In the barrage of cyber security news making waves in international media recently, one headline somewhere in the swarm of websites could easily have escaped your attention: “Prices fall, services rise in malware-as-a-service market”.
There are criminal groups just waiting to sell their unique hacking skills to damage an organization, rather than using them just for fun, as most hackers were doing a few years ago. These groups see huge cash, as a company might hire hackers to spy on a competitor and gain a business advantage overnight, or a disgruntled employee might want to teach his boss a lesson by formatting a server at the company that fired him.
One can hire a web root (the underground service provider) botnet of 1000 computers, which can launch a distributed denial-of-service attack, for just under $100, and a 10,000-computer botnet will make you poorer by another $5000.
These services offer malware that can convert a target computer into an anonymization proxy, so that one can browse prohibited sites or launch attacks from an unsuspecting employee's compromised desktop.
There is a service called Capfire4 whose web portal offers the possibility to create a customized version of malware, provides an online console, and allows the buyer to control the networks which the malware has already compromised, all in a trendy GUI. As of now, this service offers remote control and password recovery, based on what you pay through PayPal or bitcoin to maintain anonymity. Most of these services are offered cloud-based, infamously referred to as the dark cloud.
Imagine seeing one of your corporate network systems on the screen of an aspiring cybercriminal when he logs into this online malware-as-a-service site.
The rule of hacking- or malware-as-a-service providers is simple: the more time it takes, the more you end up paying. A simple DDoS would be just around $100, and complete control capabilities on a network with bots such as ZeuS would cost up to $20,000, all depending on who wants the service, how they want to utilize it, and where they want to inflict the damage. The more value a service provides, the more one can rest assured that an organization or entity is usually behind it.
Just as with legitimate and legal white hat hackers and IT/Network security professionals, various hackers also have their specialties and niche skills. There may be some who are more skilled in programming and writing viruses, Trojans or backdoors, just as there are IT security professionals who are skilled at writing signatures to detect such malware and are involved in antivirus/antimalware products. There may be others who are more skilled in identifying vulnerabilities in software or operating systems including mobile operating systems. There may be others who are masters at breaking into websites or networks.
This is as diverse as the list of professional network security certifications that IT professionals strive to acquire to make themselves more marketable, except that the certifications in the dark underground are based on the market value of a hacker who has been successful with engagements similar to this and his/her rating within the hacker community.
Cloud-based hacking/malware/Trojan-as-a-service will only grow in size as days pass, as long as there are customers actively buying these services.
No one can stop a criminal from engaging in an activity like this to steal or damage a company's information, but an effective security strategy to detect such attacks in all corners of a corporate network will surely go a long way in keeping unwanted trouble at bay.