NESTA Crime Online - University of Brighton Repository
Crimeware-as-a-Service (CaaS): Parallel to the concept of software-as-a-service, 224 crimeware-as-a-service is rapidly gaining attention in the underground economy. Using CaaS, criminals can now rent malware and hosting services along with any patches needed to defeat security software. The final user only needs to have a target and to identify the type of data they seek to steal, while the technical work can be hired. The emergence of CaaS releases criminals from having to deal with the technical challenges of cybercrime. Under this business model, everything can be rented, from crimeware toolkits to pay-per-infection services.
a) Crimeware toolkits offer off-the-shelf tools that allow criminals to gather and sort out the data stolen, minimising the need for coding skills to operate them. 225 One director of security strategies for a major corporation said “for subscriptions starting as low as $20 (£13.40) per month, such enterprises sell "fully managed exploit engines" that spyware distributors and spammers can use to infiltrate systems worldwide.” 226
b) The pay-per-infection model emulates the ‘pay-as-you-go’ approach, based on actual usage rates. These businesses sell other criminals code that enables them to infect websites with malware or spyware. One interviewee found a website that was initially charging €40 (£35) each time the spyware was downloaded to personal machines; however, the site offered more favourable rates when the traffic increased. 227
Business models are not independent from each other; they often combine. For instance, the swarming model – where participants work together on a common goal – can also include crime-as-a-service elements. Many sources have discussed and made

224 Software as a service (SaaS) is a model of software delivery where an application is hosted as a service provided to customers across the Internet. This model is centred on separating software possession and ownership from its use. Turner, M., Budgen, D., and Brereton, P. (2003). Turning software into a service. Computer, 36(10), pp 38-44 (October).
225 Finjan, (2008), Web Security Trends Reports, Q1.
226 Gunter Ollmann, at IBM's Internet Security Systems X-Force team quoted at: www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9015588.
227 Finjan, (2007), eCriminal eCommerce and the Web Models and Techniques Used to Support it, Baptie Online; by Tim Warner, UK Country Manager, Finjan.