The Cybercrime Assembly Line

Light background with a graphic on the right side with three threat actors (one is rolling a large coin, the other is breaking into a computer, and another is interacting with login credentials. There is a dark yellow oval in the top left with the white text "Blog: and blue text below "The Cybercrime Assembly LIne."

Back in 2018, the Center for Strategic and International Studies came to the conclusion that cybercrime cost the world an approximate $600 billion annually, nearly 1% of global GDP. The cyber threat landscape has been constantly evolving, and the amount of money lost to cybercrime has only been increasing. According to IBM, the cost of data breaches has increased 12.7% in the last two years, and the number of cybercrime incidents has never been higher. Unfortunately, all evidence seems to point towards this tendency maintaining its course, as threat actors are always looking for ways to improve their attacks and gain in efficiency.

A factor that may be contributing to the sophistication of threat actors is the commodification of cybercrime. Just like legitimate modern supply chains, we are seeing a niche specialization and efficiency gains as a result of threat actors becoming proficient at one specific part of the cybercrime supply chain. The adoption and evolution of the “as a Service” (aaS) business model in the cybercrime industry has increased the ease of committing cybercrime; providing easier and convenient access to advanced tools and services to even the least evolved of threat actors.

Screenshot of a Phishing as a Service Provider's (LabHost's) membership signup page. The background is a dark navy with white text at the top "Lab Host" with smaller white text below it "Ready to start spamming?" There are buttons below it to select your location of North America or Worldwide, with Monthly Quarterly, and Yearly payment options. There are rectangles below it with descriptions inside for options to buy the Standard Plan or the Premium Plan.
LabHost is a Phishing as a Service provider, with a fully fledged infrastructure, enabling users to host a chosen phishing page and send spam emails to their victims, where they will be prompted to log-in to the impersonated service.

Anything as a Service

The expanding adoption of Ransomware as a Service (RaaS) allowed ransomware group LockBit to gain in notoriety and volume, to the point of being the most active ransomware in the world.  Following an aaS model, the LockBit ransomware is being used by affiliates and Initial Access Brokers (IAB) to infect a targeted organization and extract payments, after which the LockBit group may keep up to ¼ of the ransom payment. This division of labor allows each concerned party to refine their operation; with the RaaS operators focusing on improving and updating their malicious software, and affiliates/IABs to develop and optimize ways to penetrate systems.

Screenshot of LockBit 3.0 "blog." The page shows different 16 blocks that represent stolen data of its victims, and the information is blurred.
The LockBit 3.0 “Blog.” Hosted on the dark web, LockBit published the stolen data from their victims on this blog style page, that is unless the victim pays the ransom.

Following the same idea, it should come as no surprise to see the aaS model being adopted at large in other aspects of cybercrime; malicious actors offering Phishing as a Service, where threat actors can easily set-up phishing pages from various phishing kits offering on rented Virtual Private Servers (VPS); botnet operators renting their infrastructure in order to perform a Distributed Denial of Service (DDoS) attack on a targeted network (DDoS as a Service); Stealer Malware developers being able to focus on developing malware by following the Malware as a Service model, for example, the RedLine stealer malware; or even sometimes all of the above.

Screenshot of Eternity, a dark web hosted shop. The background is black. There are six circles with icons in them, with text below each one for "Stealer," "Miner," "Clipper," "Ransomware," "Worm+Dropper," and DDoS bot.
Eternity is a dark web hosted shop, providing what can essentially be described as “Cybercrime as a Service”, with offerings ranging from traditional malware to a DDoS service.
Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

This evolution in the cybercrime supply chain represents a major concern for everyone, and a growing challenge for the cybersecurity industry as a whole. The ease of use provided by those services, as well as a comprehensive support system provided by the service operators, may well lead to increased adoption of sophisticated tools as well as a new generation of threat actors attracted to the ease of use offered. The refinement of the tools available to threat actors, paired with the ease of (relatively) anonymous communication the Telegram message application provides, will undoubtedly lead to an increasing amount of advanced threats tomorrow’s organizations will have to face.

“Know thy enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.” – Sun Tzu, The Art of War

Cyber attacks are, and will remain, a major issue for today’s organizations. Being better prepared starts with knowledge; knowing how threat actors operate, their tactics and their techniques is of vital importance. This can help in being able to respond to the inevitable cyber attacks and mitigate their impact.

Screenshot of the Frappo Group's Telegram channel where administrators share updates. The background is navy. There are six messages discussing fixed issues and updates.
Frappo is yet another “Phishing as a Service” provider. The administrators are active on Telegram, where they publish updates related to their software, as well as manage a group chat where their users communicate (not pictured here).

Disrupt the Cybercrime Supply Chain with Flare

As threat actors’ methods develop in complexity, cyber teams need to stay ahead of them. Accelerate your organization’s threat identification speed by five times with Flare. Book a demo to learn how Flare can help your team.

Share This Article

Research Team

Flare’s research team conducts investigations and experiments in order to gather data, create new knowledge, and develop new ideas. This helps our team stay ahead of emerging threats and also add insight to our product roadmap.

Related Content