
Cybercrime as a Service

August 7, 2013 by Pierluigi Paganini

Reading about cybercrime, it is very easy to find terms such as attacks-as-a-service, malware-as-a-service and fraud-as-a-service, which are commonly used to describe the practice of facilitating illegal activities for cybercriminals through the provisioning of services. Security experts working for principal security firms have observed a radical change in the way cybercriminals monetize their activities; instead of earning directly from the sale of illegal products such as malware and exploit kits, the cybercriminals are evolving to respond to a demand in rapid and constant growth.

Cybercriminals in fact offer everything necessary to arrange a cyber fraud or to conduct a cyber attack; the offer is very articulated and includes malicious code and also the infrastructure to control the spreading and operation of the malware (e.g., bullet-proof hosting or rental of compromised machines belonging to huge botnets).

These models of sale, defined as cybercrime-as-a-service, represent the natural evolution of the offer in the underground: criminals can extend their activities to cyberspace easily and without great investment. The diffusion of such a sales model allows cybercriminals without considerable technical expertise to operate; they just need to have money to acquire all they need, including tools and services.

Recent research showed that 17% of European citizens have been victims of identity theft, costing an average of £1,076; the study revealed that there is a strict correlation between the increase of cyber attacks against private citizens and businesses and the availability of tools, exploit kits, and services sold on the black market.

As said on various occasions, the approach to fraudulent activities is becoming even more complete and efficient. When we debated in the past about fraud-as-a-service schemes, we identified the various components for the supply chain management outsourcing/partnerships for illegal services (e.g., hacking services, hosting), software development, distribution of malicious agents, and, of course, customer support. In many cases, post-sales service has also been observed; cybercriminals are able to remain in direct contact with the customers to collect information from the field and suggestions for improving their services.

Most services offered in the underground are characterized by their ease of use and a strong customer orientation. They typically have a user-friendly administration console and dashboard for the control of profits.

The cost of arrangements for criminal activities is shared between all customers, thanks to a model based on a subscription or flat-rate fee, making cybercriminal services convenient and attractive. In this scenario, service providers can increase their earnings and clients benefit from a significant reduction in the expense and knowledge needed to manage the illegal business.

The security community is aware of the immense possibilities of cybercrime, an underground economy that is able to support those models of sales and that is reaching extraordinary figures.

The cloud computing paradigm has brought numerous advantages to the IT industry but also new interesting opportunities for cybercriminals, with the term "attacks-as-a-service" referring to the ability of criminal organizations to offer hacking services, in the majority of cases exploiting cloud-based architectures.

Cybercriminals offer botnets and related command and control servers hosted on cloud architectures for lease or sale; the compromised machines could be used to steal information from the victims (e.g., banking credentials, sensitive information) or to launch massive DDoS attacks against specific targets.

The black market offers a huge quantity of options, such as anonymization services to hide the identity of attackers, or different models of sale, such as pay-per-execution of malware on a compromised machine or the renting of an infected PC for a limited period of time.

Crimeware-as-a-Service (Black Market)

Crimeware-as-a-service includes the identification and the design of the exploits used for the illegal operations, such as cyber espionage or sabotage. The category may also include development of tools and software to support the attack (e.g., keyloggers, bots) and to avoid malicious code detection (e.g., crypters, polymorphic builders). In many cases, criminal organizations also provide the hardware necessary for financial fraud such as card skimming; these devices are considered products in this category of illegal services. The underground provides various families of malicious code available for either sale or rent. The most popular are:

  • Malware services
  • Exploits
  • Professional services

Malware Services

On the black market, it is possible to acquire numerous variants of malware. Many underground forums offer any kind of customization for well-known agents such as the Zeus Trojan. Criminals could decide to pay for a specific customization or to acquire the source code once released; this second option is ideal when there is meaningful expertise in malware coding within the criminal gangs.

Typical examples of malware services sold are:

  • Spyware services for the provisioning of malicious software designed to spy on victims and gather sensitive information. The proposed applications are numerous and include any kind of technology from mobile to desktop.
  • Rootkit services for the provisioning of malicious software designed to hide the presence of malware from the normal methods of detection and enable continued privileged access to victims.
  • Ransomware services for the sale of applications that restrict the victim from using his machine until a specific action is taken (usually payment of a ransom).
  • Professional services include the outsourcing of development of exploits for specific vulnerabilities, an activity that requires technical expertise.



