With small businesses increasingly holding large quantities of sensitive customer data, SMEs have become a key target for cybercriminals in recent years. According to the Federation of Small Businesses, 41% of small businesses fell victim to cyber attacks last year.
Fortunately, as this problem grows, small business owners are starting to become aware of their own vulnerability to attacks and many are taking action against them. However, what many small business owners do not realise is that they are running illegal cybercrime operations from their own legitimate websites.
The recently published whitepaper ‘Cybercrime Exposed’ uncovered some shocking truths about cybercriminals. They are not a disparate group of cyber geeks, working separately and haphazardly, but an entire ecosystem of well-practiced experts operating businesses in their own right.
As cloud computing has evolved to enable business owners to offer a range of services remotely, the term ‘as-a-service’ has arisen to accommodate this. It usually refers to services including ‘software-as-a-service’, ‘infrastructure-as-a-service’ and ‘platform-as-a-service’. However, this trend has reached the illegal cyber trade, and criminals are now offering cybercrime-as-a-service:
1. Hacking-as-a-service: In its simplest form, cybercriminals will simply hack a computer, or a number of computers, for an agreed price. With hacking-as-a-service, even the least tech-savvy can gain access to sensitive data such as bank credentials, credit card data, and login details, while people with a grudge to bear, such as ex-employees, are able to pay to outsource a business-damaging attack.
2. Crimeware-as-a-service: This service also allows people with limited tech experience to pay to become cybercriminal masterminds. Cybercrime-as-a-service is the sale of the tools required to launch an attack, ranging from developing code to gain access to websites, to checking malicious files against a range of security software and revealing which security protection is vulnerable to an attack. This particular service also includes translation services, so that criminals can scam victims in foreign countries.
3. Research-as-a-service: For those who simply need to know the addresses of potential victims, or information that will support their attacks, the research can be outsourced. These illicit business owners also sell huge lists of email addresses that can be filtered based on geographic region, or even profession.
4. Infrastructure-as-a-service: While the illegal trades listed in 1-3 rely on selling expertise to make money, there is also a service available that offers the equipment required for an attack. This ranges from renting out a whole network of infected computers, known as a botnet, to leasing out platforms that enable attacks, such as mail relays that facilitate unsolicited emails.
Small business cybercrime facilitators
Despite operating in the illegal underworld, these cybercrime traders do not shy away from the open online world, and are in fact operating right under small business owners’ noses.
As with any business, they require a place to promote their services and many are choosing the forums and comment sections of small business websites to do this. Cybercrime traders take full advantage of the fact that many of the accessible areas on small business websites are largely left unmonitored and forgotten by small business owners. As such, website functions such as comment and review sections and open forums are being used as free advertising space for cybercrime traders.
Moreover, for small business owners that operate open marketplace or ecommerce sites, their legitimate service could be violated by cybercriminals directly selling their illegal services.
At absolutely no cost, cybercrime traders can be found on Google search by amateur hackers looking for black market services. However, other would-be cybercriminals are not the only people that can view these brazen adverts. Customers who happen to stumble across such deals will associate the adverts with the website and, as such, will question the legitimacy of the small business as a whole.
While relying on the resources of small business owners, as well as losing them custom, these cybercrime traders are making big money from their illicit trade.
The whitepaper uncovered a number of lucrative deals, such as the sale of credit card details for £65 each and email addresses for entire geographic regions for £570. However, research-as-a-service vulnerabilities are by far the biggest money-making enterprise, with Apple iOS exploits selling for as much as £160,000.
How to beat the experts
Operating a legitimate small business comes with enough challenges, so you certainly can’t afford to lose trade while cybercriminals get rich. First things first, put a company-wide security plan in place so that all your employees are aware of the agreed procedure for dealing with and avoiding threats. Allowing cybercriminals to sell your own customers’ details or company IP on your own site would be a double blow, so make sure that all sensitive data is protected.
Vigilance is key – make a habit of checking your website for these dodgy trades on a regular basis to ensure that your honest small business isn’t tarred with the same brush as these unethical traders.
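
One way to make that regular check routine, shown as an added example that is not part of the original article: a Python screen over comments or reviews exported from the site, which holds any entry matching two or more signal categories for manual review. The patterns, function names and sample comments are constructed assumptions to be tuned against the spam a given site actually receives.

```python
import re

# Constructed signal patterns, based on the service types the article lists;
# they are illustrative assumptions, not a vetted blocklist.
SIGNALS = {
    "service_offer": re.compile(
        r"\b(?:hack(?:ing|ers?)? for hire|botnets?|exploits?|"
        r"credit card (?:details|data|numbers)|"
        r"email (?:lists?|addresses)|mail relays?)\b", re.I),
    "price": re.compile(
        r"(?:[£$€]\s?\d[\d,]*|\b\d[\d,]*\s?(?:usd|gbp|btc)\b)", re.I),
    "offsite_contact": re.compile(
        r"\b(?:icq|jabber|telegram|skype)\b|[\w.+-]+@[\w-]+\.[\w.-]+", re.I),
}


def signals_in(text):
    """Return the sorted names of every signal category found in the text."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))


def review_queue(comments, threshold=2):
    """Return (comment_id, signals) for comments hitting >= threshold categories.

    Requiring two categories keeps an honest review that merely mentions a
    price, or a customer who leaves an email address, out of the queue.
    """
    queue = []
    for comment_id, text in comments:
        hits = signals_in(text)
        if len(hits) >= threshold:
            queue.append((comment_id, hits))
    return queue


# Constructed sample comments, shaped like rows exported from a CMS.
SAMPLE_COMMENTS = [
    (101, "Great service, my order arrived in two days. Well worth the £25."),
    (102, "Botnet rental and fresh email lists, from $50. Contact on ICQ 000000."),
    (103, "Does anyone know if the shop ships to Ireland?"),
    (104, "Hackers for hire, any site. Write to seller@example.invalid"),
]

if __name__ == "__main__":
    for comment_id, hits in review_queue(SAMPLE_COMMENTS):
        print(f"hold comment {comment_id} for review: {', '.join(hits)}")
```

Flagged entries are candidates for a human moderator, not automatic deletions; run the screen on a schedule against new comments, reviews and forum posts.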