Hackers For Hire: Now, Anyone Can Be a Cybercriminal
Once upon a time, cybercrime was the work of a few geniuses symbolized by a hooded silhouette and glamorized as vigilantes in dramas like Mr. Robot (IMDb 8.5/10). They assumed the role of super-heroes pretending to save humanity from corrupt capitalists and other perceived evils. Ah, those were the days. But the golden age of cybercrime has passed, and with it, the notion that only those deserving a hack will fall victim.
Today, technical skills are not required to achieve cybercriminal status. Anyone can join in by purchasing hacking as a service, just as you would any other type of labor. The official term is “Cybercrime-as-a-Service.”
According to MakeUseOf.com, “Cybercrime as a Service (CaaS) is the umbrella term used to describe an organized business model that involves malware developers, hackers, and other threat actors selling or loaning out their hacking tools and services to people on the dark web. This makes cybercrime weapons and services accessible to anyone who wants to launch a cyberattack—even those without technical knowledge.”
In short, anyone can launch an attack on anyone else—the more sophisticated the attack you want to launch, the more money you have to pay.
Cybercrime vendors are organized like legitimate businesses with familiar job roles such as engineers, leaders, developers, money mules, and tech support representatives. They post ads in underground forums for all sorts of cyberweapons, including malware kits, stolen accounts, device tracking, hackers for rent, and the like.
Here is a sample list of cybercrime services for sale or rent, according to the Armor Dark Market Report 2020:
- Generic ransomware: $1.99–6.50
- Unhacked Remote Desktop Protocol (RDP) servers: $9.99–25 per server
- Hacker university degree: $125
- Various malware: $2.68–80
- ATM skimmers: $700–1,500
- Card readers or writers: $149–990
- Phones: $179 for an iPhone 11 Max Pro
- Underground market vendor shop setup: €5,000–10,000
- Destruction of a target’s business: $185
- Rent access to popular software: $500 per month
- SMS spamming service: $18.99–19.99 for 1,000 SMS
- Bulletproof hosting (web hosting for content such as fraud, money laundering, and porn): $4–19 per month
- Telephony Denial of Service (TDoS) attacks: $132.30 for 7,000 calls in a 72-hour period
- Money transfer services: $1,000 for a $15,000 balance
A recent and typical case of CaaS is the new version of an old data stealer called “Xloader.” This malware is for sale at $49 per license, a tempting prospect for even the most inexperienced, poorly funded cybercriminals. Xloader steals login credentials, collects screenshots as you work, runs malicious programs in the background, and logs keystrokes as you type. And, if you think your Mac is safe, know that Xloader is quite adept at attacking both PCs and Macs, with a majority of the hacks happening right here in the USA.
So now you know about the arsenal of cyberweapons available. But what about the ammunition? No problem. Researchers and bug bounty hunters populate countless public databases of vulnerabilities with information ranging from weaknesses in your desktop PC or Mac to exploitable bugs in insulin pumps connected to the Internet. Examples are CVEdetails.com, Shodan, and Exploit-DB. Hackers and defenders have equal access to these well-intended, wide-open sources, which sets the stage for a race between the bad guys launching an attack and the good guys creating a “patch” for companies and their IT people to install. The shortage of cybersecurity workers by a count of 450,000+ in the USA and over 3.5 million worldwide isn’t helping defense efforts.
More than ever, individuals and companies must be vigilant by suspecting they have been penetrated and anticipating a cyber attack. When combined with sound advice, training, and best practices, such a mindset will naturally result in the correct actions. Remember, security is everyone’s job.