True to form, cybercriminals not only stole funds, personally identifiable information, credentials, bank account information , health records and more in 2014 but they also poached legitimate business tactics and strategies to bolster illicit operations. In a recent interview with Dell SecureWorks’ David Shear, BankInfoSecurity’s, Tracy Kitten uncovers trends in the underground cybercrime market. Most notable is the growing trend of “Cybercrime-as-a-Service” or (CaaS).
In 2015, we can expect to see a continued increase in the number of underground operations offering full-service cybercrime. Just as in any marketplace, competition continues to rise in the underground resulting in the constant evolution of services and new features. Some key attributes of leading suppliers of CaaS closely resemble those of a valid business, including:
- Superior customer service
- Tutorials and training
- Satisfaction guaranteed
- Value-added data (personally identifiable information documentation such as a driver’s license or a utility bill to enable authentication)
- Reputation for delivering quality services
Data reigns in the underground
Big data is the name of the game for cybercriminals as retailers and financial institutions tighten up security and require more information for verification. In a recent report by Dell SecureWorks, researchers found that “the markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver's licenses.”
In addition to the traditional phishing and vishing scams, bad actors are seeking personally identifiable information (PII) through a myriad of new avenues including healthcare records, travel sites and social media. This information is then sold as value-added intelligence used to commit large-scale fraud or identity theft. Services and offerings come in an à-la-carte format with a wide range of costs per item. The following shows some common costs associated with services and data available for purchase.
Figure 1. Value of stolen data (observed by PhishLabs R.A.I.D in Q4 of 2014).
Cybercriminals post offerings in a plethora of underground forums, some are open and some exclusive, closed-membership communities. The following example is an advertisement for cybercrime services and data including social security numbers, credit card numbers (complete with CVV number), “fullz” and “kitz” which essentially contain everything you need to commit fraud.
Figure 2. Advertisement for cybercrime services and stolen data.
I would be remiss if I didn’t mention Vawtrak – a sophisticated banking Trojan, sold through a CaaS model. PhishLabs’ R.A.I.D. has followed the threat closely and has observed recent enhancements that indicate the threat is growing in complexity and expanding its target list. As the poster child for Cybercrime-as-a-Service, Vawtrak has quite the decorated history, recognized as a rival to the one and only, Zeus. It is anticipated that Vawtrak will continue to grow as other threats and CaaS crews pop up, learning from and building off of the developments realized by the recent banking Trojans.
As criminal enterprises continue to demonstrate aggressive R&D and business development activities, consumers and financial institutions will have to evolve security parameters. Instead of reacting to threats, a proactive approach to mitigating risks is needed. Financial institutions should continue to keep a close eye on developments and ensure that account holders are educated and aware of the threat.
Join PhishLabs' Director of Threat Intelligence, Don Jackson, on January 29, 2015 for a live webinar on on the underground marketplace and Cybercrime-as-a-Service. Click here to register.