Malware as a service isn’t anything new. We have known you could either hire hackers to perform specific malware attacks, or hire platforms per hour or per attack to cause havoc.
What we didn’t know is that malware as a service is available for as little as $10 on the dark web.
Cybercrime experts HP Wolf Security outlined the findings of a study they performed in a report titled The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back.
One of the key findings was:
“Cybercrime goods and services are cheap and plentiful – Over three-quarters of advertisements (76%) for malware and 91% for exploits are listed for under $10. The average cost of compromised Remote Desktop Protocol credentials is just $5. Vendors are selling products in bundles, with “plug and play” malware kits, malware as a service, tutorials and mentoring services all reducing the need for technical skills and experience to conduct attacks – in fact, few threat actors today are advanced coders.”
The report goes on to assume that zero-day exploits and more involved vulnerabilities cost more, but the basic types of exploits we see being used in the world are readily available.
This can explain some of the rise in malware attacks we have seen over the past year.
“Complex attacks previously required serious skills, knowledge and resource, but now the technology and training is available for the price of a gallon of gas,” said HP senior malware analyst and report author Alex Holland.
“And whether it’s having your company and customer data exposed, deliveries delayed or even a hospital appointment cancelled, the explosion in cyber crime affects us all. At the heart of this is ransomware, which has created a new cyber criminal ecosystem rewarding smaller players with a slice of the profits. This is creating a cyber crime factory line, churning out attacks that can be very hard to defend against and putting the businesses we all rely on in the crosshairs.”
These dark web marketplaces are surprisingly sophisticated. Some have escrow systems to help build trust, others use feedback to help give buyers confidence in the seller.
Others require bonds of up to $3,000 to be able to sell on the website. Presumably, if your exploits don’t work, refunds are offered out of the bond.
It’s a more organized setup than we might imagine, but it obviously works.
It also clearly demonstrates that businesses and individuals need to become aware of the risks of cybercrime, and take even basic steps to help prevent becoming a victim of it.