Cybercrime-as-a-service the new criminal business model
Cybercrime-as-a-service the new criminal business model

The 2014 Internet Organised Crime Threat Assessment (iOCTA) report highlights that a service-based criminal industry is developing to the point where an increasing number of those operating in the virtual underground – or darknet – are starting to make products and services for use by other criminals.

This ‘crime-as-a-service' business model is now being seen in the cyber world, as EC3 investigators noted to last month, and it's a result of this that the report suggests that the barriers to entry in cybercrime are being lowered to the extent that even those without technical skills can get involved.

For example, the executive summary highlights how ‘mafia-style' gangs will look to venture into the market in order to buy up the relevant skills and tools.

“This trend towards adopting the cyber-crime features of a more transient, transactional and less structured organisational model may reflect how all serious crime will be organised in the future,” it reads.

The EC3 report continues that cyber-criminals are also abusing legitimate services and tools such as anonymisation (like Tor, which was developed by the US Navy), encryption and virtual currencies to carry out illicit activities – and it adds that future technological developments such as Big Data, wearable devices, augmented reality, the Internet of Things and the move to IPv6 will offer up new attack vectors to hackers.

Adding to the complexity of all this, the 2014 iOCTA emphasises that criminals predominantly operate from outside EU jurisdictions and reveals that outdated legal tools and ‘insufficient response capacities' are to blame for the difficulty in bringing cyber-criminals to justice.

“This 'hidden internet' has become a principal driving force in the evolution of cyber-crime and represents a highly complex challenge for law enforcement,” reads the EC3 statement.

Group head Troels Oerting revealed the difficulties of the darknet at a conference in London earlier this year and told SC last month of the difficulties police face in recruiting the right people and acquiring the right tools.

He even touched on EC3's own difficulties in recruiting the right personnel: “The problem is we can't just move a guy from trafficking and say, ‘OK, now you are a computer expert',” Oerting said, adding that some countries don't even have one EnCase licence to forensically investigate cyber-crime.

"These days, almost anyone can become a cyber-criminal. This puts an ever increasing pressure on law enforcement authorities to keep up. We need to use our new knowledge of how organised crime operates online to launch more transnational operations. We need to ensure that investigations into payment card fraud and online child abuse don't stop at national borders," added Cecilia Malmström, Commissioner Home Affairs, in a statement.