  • Infection/spreading services: ~$100 per 1K installs
  • Crimeware upgrade modules: Zeus modules, as an example, range anywhere from $500 to $10K
  • Remote access Trojans (RATs): features include targeted attacks, with screenshot and webcam feed capabilities. Examples include Gh0st Rat, Poison Ivy and Turkojan ($250).

From Citadel to KINS

In early 2012, security experts discovered the commercial distribution of the Zeus Trojan, a popular malware designed as an open project that can be customized with new features to meet customer demands. The Zeus Trojan is used by cybercriminals to steal banking information by logging keystrokes and form grabbing. It is spread mainly through phishing and drive-by download schemes. Many underground forums proposed an interesting model of sales based on direct contact with customers through forums and social networks used to collect information on bugs and request information regarding the commercial development of new features.

The products were purchased in packages that provide ongoing support and evolutionary maintenance of source code to respond to customer needs. The most popular example of malware distribution was Citadel, a Zeus offshoot, with a web store advertised on several members-only forums that offered malicious hacker developments.

Figure 1 - Citadel Malware

The authors of Citadel proposed a common platform for content sharing based on a social network model. In fact, they offered to provide:

  • A social network for customers, Citadel CRM Store, to allow users to be active players in product development.
  • Reporting bugs and other errors in software with a ticketing system.
  • Code sharing platform that allows each client to share its module and software code with others creating new modules or improvements.
  • Promoting public proposals for software improvements and new features.
  • Efficient Jabber instant message communication channel.

The model introduced is an excellent example of malware-as-a-service, in particular for malware whose source code has been divulged in the underground. Groups of developers usually operate in autonomous communities that take charge of improving the illegal product to meet business needs.

Following is a portion of Citadel description provided by the "Krebs on Security" blog:

The basic Citadel package—a bot builder and botnet administration panel—retails for $2,399 + a $125 monthly "rent," but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator's location(s). According to the authors, if the malware detects that the victim's machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan's creators if there are no local victims.

Just one year later, in early 2013, RSA discovered traces of a new banking Trojan named KINS. Security experts have followed the evolution of the malware in the underground community and they have found an announcement on the Russian black market for the new Trojan toolkit.

The advertisement for the sale of KINS was published on a closed Russian-speaking underground forum. According to RSA experts, the KINS Trojan could have an impact on the banking ecosystem superior to its predecessors SpyEye and Zeus; it is the first public offer of similar malware since the Citadel malicious code was retired from cybercriminal commerce at the end of 2012.

"This is the first actual commercial Trojan we've seen in a while, since Citadel was taken off the market. We haven't seen anything serious enough on the part of malware developers. This is the first time something might materialize into a real, commercial banking Trojan" declared Limor Kessem, cybercrime specialist at RSA.

Is the KINS Trojan linked to other malware such as Zeus or SpyEye?

The advertisement for KINS found by RSA experts claims that the malicious code is a totally new project that is not derived from re-engineering of other malware source code.

KINS has a modular structure. The basic offer includes a bootkit, a dropper, DLLs and Zeus-compatible Web injects. The authors sell KINS for $5,000 in its basic configuration and offer additional modules and plug-ins for $2,000 apiece.

Figure 2 - KINS ad on the black market

The bootkit component is considered one of the most interesting features, since none of KINS's predecessors were equipped with a bootkit. It targets the volume boot record (VBR) and is designed to hide the presence of the Trojan, which takes hold of the infected computer from a much deeper level. The following key features are highlighted by RSA:

  • KINS Trojan architecture is built like Zeus/SpyEye, with a main file and DLL-based plug-ins.
  • KINS is compatible with Zeus web injections, the same as SpyEye.
  • KINS Trojan comes with the anti-rapport plug-in that was featured in SpyEye.
  • KINS will work with RDP (like SpyEye).
  • KINS Trojan does not require technical savvy—much as Zeus doesn't.
  • Users in USSR countries will not be infected by KINS—a feature that was first introduced by Citadel in January 2012.
  • Keeping KINS away from Trojan trackers—a problem that plagued SpyEye
  • Spread via popular exploit packs such as Neutrino, using one of the most sophisticated packs out there.
  • A bootkit in store—the Trojan will take hold of the infected computer from a much deeper level, its volume boot record (VBR).
  • KINS will easily infect machines running Win8 and x64 operating systems.

