Cybercrime-as-a-service: the business model behind digital attacks

Summary: Cybercrime-as-a-service mirrors the SaaS model, selling attack tools on the dark web. Learn how it works and how to defend your business.

Cybercrime-as-a-service (CaaS) is the dark side of modern software development. While the SaaS business model offers low-cost and flexible solutions, CaaS provides similar benefits for cybercriminals.

Thanks to CaaS, executing data breaches or distributed denial-of-service attacks has never been easier, challenging companies to upgrade their security measures. This article will explain how CaaS works and who is behind it, before exploring practical security responses.

What is cybercrime-as-a-service (CaaS)?

Cybercrime-as-a-service is a threat model in which vendors provide services or tools to enable attacks by third-party clients. CaaS vendors generally sell products via pay-per-use or subscription models and use dark web marketplaces to conceal transactions.

CaaS operations allow attacks by unskilled criminal groups, expanding the community of threat actors. They cover many cyber threats, including ransomware, DDoS attacks, and credential theft. This makes cybercrime-as-a-service a critical part of the global threat landscape.

How the service model works in cybercrime

Cybercrime-as-a-service (CaaS) functions similarly to conventional third-party applications or cloud services. This familiarity is one reason why CaaS is spreading rapidly. Once restricted to specialist hackers, advanced tools are now available to novice threat actors.

How cybercrime-as-a-service works in a nutshell

CaaS attacks follow a lifecycle that starts with purchasing and ends with successful cyber attacks:

Purchase

Vendors create kits that include the tools needed to mount cyber-attacks. They offer these products for sale via encrypted sites. Popular purchasing platforms include dark web marketplaces and encrypted communication tools like Telegram channels.

Buyers can choose between several different kits depending on their goals and budget. CaaS vendors typically offer ransomware-as-a-service kits, tools to spread malware, and phishing kits featuring templates for fake websites and login portals.

Purchases typically take place via hard-to-trace cryptocurrencies. Transactions could be one-off purchases, but subscriptions are common. Marketplaces also often apply escrow models to enforce standards and resolve disputes.

Deployment

Cybercriminals customize CaaS kits to suit their needs before deploying attacks via their favored method. Forms of deployment include:

  • Drive-by downloads. Cybercrime services create credible websites to deceive victims and deploy downloads containing malicious payloads.
  • Phishing emails. Automated kits send personalized phishing emails to mount targeted attacks on victims. Emails persuade victims to download infected attachments, provide login credentials via fake websites, or take other risky actions.
  • Malvertising. CaaS kits deploy fake ads that are infected with malicious software. Malware spreads as users visit websites hosting the ads, enabling secondary data theft or ransomware attacks.

In the above deployment methods, off-the-shelf kits do the technical work (bypassing encryption, anonymizing attackers, or creating convincing fake assets).

CaaS kits also implant malicious tools on target systems. They seek ways to achieve lateral movement and discover sensitive data, often deploying credential theft tools to expand their reach. Backdoors also enable unskilled attackers to achieve persistence and execute sophisticated attacks.

Outcomes

After deploying threats and achieving persistence, cybercriminals can launch many types of cyberattacks.

For example, criminals use cybercrime services to gain access to a target’s network and implant ransomware agents. These agents encrypt sensitive data or infrastructure until victims pay a ransom.

CaaS can also enable distributed denial-of-service (DDoS) attacks against network systems. Cybercriminals can extract data from cloud databases, use stolen financial credentials to make illicit transfers, or launch crypto-jacking attacks.

Who runs cybercrime-as-a-service operations?

Security experts estimate that cybercrime-as-a-service vendors earn over $23 billion annually, with an annual growth rate of over 12 percent. The market is increasingly complex, creating an ecosystem with many specialized roles.

Developers handle the production aspect of CaaS. For example, developers might create and update malware to stay ahead of cybersecurity measures. Other development teams focus on building botnets or exploit kits to target recently discovered vulnerabilities.

Affiliates tend to handle marketing and sales for developers. Marketers advertise CaaS products on the dark web and Telegram, along with prices and payment plans. Affiliates often earn commissions from successful attacks (sometimes as high as 30 percent).

Resellers operate independently from developers and affiliates. They sell products directly to customers, often those with less tech knowledge or awareness of the cybercrime landscape. Resellers may combine CaaS sales with tech support to attract buyers. They also buy in bulk and resell subscriptions at significant discounts.

Where does that leave the customers who actually purchase off-the-shelf CaaS products? Many buyers are new entrants to the cybercrime ecosystem. So-called “script kiddies” with few skills use CaaS kits to launch previously inaccessible attacks.

However, organized cybercriminals also rely on CaaS products to expand their operations. These criminals act like conventional businesses, seeking ways to cut costs and maximize revenues.

About NordStellar
NordStellar is a threat exposure management platform that enables enterprises to detect and respond to network threats before they escalate. As a platform and API provider, NordStellar can provide insight into threat actors’ activities and their handling of compromised data. It is designed by Nord Security, the company renowned for its globally acclaimed digital privacy tool NordVPN.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
