While the dollar doesn’t go as far as it used to, cybercrime mayhem is surprisingly cheap — as little as $5 a hack. This sort of attack has been dubbed “cybercrime as a service.” It’s an emerging cybersecurity threat that involves a hacker being hired on the dark web by a third party to hack a specific target.

Cybercrime as a service is a worrying trend. It broadens the potential risks for your business and its key employees, creating financial, operational and reputational risks. Understanding this threat better prepares you to take the right steps to protect what matters and minimize your risks. Here’s what to know.

About Cybercrime as a Service

In today’s tech-savvy world, many things that used to be thought of as end products now operate more like an ongoing service. You used to go to a store to rent movies and buy music. Now you subscribe to online services that stream the same media on-demand to your computer. Similarly, software once came in a box with floppy disks and a book of instructions. Now companies offer complete software solutions online, supporting the app itself with regular updates and access to tutorials, help guides and customer service reps.

The term cybercrime as a service (CaaS) is a play on this concept of software as a service (SaaS). Despite increased digital literacy, the technical knowhow needed to overcome the modern cybersecurity defenses of commercial computer networks is still a highly specialized skill. However, the demand for nefarious computer hacks is huge. Hackers did the obvious thing and started offering access to their skillset for a fee. This practice first appeared a while ago, but it is now far more prevalent and accessible than it used to be.

A whole underground ecosystem of websites and services is now available on the dark web to help ordinary internet users facilitate complex hacks of organizations and individuals. Hackers-for-hire can post promotional ads on dark web forums and directories advertising their services. Illicit escrow services stand by, ready to hold onto a customer’s funds for a commissioned hack until the services are rendered by the hacker. Review sites even exist that let such cybercrime customers provide public feedback on the work quality of a particular hacker.

About the Dark Web

All this activity takes place on something called the dark web. Many people have heard the term, but it can be helpful to have a better understanding of what cybersecurity professionals are talking about when they bring it up.

The Surface Web

It can help to think of the internet as a bit like a metaphorical iceberg. Some of it is visible above water. This part of the web is called the surface web or open web. It’s everything that appears in search engines, like all public web pages for businesses and organizations, personal blogs, forums, directories and so forth. However, a lot more content is required behind the scenes to keep this surface-level internet running. This other part of the internet is called the deep web.

The Deep Web

Like the part of an iceberg below the surface, the deep web is much larger than what is visible on the surface. The deep web includes things like the encrypted data kept behind email logins and website paywalls, secure systems for governments, militaries and medical systems, and even systems like the technical utility infrastructure that keeps the internet itself up and running.

The deep web internet was originally designed to be separate from the surface web to more easily secure sensitive data. However, there are no regulations preventing ordinary people or groups from making a website available using the deep web’s infrastructure. These deep web sites form a network referred to as the dark web.

The Dark Web

The dark web is a small part of the deep web that runs on thousands of computer relays hosted by volunteers all over the globe. This setup sends every internet traffic request through numerous relays, anonymizing both internet users and the sites they are visiting. Many privacy advocates use the dark web to host personal and organizational websites, blogs and forums. These special dark web sites are known as .onion sites and they’re accessible through special web browsers, such as the Tor Project web browser.

Because the dark web is an anonymous, unlisted and unregulated part of the internet’s core infrastructure, it attracts users seeking to use that privacy and anonymity for illicit purposes, such as selling illegal goods and services. In itself, it’s not the dark web which is illegal, it’s the illegal activity which takes place on it that’s the problem. Further, due to the anonymity this part of the global internet offers, there’s not a lot that can be done about it. Tracking down specific hackers is a resource-intensive endeavor, so law enforcement has to choose its battles. Typically, most of these resources go to monitoring of major cross-border criminal activity, with little attention paid to small-time hackers-for-hire.

In essence, this is the dark web—privacy-focused legal website owners and their site visitors, small-time hackers and major crime syndicates operating semi-openly and law enforcement keeping an eye on what it can from the sidelines. This all makes the dark web risky for regular internet users who can fall victim to hacks themselves if they download the wrong file or interact with the wrong crowd.

Tracking Cybercrime as a Service Scams on the Dark Web

With the logistics limiting the reach of law enforcement, private cybersecurity enterprises and industry professionals typically fill the void, monitoring for threats that could affect ordinary businesses and computer users. A lot of good comes from these efforts. Many of recommendations about security updates and software patches pushed out to users by IT professionals come about as a result of this monitoring of dark web activity. General tips and advice on cybersecurity are another result familiar to business owners.

Industry reports on cybercrime activity also come about as part of these dark web investigations. A report published in Cyber Defense Magazine reveals details about hacking-for-hire and how it operates as a sort of cybercrime as a service:

1. Website Take-Down Hacks for $5 to $500

A working website is crucial for most businesses operating today. When a website goes down, new potential clients and customers can’t see or buy your products or services, while existing clients and customers can’t access customer service information, customer/client login areas or online help. The problem can impact sales, bog down cybersecurity resources and have a negative impact on a business’s reputation.

Yet websites are very vulnerable to attack. Taking a website offline for a few minutes to entire days is possible with something called a Distributed Denial of Service (DDoS) attack. A DDoS attack sends a very high volume of website traffic requests to a website’s server all at once. The server gets overwhelmed and the site goes offline.