To have an idea of the cost of a bootkit, consider that the authors of Carberp Trojan offered it on the black market for $40,000, but KINS is the first commercial Trojan that comes with a built-in bootkit mode.


Exploits

The underground also offers a huge quantity of exploits that take advantage of known vulnerabilities and zero-days; their cost depends on various factors, such as the target system and type of flaw identified. The cybercriminals could decide to acquire an exploit or to rent it; for example the CritX toolkit was recently offered for $150 per day. The following image from the McAfee report shows details of exploits related to various systems. An exploit judged as high impact is approximately three times as expensive as those classified as low/moderate.

Figure 3 - Exploits for sale (McAfee Report)

The offer for exploit packs has different options. Many include encryption services to avoid detection by defense mechanisms; others propose testing malicious code against the principal antivirus programs on the market. These services are very useful because they allow testing the beta version of malware without spreading it in the wild.

We mentioned earlier the low cost of cloud computing when compared with internal services, and an association with cybercrime. The prices quoted in the bottom right of Figure 7 undoubtedly validate that assertion. At a cost of $30 per month, and only $0.15 per check, the outsourced service proves not only cost effective but also efficient in terms of time spent. The implications of such a service are very clear: the bad guys have the opportunity to ensure that their malware is better and more likely to succeed, which will have significant ramifications for all Internet users.

Early in 2013, Solutionary's Security Engineering Research Team (SERT) published an analysis of the diffusion of malware and exploit kits observed through its ActiveGuard service platform. The analysis revealed that, despite a 15% drop in event volume in the categories of authentication security, distributed denial of service (DDoS) and reconnaissance, the cyber threat represented by exploit kits is increasing.

The report revealed the surprising efficiency of well-known vulnerabilities that are usually part of popular exploits sold in the underground; around 60% of the total is more than two years old, and 70% of the exploit kits analyzed (26) were released or created in Russia.

The most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do. Meanwhile, the most versatile of these is the Phoenix exploit kit, which supports 16 percent of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, which exploits known vulnerabilities in the most popular applications, frameworks and browsers such as Adobe Reader, Adobe Flash and Java.

Figure 4 - Exploit Kits (SERT)

Figure 5 - Popular Exploit kits

Professional Services

The cybercrime ecosystem also provides professional services such as code development for malware and exploit kits designed to take advantage of a specific vulnerability. The outsourcing of malicious code development is not a new concept; cybercriminals have paid for the design of malware for different purposes. Other professional services available include translations of the content of phishing emails or phishing websites. The following table lists a sample of services and related prices, according to researchers at the security firm Fortinet.



  • Consulting services such as botnet setup: $350-$400
  • Quality assurance vs. detection (crypters, scanners): $10 per month
  • Blackhat search engine optimization (SEO): $80 for 20K spammed backlinks
  • Inter-carrier money exchange and mule services: 25% commission
  • CAPTCHA breaking: $1/1000 CAPTCHAs, done through recruited humans

Cybercrime Infrastructure-as-a-Service (Black market)

One of the most difficult and onerous tasks for novice cybercriminals is the delivery of exploits, since the activity requires a wide network of compromised machines that can be used for the purpose. To assist criminals, the underground offers the possibility of renting a botnet to carry out illegal activities or renting entire platforms to host malicious content, such as bullet-proof hosting. The choice of a proper infrastructure is a critical aspect of criminal activities and it is strictly correlated with the nature of the attack that hackers need to carry out, from malicious content hosting to DDoS. It is relatively easy to rent a botnet in the underground; the offer usually provides many optional services and models of payment. A botnet could be used for sending spam, launching DoS, and distributing malware. The following image, provided by McAfee, shows the various costs for renting botnet services and the various options available.


Figure 6 - Botnet services

Among the most requested services within the model dubbed cybercrime infrastructure-as-a-service are hosting services and spam services. Bulletproof hosting is very often requested: it is a hosting service provided by some domain hosting or web hosting firms that allows their customers to upload and distribute any kind of material. The leniency of bulletproof hosting has been taken advantage of by spammers and providers of online gambling or pornography. A bulletproof host allows a content provider to bypass the laws or contractual terms of service regulating Internet content and service use in its own country of operation, as many of these "bulletproof hosts" are based "overseas." Bulletproof hosting provides various levels of service, based on the specification of the system provided, varying from a few tens to several hundreds of dollars per month. Spam services are also very popular in the underground. The offer includes the availability of mail relays for sending millions of emails. The availability of a great number of infected machines translates into valuable resources and services that cybercriminals can market for considerable profit.

Cybercriminals are offering malware-infected hosts, also known as loads, in a model of sale that proposes the monetization of bot activities through the rental of the compromised systems. Of course, the services offered are totally customizable: Clients can choose the type of malware that infects the victims and their geographic location. It is possible, for example, to rent U.S.-based malware-infected hosts or machines in the European Union.

Security expert Dancho Danchev wrote about a newly launched underground service offering access to thousands of malware-infected machines at upsetting prices. A thousand U.S.-based hosts cost $200, while for a thousand EU-based hosts the price varies between $60 and $120, and the price for a thousand international mix types of hosts is $20.

The different prices applied are calculated based on purchasing power and long-term value of a malware-infected host. U.S. users are considered by cybercriminal organizations to be the wealthiest. The pricing policy is very diffused, but in many cases the malicious services are sold to U.S. users at higher prices. I should add that there are probably also other considerations behind cost evaluation, such as the specific demand in limited areas and the cost of keeping a botnet alive in countries in which cyber security is more responsive.

A few months ago security researchers from Symantec discovered malware-infected computers rented as proxy servers on the black market. Cybercriminals using malware were able to turn infected computers into SOCKS proxy servers to which access is then sold; they used a compromised host to power a commercial proxy service that tunnels potentially malicious traffic through them.



  • Botnets and rentals: distributed denial of service (DDoS) $535 for 5 hours a day for one week, email spam ($40 / 20K emails) and web spam ($2/30 posts)
  • Onshore and offshore hosting (virtual private servers): $6 per month
  • Bulletproof/fast flux hosting (VPNs and reverse proxies): $3 per month
  • Botnets: Features include broadcast command and control, keylogging, download, and spam. Examples include Zeus/ZBot ($700 for old version, $3,000 for the new) and Butterfly ($900)
  • Simplified botnets: Features include download and execute malicious code. Used primarily for rentals/crime-as-a-service. Example includes Bredolab (starts at $50)

Hacking-as-a-Service or Attack as a Service

Cybercriminals could decide to acquire or rent malicious code for the attack or entire infrastructures such as a botnet, but another possibility is to outsource all of the attack activities. This option allows cybercriminals with minimal technical expertise to conduct any kind of attack. Of course, this practice costs more than others, despite the fact that security experts have also found offers of free services provided as a demonstration. A cybercriminal could pay for a hacking service to avoid conducting research on the targets and to skip the acquisition of the tools and architectures necessary for the offensive. One of the most popular services offered in the underground is password cracking. Dancho Danchev recently profiled a WordPress/Joomla brute-forcing and account verification tool; following are some sample screenshots of the web-based tool:

Figure 7 - WordPress/Joomla brute-forcing tool

"This tool is just the tip of the iceberg on an ever-green market segment within the cybercrime ecosystem that continues to push new releases capable of launching brute-forcing attacks against any given Web property," said Danchev. Danchev has highlighted that the underground offer of similar tools is very articulated; brute-forcing tools are very widespread, especially among small gangs of criminals and IT professionals that use them for testing purposes.

DDoS services are also very popular in the cybercrime ecosystem. They are very easy to arrange but the magnitude of an attack depends on the number of machines involved. To skip the recruiting phase and botnet management, and to accelerate the activities, cybercriminals usually pay for a DDoS service for a limited period of time. DDoS service providers offer structures able to target victims with a huge volume of traffic to interfere with their normal business operations. The following picture shows the price list for a "Cheap Professional DDOS Service." These services are usually very user-friendly: the attacker just needs to provide target references and choose the service to pay for to start the attack.

Figure 8 - DDoS service offered in the underground (McAfee)

The cost for a DDoS is very cheap, just $5 per hour for an attack that could have a duration of 3 days.

