Cybercrime as a service: 7 real-life examples (with pictures)

Group-IB
6 min read · Feb 9, 2024

Like crime in general, cybercrime stays in the shadows. It happens in the dark alleyways of the Internet, hidden from the public eye. Yet, this underground world is very similar to ours. Let’s look at the mechanics of cybercrime as a service.

Netflix, Adobe, Microsoft Office, Spotify — all these familiar services are based on the software-as-a-service business model, which typically involves subscription plans. Cybercriminals keep up with the times and implement the same processes but instead of video-streaming or productivity tools, they provide malicious services that other cybercriminals pay subscription fees to use. And just like the services we use in our everyday lives, there is a wide variety of underground tools available for cybercriminals as well.

DDoS as a service

A distributed denial-of-service (DDoS) attack is an attempt to make an online resource unavailable by overwhelming it with internet traffic. Services that offer DDoS attacks are usually called “booters” or “stressers”. Here is an example of one.

In addition to a variety of monthly plans, it offers an API manager, FAQ section, and support via the Telegram messaging app.

The plans differ in terms of attack duration and intensity. More expensive plans offer more powerful DDoS attacks that are harder for targeted websites to withstand.

Hackers carry out such attacks for various reasons, among them revenge, blackmail, and hacktivism.

Phishing as a service

Phishing attacks typically involve a threat actor using social engineering to trick victims into clicking on a malicious link, downloading malware, or revealing confidential information (e.g., logins, passwords, or bank card details). Phishing attacks are usually carried out via email and other messaging platforms. There are various malicious tools that hackers use to conduct phishing attacks, and some are offered according to a subscription model. An example of a platform that rents out phishing tools is W3LL Store, an underground online marketplace dedicated to business email compromise (BEC).

The above is what a purchase page on W3LL Store looks like. OV6, for example, is a powerful phishing kit (a set of tools for launching phishing campaigns) that is designed to harvest Microsoft 365 accounts. Its subscription plan is $500 for the first three months, then $150 monthly.

Ransomware as a service

This is arguably the most popular type of cybercrime as a service. Ransomware is malicious software that encrypts data on infected computers, effectively taking the victim’s computer systems hostage. Hackers then demand a payment for decrypting (i.e., releasing) the data.

Ransomware as a service is commonly implemented in the form of “affiliate programs,” in which ransomware developers lease their malicious programs to affiliates (i.e., customers). Sometimes this is handled by a ransomware manager, as in the case of a threat actor known as farnetwork.

Unlike the services described above, the ransomware-as-a-service business model is based on splitting the proceeds from successful attacks rather than subscription plans. In most cases, affiliates receive up to 85% of the ransom, and the rest is split between other parties involved.

The above text is from the website of a ransomware gang called LockBit. As part of its affiliate program, the gang receives 20% of ransom sums obtained by affiliates in successful attacks. LockBit also requires a deposit of 1 Bitcoin (about $43,000 at the time of writing) to enter their program.

There are, however, subscription-based services for ransomware builders, which are computer programs for creating ransomware. These are usually purchased by inexperienced hackers and the resulting ransomware that they sell tends to be of poor quality.

The screenshot above shows part of a message on an underground forum advertising a ransomware builder for $999 per month (or $9,999 as a one-off purchase).

Malware as a service

There are different types of malicious software offered for subscription fees on the dark web. Ransomware is one of them, but because it is such a big and distinct market, we described it separately. Another popular type of malware offered as a service is information stealers, which, as their name suggests, are programs designed to steal information from infected devices, such as cookies and passwords stored in the victim’s browsers.

Above is a post advertising an information stealer (machine translated from Russian). It mentions a well-organized log structure, a convenient arrangement of browser folders and the information in them, and the collection of passwords in a single text file. The price is $199 per month, or $399 for three months.

Other types of programs offered under the MaaS model include loaders and backdoors.

Infrastructure as a service

This type of service includes renting out bulletproof servers, which are more resilient to abuse complaints about illegal activity, potentially allowing criminal infrastructure to remain online for longer. Such servers can be used for phishing, mass scanning, and other attacks.

The post above advertises bulletproof servers for various purposes. A server for mass scanning is offered for $130 per month, and one for phishing for $69 per month. WHM in the green line stands for Web Host Manager, and VPS means Virtual Private Server (one physical server can host multiple virtual ones).

Obfuscation as a service

The term obfuscation means making something obscure and unintelligible. In computer programs, this means making code difficult to understand. Hackers do this to protect malware from being analyzed, reverse engineered, and detected. Below is a post on an underground forum advertising a service for obfuscating various types of malware.

Subscription to this service costs $2,000 per month (you can see it at the end of the subject line). However, one-off purchases are more common in this market: encrypting or obfuscating a single malicious file could cost about $30.

Underground Clouds of Logs (UCLs)

The big-sounding name denotes cloud-based platforms that provide access to databases (called logs) of compromised confidential information, which is typically obtained by information stealers (the type of program we mentioned under “Malware as a service”). The Telegram messaging app is the most popular distribution channel for Underground Clouds of Logs. The logs can be downloaded directly from a Telegram channel as an archive or distributed via a file-sharing service. On average, logs are updated weekly.

Information from UCLs can be used for various malicious activities, such as scamming or hacking into bank accounts, cryptocurrency wallets, VPN services, and corporate accounts.

The Telegram post above includes an archive of logs as a free sample and offers a variety of plans, from $50 per week to $2,100 for lifetime access.

Wrap-up

In this article we described illegal services based on the X-as-a-service model, in which cybercriminals pay a subscription to access some kind of service that they can then leverage as part of their malicious activities. Cybercriminals offer many other services based on other business models too, including selling access to corporate networks, tailored attacks, and spying, to name but a few.

What is insidious about cybercrime as a service is that it enables people with little to no technical skills to enter the world of cybercrime, which results in more users around the world being harmed.

Cybercrime is a major threat, and it is important to be aware of it. A simple and effective way to protect yourself on the Internet is to practice good digital hygiene. Check out our article to learn about what you can do to stay safe online.

Group-IB

Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime