The security landscape has evolved to a point where most IT threats occur with the intention of generating financial gain for their creators and financiers. Based on this premise, various attack or threat types have proliferated and evolved to affect a greater number of users and organizations.

The cybercrime "business model" is based on creating a value chain that offers new methods, for example cybercrime as a service, that is, the practice of facilitating illegal activities via services. In other words, anyone could acquire everything they need to organize frauds or cyberattacks, whatever their skills or technical knowledge.

Cybercrime services for the highest bidder

The services sales model represents the natural evolution of the offer into a market that is responding to a constantly growing demand. This means that IT threat developers, as well as those monetizing stolen data or kidnapping data, have begun to extend their portfolios, activities, and operations into a market that is requesting this type of service, whether it be to affect companies, industries, users, or even governments.

  • Fraud as a Service (FaaS)

In the cybercrime arena, one of the industries most affected by fraud is banking. A significant number of threats in the digital era have been developed to generate losses for the users, mainly in the credit and debit card sector, although fraud is not only limited to this transaction option.

Similarly, the range of threats goes from stealing cards, skimming and social engineering to attacks by phishing, and malware such as PoS (Point of Sale) and banking trojans – all with the intention of obtaining banking data. In this context, fraud as a service can be offered, from the sale of tools to carry out skimming to malicious codes especially developed to steal financial data, such as Zeus.

  • Malware as a Service (MaaS)

Additionally, some years ago malicious code began to be offered as a service, developed for specific activities and in parallel with exploit kits. Once they have infiltrated systems via vulnerabilities, they can insert malware to steal data and passwords, spy on users’ activities, send spam, and access and remotely control the infected equipment using an entire command and control (C&C) infrastructure.

This same principle has been used to begin to propagate ransomware, that is, malicious code designed to kidnap files or systems and ask for a payment to retrieve them, thus taking the principle of extortion, as applied to the digital environment, to a new level. Exploit kits or botnets such as Betabot have begun to diversify their malicious activities.

  • Ransomware as a Service (RaaS)

The main idea of ransomware as a service focuses on the fact that the people who develop this threat are not those who propagate it – their task is limited to developing tools that are capable of generating this type of malware automatically. Consequently, a different group of individuals is involved in using these tools to create than the group propagating it, whatever their skills or technical knowledge.

In this business model, both the developers of the tools for generating ransomware and the individuals who distribute it enjoy financial gains, in a "win-win" relationship. A well-known example of ransomware as a service is Tox.

  • Attacks as a Service (AaaS)

In the same context, attacks can be offered as a service. For example, different attacks such as distributed denials of service (DDoS) may be the result of a large number of infected systems belonging to a botnet, which are offered and hired out so that this type of attack can be carried out. Moreover, they can be used to propagate more malicious code, send unwanted mass mails, or even be used to mine bitcoins.

Cybercrime development and cybersecurity paradigms


As is apparent, there are a wide range of IT threats that can interact to offer new options to the cybercrime industry, and which are available to anyone who has enough resources to acquire them.

In the cybersecurity sector, it is important to emphasize that the new conditions that have been evolving over recent years bring two sides face to face: those responsible for protecting key assets in organizations, against specialized, organized groups who invest resources such as time and money in developing these cybercrime services, in a market which continues to need them.

In this context, data security management has gone from wondering whether the organization may or may not be affected to a focus that assumes that the organization will be attacked: it is only a matter of time before it occurs. So, from this perspective, protection measures can be proactive, that is, coming up with realistic scenarios in which data or other critical assets may be affected, so that the processes and data need to be protected through a holistic focus.

This also involves developing defensive, offensive, reactive, and proactive strategies, to try to avoid or resolve security incidents and reduce risk to an acceptable level, in line with each organization's risk aversion or propensity. The focus, moreover, takes security to be a process that cuts across the business’s essential activities and which needs to be improved on an ongoing basis.