These As-A-Service Models Are Getting Out of Hand

Image Source: Checkpoint
There has been a massive increase in the availability, variety, and adoption of Cybercrime-as-a-Service (CaaS) tools. These services offer potential bad actors a low-cost, low-barrier entry into cybercrime by providing rentable, user-friendly tools and infrastructure for launching cyberattacks. Customer support is often included, allowing affiliates (cybercriminals) who rent these services to reach out to the developers for assistance.
No longer standalone operations, these services are often run by teams of threat actors, each with a distinct role to keep operations running smoothly and maintain the backend while still receiving regular payouts from affiliate-driven attacks. Originally a niche underground market, CaaS has transformed into a multi-billion-dollar global industry, making hacking accessible to potential criminals through subscription plans that start at $50.
Ransomware-as-a-Service (RaaS)
While many new players are making names for themselves in the RaaS market, older, more established ransomware developers have also created their own rentable ransomware infrastructure. These kits handle key aspects of a ransomware attack, including ransom notes, payment portals, data encryption, and malware maintenance.
RansomHub, though still newer to the scene, has quickly made a name for itself with its double-extortion tactics – stealing data before encrypting victims’ systems. These aggressive tactics, along with the affiliate’s larger-than-average share of the ransom payment, help this RaaS model continue to dominate the landscape. Some of the older, more well-known groups include Akira, known for targeting small-to-medium enterprises (SMEs) and critical infrastructure; Qilin, whose highly customizable platform frequently targets the healthcare and manufacturing sectors; and LockBit, which created a RaaS model that enabled faster, more automated attacks.
Phishing-as-a-Service (PhaaS)
Over time, the phishing landscape has become increasingly dominated by PhaaS kit providers. These providers offer services such as email templates, fake websites used to harvest credentials, and Adversary-in-the-Middle (AitM) technologies that not only capture credentials in real time but also steal session tokens, allowing threat actors to bypass multi-factor authentication prompts.
Some of the major players include EvilProxy, known for its session token-stealing capabilities that can grant access to accounts without the victim’s knowledge. Using AI to scrape targeted companies for signature styles, tone, and branding, Greatness aims to create lures that mirror legitimate brand messages and alerts. New kits, such as Kratos and Venom Stealer, specialize in ClickFix social engineering, which tricks users into pasting malicious commands directly into their terminals, often by posing as OS update or CAPTCHA errors.
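The AitM technique described above leaves a defender one useful signal: a session token that completed MFA in the victim’s browser is later replayed from the attacker’s infrastructure. The following is an added illustration, not code from the NJCCIC advisory or any of the kits named here; the log format, field names, and sample events are constructed for the example.

```python
# Added example (not from the NJCCIC advisory): flag reuse of a session token
# from a network/client that differs from the one that completed MFA, the
# tell-tale sign of an AitM phishing kit replaying a stolen token.
import json

# Constructed sample log lines: session s-1 completes MFA in the victim's
# browser, then the same session id is replayed from a different network.
SAMPLE_LOG = """\
{"ts": 1, "event": "mfa_ok",  "sid": "s-1", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/128"}
{"ts": 2, "event": "request", "sid": "s-1", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/128"}
{"ts": 3, "event": "request", "sid": "s-1", "user": "alice", "ip": "198.51.100.7", "ua": "python-requests/2.32"}
{"ts": 4, "event": "mfa_ok",  "sid": "s-2", "user": "bob",   "ip": "192.0.2.44",   "ua": "Chrome/126"}
{"ts": 5, "event": "request", "sid": "s-2", "user": "bob",   "ip": "192.0.2.44",   "ua": "Chrome/126"}
{"ts": 6, "event": "request", "sid": "s-9", "user": "carol", "ip": "198.51.100.7", "ua": "curl/8.8"}
"""


def find_session_hijacks(log_text: str) -> list[dict]:
    """Return one finding per request whose source IP or user agent differs
    from what was recorded when the session passed MFA, or whose session id
    was never seen completing MFA at all."""
    bound = {}       # sid -> (ip, ua) recorded at MFA completion
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        sid = ev["sid"]
        if ev["event"] == "mfa_ok":
            bound[sid] = (ev["ip"], ev["ua"])   # bind the token to its origin
            continue
        if sid not in bound:
            findings.append({"sid": sid, "user": ev["user"], "ts": ev["ts"],
                             "reason": "session used without MFA record"})
            continue
        ip, ua = bound[sid]
        reasons = []
        if ev["ip"] != ip:
            reasons.append(f"ip {ip} -> {ev['ip']}")
        if ev["ua"] != ua:
            reasons.append(f"ua {ua} -> {ev['ua']}")
        if reasons:
            findings.append({"sid": sid, "user": ev["user"], "ts": ev["ts"],
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_session_hijacks(SAMPLE_LOG):
        print(f"[ALERT] session {f['sid']} ({f['user']}) ts={f['ts']}: {f['reason']}")
```

In production the same binding check belongs in the application or identity provider, which can invalidate the session and force re-authentication rather than only alerting.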
Malware-as-a-Service (MaaS)
MaaS encompasses a broader range of attacks. Some providers specialize in infostealer malware that steals data such as browser cookies, autofill data, clipboard information, cryptocurrency wallets, and credentials. Lumma Stealer is a popular infostealer that is regularly updated to evade endpoint detection and response (EDR) systems. Other providers, such as SocGholish, are known as initial access brokers (IABs). IABs gain access to networks and sell that access through criminal forums, auctions, or directly to other cybercriminals. These initial access attacks can also leave behind loaders, which, when installed on a device, can download, install, and execute additional malware, including infostealers, ransomware, and cryptominers.
Other types of MaaS include Distributed Denial-of-Service (DDoS) as a Service, which lets affiliates rent a botnet to overwhelm a website with traffic and take it offline. Deepfakes as a Service offers rentable AI tools that can clone an executive’s voice or face in real time for voice or video calls, often used to target high-value wire transfers.
Recommendations
Exercise caution with communications from known senders or legitimate platforms. Confirm requests from senders using contact information obtained from verified, official sources before taking action, such as clicking links or opening attachments.

Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.

Enable multi-factor authentication (MFA) and keep systems and browsers up to date. If victimized, disconnect from the internet and run anti-virus/anti-malware scans.

Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.

If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.

Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
Glossary
Adversary-in-the-Middle – The attacker secretly relays and possibly alters communications between two parties who believe they are communicating directly with each other.
Deepfake – Images, videos, or audio that have been edited or generated using artificial intelligence, AI-based tools, or audio-video editing software.
Distributed Denial-of-Service (DDoS) – A cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network.
Malware – Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system.
Phishing – The use of convincing emails or other messages to trick us into opening harmful links or downloading malicious software.
Ransomware – A type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.
Session Token – A temporary digital key used to verify a user’s identity after login, enabling secure and continuous access to web applications.