DDoS attacks are a standard tool hackers have used for years to take down specific websites. On the dark web, it’s possible to commission a hacker to initiate a DDoS attack against a site of your choice for as little as $5. Such a cheap hack will usually only take down a site for a short period of time. Once the website administrator realizes the problem, the site can usually be brought back online fairly quickly. However, continuous attacks that keep sites offline for 24 hours or longer are also possible. Hackers advertise these services for just $500.

2. Loyalty Points Hacks for $16 to $70

Across a number of industries, loyalty points are a key part of business product or service offerings. If there are problems with this customer rewards system, it can create a lot of problems. Ensuring valid points are accurately scored and correctly distributed can be a technical challenge. If customers lose points or have them stolen, trust can be lost. Most importantly, if counterfeit points are used on purchases, businesses can lose out on millions in revenue.

Because of the financial incentives, there’s a strong demand for hackers able to game loyalty points systems. These types of hacks-for-hire are another case where significant damage can be done for small sums of money. Hackers on the dark web have advertised the ability to deliver cybercrime customers 50,000 gaming loyalty points for only $16 and 200,000 frequent flyer miles for as little as $70. Other types of points are also available.

3. Personal Sabotage Hacks for $20 to $2500

In today’s world, nearly everyone stores much of their personal and private information in digital formats. While many cloud-based systems come with built-in security to limit broad-based attacks, a significant risk can still exist when a hacker sets their sights on a specific target.

Phishing, malware and email compromise scams can be used to obtain credentials the hacker can use to commit targeted malicious attacks. These hacks are often characterized as vendetta attacks — hackers can steal and expose private data, delete personal backups and alter stored information to cause frustration, embarrassment or worse.

The cost of such life disruption ranges widely, from a notorious group that used to offer online attacks for $20 to more sophisticated attacks that charge as much as $1500 to $2500 per target for more comprehensive personal sabotage attacks.

4. Personal Records Hacks for $120 to $200

In certain situations, background checks are common. Employers, landlords, banks and utility companies routinely request information about a person’s personal details, background or financial details to provide employment, lodging, loans or other basic services. The information provided is handled by law-abiding firms following well-defined rules and privacy guidelines. But personal records hackers aren’t bound by any such conventions.

Often, much of a person’s personal information is available online behind a thin veil of security. Whether through previous identity theft and data breach hauls or through a new targeted hack of a recordholder with information about a target, hackers can access information about a person’s life, background and finances. Worst of all, this sensitive information can be turned over to anyone willing to pay for it.

The going rate on the dark web for these sorts of illicit personal records hacks is fairly cheap, costing anywhere from $120 to $200. While anyone can become a victim of such a hack, high-net-worth individuals are a prime target, along with the young or elderly.

5. Spyware Malware Hacks for $240+

Computers log data for all sorts of legitimate reasons — file backups help protect records, crash reports help software companies improve products, location data helps search engines provide better results, and camera and microphone recordings help users create their own content. Unfortunately, logged data is also at risk from hackers, who may steal it, share it publicly or use it to spy on users.

Spyware is a type of malware computer virus that is specially designed to spy on users. It can infect networks, laptops and even phones. Hackers can use spyware to monitor a user’s activity, spy on chats and text messages, steal passwords, track geographic movements, make secret recordings and steal photos or other private data. Low-level spyware is a fairly common issue among computer users, but stakes can be much higher when a specific individual’s devices are targeted.

Some hackers specialized in these targeted spyware hacks, tricking users into installing the malware virus on their device with infected emails, downloads or website visits. Once installed, the hacker can use the user’s private data for any number of illicit purposes. Hackers have been found offering such services for sale on the dark web starting as low as $240.

6. Social Media Hacks for $300+

Social media is a fantastic tool for keeping up with friends, building community and connecting a business with its customers and clients. However, social media can also pose a risk — particularly when the account owner loses control to a hacker.

In these cases, hackers can post embarrassing or reputation-damaging information, hoaxes and more. Some hackers use stolen social media accounts to promote crypto scams or spread computer viruses. Because followers tend to trust posts from a familiar user, they may click on links they would otherwise skip or ignore coming from a stranger.

Unfortunately, hackers are quite good at hacking social media accounts, attempting to take over about 1 million accounts every day. Phishing attacks, credential-stuffing, email scams and more are used in social media hacks. To capitalize on their skillset, such hackers charge $300 and up for the targeted takeover of an individual’s or business’s social media accounts.

Protecting Your Assets, Operations and Reputation

If there’s one thing the emerging trend of cybercrime as a service reminds us of, it’s that cybersecurity is never boring. Hackers are always looking for new ways to gain access to your digital assets and cause problems for individuals and businesses. Selling these illicit services to less technically savvy criminals on the dark web is just their newest strategy.

Whether it’s through website takedowns, personal hacks or other means, these hacker-for-hire scams are costly for businesses like yours. Interference with websites, social media accounts and loyalty point systems costs companies millions in sales and lost opportunity every year. Personal hacks targeting executives can also be costly, creating problems in business dealings, relationships and more.

Protecting your business’s assets, operations and reputation with the right insurance is key. Coverage from Lockton Affinity’s CyberLock Defense is tailored to suit the risks of your industry and your business. To learn more about our industry-leading protection, click here.