Malware as a service – cyber crime’s new industry

Organised criminal gangs (OCGs) are increasingly using software services of the type more usually associated with legitimate corporations to grow their operations. By offering 'malware as a service', OCGs are employing business models similar to those developed by legitimate companies in order to extend their global reach.

The companies providing the software used by OCGs to break into organisations’ IT systems, commonly called ‘malware’, now employ business models frequently comprising a revenue stream, a budget, market researchers, a global pool of developers, software quality assurance and testing, help desk support, and even money-back guarantees. This process is now being referred to as the 'industrialisation' of cyber crime.

Intelligence and security services now fear that cyber attacks on corporates may start to escalate severely as a result of the proliferation of 'off-the-shelf' malware designed to break into corporate IT systems. Speaking at the recent InfoSec Security Conference in London, US Federal Bureau of Investigation (FBI) agent Michael Driscoll said that the potential effects of selling 'malware as a service' in this way are potentially 'devastating'.

According to the FBI, the 'malware as a service' industry is currently being controlled by a relatively small group of criminals. Driscoll believes that as few as 200 people may be enabling OCGs to mount sophisticated cyber attacks by selling 'over-the-counter' malware, botnets, distributed denial of service (DDoS) software and other hacking services.

The full scale of the threat is, in any case, hard to quantify accurately. In an effort to disguise their identities, the OGCs offer their services on the Dark Web, where slick websites offer services ranging from illegal drug deliveries to assassinations.

By encrypting communications and using the virtual currency, Bitcoin, as an online currency, the OCGs hope to remain anonymous. The increasing globalisation of the Internet also makes it all but impossible to track down the shadowy figures behind the industrialisation of the criminal web. For example, while the malware development industry in Russia alone is estimated to be worth roughly $2 billion (£1.2 billion) a year, the Russian authorities are reluctant to pursue hackers whose victims are outside Russia.

But there is also evidence that the 'industrialisation' of cyber crime may be growing. One clear indication that the global malware market is being directed by the same market forces that govern any industry is the downward pressure on the pricing of some services. As a relatively old-fashioned form of cyber intrusion, a DDoS attack, can, for example, be contracted on the Dark Web at under $40 (£25) per hour.

While many organisations now have security systems in place in order to deal with DDoS attacks, many of these intrusions now mask a more sinister trend. But as the most common type of DDoS attack involves overloading the target organisations email service with communication requests, dealing with this form of intrusion is extremely time consuming for the target organisations IT team.

It is for this reason that OCGs now increasingly see a DDoS attack not as an end in itself but as a smokescreen for a subtler and more sophisticated malware attack. Falling prices in services such as DDoS attacks are evidence of a growing and increasingly competitive industry and should be seen as a warning of more smokescreen DDoS attacks.

Other types of hacking services are also freely available on the Dark Web. Phishing and spear phishing attacks are also being sold as a service. A standard phishing attack involves sending spoof emails in order to gather sensitive information such as passwords and financial data.

A spear phishing attack, on the other hand, is designed to send particularly convincing emails to selected individuals within a targeted organisation. Often, a technique referred to as 'social engineering' is used to discover personal details about an executive or selected staff member in order to make the fake email appear more convincing. In some cases, the spear phishing attack merely instructs the unsuspecting target to release a password or transfer funds to a bank account under the control of the OCG. In other cases, the spear phishing email comes with an attachment. Believing this to be from a bonafide source within his/her own organisation, the victim of a spear phishing attack will innocently open what appear to be, for example, a straightforward Word document.

But the attachment also contains hidden malware which opens a back door into the target organisation's IT system, giving the OCG untrammelled access to the target organisation's entire database.

Another website active on the Dark Web gave details of an even more sophisticated form of malware, 'ransomware'. This is the software widely used to hold corporations to ransom after encrypting their most sensitive data. Unless the target organisation pays the ransom demand within a certain period of time, the files become permanently encrypted or destroyed.

All the malware needed to make these and other types of attack are now available on the Dark Web at a price. Given the growing industrialisation and sophistication of malware-as-a-service, companies can expect an escalation in targeted attacks from OCGs.

In order to protect themselves against the newly industrialised cyber crime industry, companies must not continue to rely on traditional anti-virus software, which is virtually useless against modern malware. Instead, they must employ best-practice Twentieth Century software such as KCS Glasswall in order to halt spear phishing and other malware attacks.

This can identify incoming communications and stop anything that comes from an unknown or untrusted source.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.