How cybercriminals sell their skills so the average Joe can steal money
'It has lowered the bar for inexperienced actors to launch sophisticated cyberattacks'
Cybercriminals around the world are breaking down the technical barriers that prevent people with little computer knowledge from committing cybercrime.
By offering up their services for a fee, cybercriminals make it possible for almost anyone with a computer and internet connection to steal money and personal information.
"This is having a powerful effect on the world of crime because it has lowered the bar for inexperienced actors to launch sophisticated cyberattacks," said Dima Alhadidi, an assistant professor at the Canadian Institute for Cybersecurity at the University of New Brunswick.
Cybercriminals craft malicious software for clients, including ransomware that encrypts targeted computers and makes data inaccessible unless the victim pays for a special code to decrypt it. Cybercriminals even rent out computing power to aid in criminal activity.
Customers looking to hire a cybercriminal can generally find them on the dark web, an encrypted network hidden from traditional search engines or browsers.
There are even forums where people go to discuss the best websites to visit in order to buy malicious software, according to Staff Sgt. Gurinder Dhanoa with the RCMP federal policing cybercrime unit in Ottawa.
"It's lucrative, right. Individuals are making a vast amount of money in providing these services and individuals using these services are also making money doing these cyberactivities," said Dhanoa.
Some of the cybercriminals selling their services are making more than $100,000 a year selling ransomware alone, according to Alhadidi.
That tidy sum comes at a cost to Canadians who have their money stolen, who end up having to pay a ransom to access their own computers, or otherwise find themselves taken advantage of by cybercriminals trying out their new wares.
The Canadian Anti-Fraud Centre said in 2018 Canadians lost $53,203,247.10 to email, internet and social networking fraud alone.
"We're aware that organized crime and even maybe foreign state actors are utilizing these services to commit criminal activities or to look at intellectual properties," said Dhanoa.
Greed is driving the demand for cybercrime services and that in turn has led to more cybercrime, said Alhadidi.
Florian Kerschbaum agrees. He's an associate professor in the school of computer science and executive director of the Cybersecurity and Privacy Institute at the University of Waterloo.
"Essentially what we have built is a supply chain for cybercrime and clearly that will scale up the amount of cybercrime that is performed," said Kerschbaum. "Ultimately all of the ways where people ... can make money out of you in their attacks, these are the very attacks that are becoming more and more common."
Alhadidi said that growth is easy to spot. As more people step up to provide cybercrime services, the cost of those services has dropped.
In 2016, a massive denial of service attack cost about $80-$100 an hour to perform. That kind of attack involves a network, website or internet device being targeted and flooded with internet traffic until the system can no longer function.
In 2017, the price dropped to $15-$20 an hour, said Alhadidi.
While ransomware kits will run you around $175, malware that steals personal information like credit card numbers can be bought for as little as $13.
The RCMP said it's not clear exactly how much cybercrime is being committed using tools that are sold or rented to people. Nor is it clear how many Canadians may be getting paid to create those tools. Alhadidi said the majority of the people offering these services appear to be located in eastern Europe.
"This is an issue we're seeing in other countries as well and we're working with other law enforcement agencies and collaborating with our international partners to identify these individuals that are offering these services," said Dhanoa.
"We know they exist. It's to find their locations, and once we do we will arrest and prosecute them."
Dhanoa admits that's a big task.
He said cybercrime investigations are complex and highly technical, and people developing cybercrime tools are working hard to avoid getting caught. For instance, he said, there are "multi-layered servers" that aim "to obfuscate their identity and their location."
The RCMP is putting more resources into the fight. Two new cybercrime teams will be formed in Toronto and Montreal. When those teams are up and running the RCMP will have about 69 officers dedicated to tackling cybercrime. Another two RCMP members will also be deployed abroad to help tackle international cybercrime.
Alhadidi believes it's only through international co-operation that police forces will be able to crack down on cybercriminals selling their services.
Still, the rapid growth in the industry alarms her.
"It worries me," said Alhadidi. "Since they get a lot of money, so they will be more and more motivated to do this kind of thing."