Nova Scotia

How cybercriminals sell their skills so the average Joe can steal money

By offering up their services for a fee, cybercriminals make it possible for almost anyone with a computer and internet connection to steal money and personal information.

'It has lowered the bar for inexperienced actors to launch sophisticated cyberattacks'

Cybercriminals are selling their services online and have recently started dropping their prices, making it easier for people to pull off cyberattacks with little technical know-how. (Shutterstock/PR Image Factory)

Cybercriminals around the world are breaking down the technical barriers that prevent people with little computer knowledge from committing cybercrime.

By offering up their services for a fee, cybercriminals make it possible for almost anyone with a computer and internet connection to steal money and personal information.

"This is having a powerful effect on the world of crime because it has lowered the bar for inexperienced actors to launch sophisticated cyberattacks," said Dima Alhadidi, an assistant professor at the Canadian Institute for Cybersecurity at the University of New Brunswick. 

Cybercriminals craft malicious software for clients, including ransomware that encrypts targeted computers and makes data inaccessible unless the victim pays for a special code to decrypt it. Cybercriminals even rent out computing power to aid in criminal activity.

Customers looking to hire a cybercriminal can generally find them on the dark web, an encrypted network hidden from traditional search engines or browsers.

Dima Alhadidi is an assistant professor at the Canadian Institute for Cybersecurity at the University of New Brunswick. (Rob Blanchard/UNB)

There are even forums where people go to discuss the best websites to visit in order to buy malicious software, according to Staff Sgt. Gurinder Dhanoa with the RCMP federal policing cybercrime unit in Ottawa.

"It's lucrative, right. Individuals are making a vast amount of money in providing these services and individuals using these services are also making money doing these cyberactivities," said Dhanoa.  

Some of the cybercriminals selling their services are making more than $100,000 a year selling ransomware alone, according to Alhadidi.  

That tidy sum comes at a cost to Canadians who have their money stolen, who end up having to pay a ransom to access their own computers, or otherwise find themselves taken advantage of by cybercriminals trying out their new wares.   

The Canadian Anti-Fraud Centre said in 2018 Canadians lost $53,203,247.10 to email, internet and social networking fraud alone.  

The RCMP say some of the people looking for cybercrime services are involved with organized crime or foreign governments. (Dmitry A./Shutterstock)

"We're aware that organized crime and even maybe foreign state actors are utilizing these services to commit criminal activities or to look at intellectual properties," said Dhanoa.

Greed is driving the demand for cybercrime services and that in turn has led to more cybercrime, said Alhadidi.  

Florian Kerschbaum agrees. He's an associate professor in the school of computer science and executive director of the Cybersecurity and Privacy Institute at the University of Waterloo.

"Essentially what we have built is a supply chain for cybercrime and clearly that will scale up the amount of cybercrime that is performed," said Kerschbaum. "Ultimately all of the ways where people ... can make money out of you in their attacks, these are the very attacks that are becoming more and more common." 

Florian Kerschbaum is an associate professor in the school of computer science and executive director of the Cybersecurity and Privacy Institute at the University of Waterloo. (Submitted by Florian Kerschbaum)

Alhadidi said that growth is easy to spot. As more people step up to provide cybercrime services, the cost of those services has dropped. 

In 2016, a massive denial of service attack cost about $80-$100 an hour to perform. That kind of attack involves a network, website or internet device being targeted and flooded with internet traffic until the system can no longer function. 

In 2017, the price dropped to $15-$20 an hour, said Alhadidi. 

While ransomware kits will run you around $175, malware that steals personal information like credit card numbers can be bought for as little as $13.

The RCMP said it's not clear exactly how much cybercrime is being committed using tools that are sold or rented to people. Nor is it clear how many Canadians may be getting paid to create those tools. Alhadidi said the majority of the people offering these services appear to be located in eastern Europe.

The RCMP are starting up two new teams devoted to fighting cybercrime. This image depicts an RCMP 911 call centre. (Canadian Press)

"This is a issue we're seeing in other countries as well and we're working with other law enforcement agencies and collaborating with our international partners to identify these individuals that are offering these services," said Dhanoa. 

"We know they exist. It's to find their locations, and once we do we will arrest and prosecute them."         

Dhanoa admits that's a big task. 

He said cybercrime investigations are complex, highly technical and people developing cybercrime tools are working hard to avoid getting caught. For instance, he said, there's "multi-layered servers" that aim "to obfuscate their identity and their location."

Specialized technical staff analyze computer circuitry at the RCMP's highly restricted data forensics lab in Ottawa. (Dave Seglins/CBC)

The RCMP is putting more resources into the fight. Two new cybercrime teams will be formed in Toronto and Montreal. When those teams are up and running the RCMP will have about 69 officers dedicated to tackling cybercrime. Another two RCMP members will also be deployed abroad to help tackle international cybercrime.

Alhadidi believes it's only through international co-operation that police forces will be able to crack down on cybercriminals selling their services. 

Still, the rapid growth in the industry alarms her. 

"It worries me," said Alhadidi. "Since they get a lot of money, so they will be more and more motivated to do this kind of thing." 

ABOUT THE AUTHOR

David Burke

Reporter

David Burke is a reporter in Halifax who covers everything from politics to science. His reports have been featured on The National, World Report and As it Happens, as well as the Information Morning shows in Halifax and Cape Breton.