Cybercrime-as-a-service the new criminal business model

News by Doug Drinkwater

A new report from Europol's European Cybercrime Centre (EC3) reveals that cybercrime is being increasingly commercialised, and by criminals who use legitimate services to hide their activities.

The 2014 Internet Organised Crime Threat Assessment (iOCTA) report highlights that a service-based criminal industry is developing to the point where an increasing number of those operating in the virtual underground – or darknet – are starting to make products and services for use by other criminals.

This ‘crime-as-a-service' business model is now being seen in the cyber world, as EC3 investigators noted to last month, and it's a result of this that the report suggests that the barriers to entry in cybercrime are being lowered to the extent that even those without technical skills can get involved.

For example, the executive summary highlights how ‘mafia-style' gangs will look to venture into the market in order to buy up the relevant skills and tools.

“This trend towards adopting the cyber-crime features of a more transient, transactional and less structured organisational model may reflect how all serious crime will be organised in the future,” it reads.

The EC3 report continues that cyber-criminals are also abusing legitimate services and tools such as anonymisation (like Tor, which was developed by the US Navy), encryption and virtual currencies to carry out illicit activities – and it adds that future technological developments such as Big Data, wearable devices, augmented reality, the Internet of Things and the move to IPv6 will offer up new attack vectors to hackers.

Adding to the complexity of all this, the 2014 iOCTA emphasises that criminals predominantly operate from outside EU jurisdictions and reveals that outdated legal tools and ‘insufficient response capacities' are to blame for the difficulty in bringing cyber-criminals to justice.

“This 'hidden internet' has become a principal driving force in the evolution of cyber-crime and represents a highly complex challenge for law enforcement,” reads the EC3 statement.

Group head Troels Oerting revealed the difficulties of the darknet at a conference in London earlier this year and told SC last month of the difficulties police face in recruiting the right people and acquiring the right tools.

He even touched on EC3's own difficulties in recruiting the right personnel: “The problem is we can't just move a guy from trafficking and say, ‘OK, now you are a computer expert',” Oerting said, adding that some countries don't even have one EnCase licence to forensically investigate cyber-crime.

"These days, almost anyone can become a cyber-criminal. This puts an ever increasing pressure on law enforcement authorities to keep up. We need to use our new knowledge of how organised crime operates online to launch more transnational operations. We need to ensure that investigations into payment card fraud and online child abuse don't stop at national borders," added Cecilia Malmström, Commissioner Home Affairs, in a statement.

Alan Woodward, visiting professor for computer science at the University of Surrey and co-author of the EC3 report, said in an email to journalists that more international collaboration is required if law enforcement is to be successful.

“Modern cybercrime, especially organised crime is by nature transnational so it is vital that we take an international view of the threat posed by this ever-increasing form of crime,” said Woodward.

“Europol's European Cyber Crime Centre (EC3) is able to provide a unique perspective on this threat as it has access to data from law enforcement agencies across Europe. It should be seen as a vital piece of work which should be read by all policy makers and decision makers involved in combatting cyber-crime.”

He added: “If agencies fail to mobilise to meet the threats highlighted in this report then organised cyber-crime will gain the upper hand. However, if agencies work together, across borders, then we can use modern technologies to catch criminals, rather giving them a platform for ever more innovative forms of crime.”

Adrian Culley, a cyber security consultant and a former detective in the Scotland Yard Computer Crime Unit, told SC that it was little surprise that cyber-crime is becoming more commercial, saying that hackers would often use the darknet to advertise their services…and their ability.

“Cyber-crime as a service has been around for some time. Organised crime is another way of saying unlawful business, and as such is every bit as concerned with profit and efficiency as legitimate business.”

“Cyber-criminals will go where the money is, where the lowest risk is,” he said. However, he warned that police are well-behind on the required skills and reporting mechanisms, adding that the Met Police – which celebrated its 185th birthday today – was ‘failing in cyber space'.

“Whilst Sir Robert Peel's 1829 policing model has mostly stood us in good stead for physical, tangible matters, and indeed been exported around the world, it is now struggling to deliver for digital society and cyber-crime.  A wider debate is needed across society as to how 21st Century policing engages with things cyber.”

“Cyber-crime as a service shows crime continues to innovate. Policing must also innovate to meet this challenge.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews