Malware-as-a-Service Part I: Cybercrime Getting Highly Organized

Posted by Emma Ban on 2015-08-14 13:00:00

… and what businesses can learn from this undeniable fact

Did you know that cybercrooks can expect to earn 1,425% return on investment from a 30-day malware infection campaign?

If the breathtaking figure reported by Trustwave researchers reflected your business ROI, you’d probably think ‘growth potential unlocked!’ But if you thought that you or your business might, at one point, be among those targeted by such a malware infection campaign, forcing you to feed that ROI, you’d probably start looking for ways to prevent such a gloomy perspective right away. Or at least, you should. Because cybercrime is more organized now, which means it’s more efficient at stealing digital assets and intellectual property on a grand scale, allowing cybercriminals to achieve such ROIs.

Where there’s profit potential, there’s business. And today, most cybercriminal groups are operating like normal businesses. They have organizational charts and even Human Resources departments, they address various black market verticals, and trade various types of commodities, from stolen end-user and company data, to malicious code and criminal services like hacking into corporate networks. Noteworthy, the trade of the latter two commodities has led to a business model called ‘malware-as-a-service (MaaS)’, which demonstrates the increasing levels of sophistication, creativity and maturity within this market.

In order to get a better understanding of the cybercrime landscape, we have to look at it from a business perspective. In this article series, we’ll look at various aspects of the online black market, with a focus on the ‘malware as a service’ business concept, and what targeted organizations can learn from it.  

MaaS: a thriving business model

In recent years, just as businesses have started to adopt the ‘as-a-service’ business model, cybercriminals have found applicability for it as well. Malware-as-a-service (MaaS) is the business delivery model that today’s online black market relies heavily upon.To be fair, cybercrime has always been a very lucrative business. But in time, realizing the amazing profit potential, these bad guys have been innovating the way they’ve been doing business, so as to make it more efficient. And innovation came from both technological advancements – new consumer trends like social media, mobile applications and cloud services being turned into attack vectors – and new business models that proved successful in the legitimate business world. Particularly, the as-a-service models that are all about reducing overall costs and increasing efficiencies by outsourcing non-core competencies.

Using the MaaS model, anyone who is willing to commit a crime on line is now able to launch attacks on internet users and corporations anywhere in the world. And they don’t even need to have the necessary equipment or skills to do that. They can easily pay others to do it, or rent out the necessary tools. But how do they find the “others” and how do they actually go about renting or buying the right tools, in this covert market?

Let’s look at roles and responsibilities, communication and transaction channels. They will show just how organized cybercrime can get. 

MaaS: roles and responsibilities

A recent report by RAND Corporation’s National Security Research Division, Markets for Cybercrime Tools and Stolen Data, states that :

The black market, once a varied landscape of discrete, ad hoc networks of individuals motivated by ego and notoriety, has now become a burgeoning powerhouse of highly organized groups.”

Enterprise-level organized, we may add.


Malware as a service MaaS roles



An example at hand of a “corporate” player within the online black market is industry pioneer, Innovative Marketing, the Ukrainian group behind the notorious fake AV computer virus. They operated as a legitimate company, with C-level positions and an HR department recruiting student talent. They were shut down by the authorities in 2010, after eight years of activity, but the example is living proof that people are actually choosing cybercrime as a profession, and that cyber criminals are as organized, as well-resourced, and as successful as many organizations.

According to the Cyber Defense Review, some of the most successful and well-resourced organized cyber criminals groups are the Russian ones – examples: SpamIt, GlavMed, Chronopay. Other groups whose actions have been notoriously ravaging the online world originate in China, Ghana and Nigeria.




Whether they choose to become freelancers, or part of bigger groups sharing skills with others, the online black market professionals can be subject-matter experts (example: malware creators or cryptanalysts), administrators, intermediaries, brokers and vendors, money mules, and buyers or observers (without skills). Interestingly, as noted in the above-mentioned RAND report, these participants can 

“occupy different levels in the hierarchy of the marketplace, and those at the higher levels typically receive higher compensation. Moving up into the higher and harder-to-access tiers of the market requires extensive vetting that can hinge on personal relationships.”       


MaaS: communication channels


Since they’re operating in the virtual world, it’s easy for them to hide their real identities behind virtual ones. And of course, the means of communication are virtual as well. They can be open, semi-private or private, depending on market tiers and participants’ “seats” in this market hierarchy. Online stores, forums, chat rooms, Internet Relay Chat (IRC), instant messaging (IM) apps, and emails, are the most common means of communication. Some are easy to find, while others can be found and accessed by invitation only, and based on a complex vetting process.

Malware as a service_MaaS_communication_channels


MaaS: lessons from organized cybercrime

As you can see, these underground structures can be very complex and sophisticated, but very successful as well. Looking at some of the biggest data breaches that happened recently, this level of organization is clearly paying off. Although we can only speculate how big the online black market is (in terms of revenue).

What we can do is roughly estimate how much cybercriminal activities can cost their targets. A recent research paper by Juniper, The Future of Cybercrime and Security, says that with rapid digitization of consumers’ lives and enterprise records, the cost of data breaches will amount to $2.1 trillion globally by 2019. It also highlights that the increased professionalism of cybercrime will lead to fewer but more successful attacks on companies and consumers, and that the majority of these breaches will come from existing IT and network infrastructure.

If you thought this section was about business lessons to improve your ROI – it’s not (although, with the impressive figure presented at the beginning of this article, who can blame you?). It’s about mitigating these imminent breaches and avoid corresponding costs, by applying the cybercrime business’ best practices:

  • Collaborating like the cybercrooks are doing, by sharing information about attackers’ tools and tactics, in order to respond in a much more organized way, and hence more efficiently.


  • Thoroughly assessing your IT infrastructure – every physical object connected to the internet – to find possible weak points/entry points. Just as hackers find them and exploit them.


Stay tuned for Malware as a Service Part II to learn how cybercriminals operate on the black market, what commodities they exchange (Trojans, botnets, exploit kits etc.), costs and distribution channels. 

Subscrine to OEM Hub


Find me on:

Emma Ban

Emma Ban is a Content Writer at Bitdefender. Having worked in the industry for more than three years, in both B2C and B2B areas, she has a deep understanding of the online threats that put at risk the security of both consumers and corporations. Thus, her main focus is to provide insights into security technology trends that enable safe environments for companies and their employees. She thoroughly enjoys traveling and has a special interest in fashion technology.

Topics: Threats