perform as easy as clicking a few buttons. As a result, the technical expertise once required to be a “hacker” is no longer a job requirement. In many cases, bad guys now will allow you to sign up for a “service” they provide, such as a Distributed Denial of Service (DDoS) attack or a phishing scam, rather than having to do it yourself. This is what the industry refers to as “crime-as-a-service.”

What Is Crime-as-a-Service?

Have you ever wanted to perform a DDoS attack on another organization, but didn’t know where to start? Let’s pretend you did. Instead of spending your time learning the particulars of how a DDoS works, you can simply find a DDoS provider and pay them to perform the attack on your behalf! There are all kinds of ancillary benefits to using this type of service—from additional anonymity to better attack resources to time and cost savings to you. What’s better than that?

Crime-as-a-service can be defined as the practice of facilitating illegal activities for cybercriminals through the provisioning of services. While crime-as-a-service has been around for a while, it has been gaining in popularity, as evidenced by a host of new “services” now readily available for anyone with a malicious agenda to conduct quickly and easily.

New Types of Crime-as-a-Service

Brian Krebs (www.krebsonsecurity.com) is a well-known computer security blogger with deep ties to the underground cybercrime community. Krebs reports frequently on the newest and latest attacks and types of fraud hitting the internet. Crime-as-a-service is no exception. Some of the most recent forms of cybercrime that have been turned into crime-as-a-service include online dating scams, ransomware, warranty fraud, reshipping, and call centers.

Online dating is extremely popular, and nearly everyone knows or has heard a story about someone falling victim to an online dating scam. Online dating scams statistically prey on lonely men via online dating websites or spam email campaigns. Crime-as-a-service automates these attacks by giving the “customer” the option of different packages that include standard text, hundreds of email templates, and advice for tricking the victim into sending money to the “customer” via wire transfer. The vendor of this service advertises a response rate of 1.2 percent, and that “customers” who send at least 30 scams a day can make roughly $2,000 per week.