Attack as a Service: the IM DDOS Case

Security firms have observed the attacks-as-a-service model being used to offer illegal offensive activities. Security experts at the Damballa security firm discovered in the past a group of Chinese hackers that was offering a service dubbed IM DDOS; it was one of the first hacking services that could be rented. For criminals, it was very simple to subscribe to the service. By simply signing in, an attacker could attack any target; it must be considered that the size of the botnet managed by the cybercriminals allowed them to conduct powerful offensives.

Figure 9 - IMDDOS Botnet (Damballa)

Damballa experts maintain that the site claims to only allow attacks against non-legitimate targets such as gambling sites and sites for the dissemination of pirated copies of software and media. Principal clients in this case are copyright holders that pay for attacks against illegal activities that damage their business. The IM DDOS site is written in Mandarin and is very easy to use: Users just have to select the target and the level of attacks against it and the service will do all the rest.

According to the report published by Damballa, domains used by authors of IM DDOS botnet were registered on March 20, 2010, and in April the authors started testing the architecture in China. The botnet grew at a staggering speed despite the fact that security experts consider the malicious code not very sophisticated. The botnet "reached a production peak activity by the second week of August of 25,000 unique recursive DNS lookups/hour to the command-and-control (CnC) servers," a traffic volume comparable to the Mariposa and Virut malicious architectures.

Despite the high performance of the service and the best level of organization offered to the clients, the price for an attack is cheap. It ranges between $150 and $400, and the authors of the service also offer to crack e-mail passwords in less than 48 hours.

In reality, the service providers have a very efficient offer. The prices for an attack on commission are very variable, and the providers also offer a series of services totally free with the intent to retain customers.

Research-as-a-Service (Graymarket)

Research-as-a-Service is a unique category not necessarily linked to illegal activities. The classic example is provided by commercial companies that sell knowledge of zero-day vulnerabilities to organizations that meet their eligibility criteria (e.g., law enforcement). Despite the legal implications of the sale of knowledge about zero-day vulnerabilities, the demand has grown at an impressive pace. The marketplace is open to private individuals and organizations that limit their sale to specific buyers, but it has to be considered that the intermediation role could also be assumed by individuals who sell such intellectual property to entities that do not necessarily respect the same strict eligibility requirements, with obvious consequences.

Many researchers, once they have found a new flaw, prefer to offer their knowledge through the exploit brokering services to be facilitated during the sale.

The prices for a zero-day vulnerability depend on different factors, such as the context of the sale. The knowledge of a flaw sold to an intelligence agency is surely more profitable than one sold to the industry; another factor could be the population of users impacted by the zero day. A flaw in commonly used software is considered very precious.

Research-as-a-service also includes all on-demand information gathering activities, regardless of their purpose. Typically, these services are used by cybercriminals to gather information on targets or to conduct a spamming campaign. Many services offer differentiation on a geographic basis and by category of targets. There are forums that specialize in the sale of email accounts for sectors such as defense or industry. Meanwhile, other commercialized lists also account for generic phishing attacks.

Recently "Krebs on Security" published an interesting post that highlighted the importance of properly protecting our email account. The author confirmed that, in the cybercrime underground, many sellers offer a collection of hacked email accounts and, in many cases the offer is profiled according to users' needs. The analysis of price lists provides interesting insights from security experts. The following data shows various offers and the cost of each account.

  • iTunes account for $8.
  •, and accounts for $6.
  • for $5.
  • Hosting provider for $4.
  • Wireless providers,,, and for $4.
  • Facebook and Twitter for $2.50.

The market for stolen credentials is very prolific, active accounts at,,,, and are sold for a price between $1 and $3.

Figure 10 - Hacked email offer (Krebs on Security)

As explained, a hacked email account is very attractive for cyber espionage purposes to gather information on other accounts that are directly connected. It could be also used for spamming malicious code or to realize more or less tricky frauds based on social engineering techniques. As explained by Krebs, an individual could receive a message from his contact, the hacked email account, asking him to wire money somewhere, claiming the owner of the account was left without money in some part of the globe.


This article has described the trend in the underground to provide services, infrastructures, and tools to conduct illegal activities. The practice is widespread and allows criminals to reduce the time needed for an offensive, increasing their efficiency. The criminal underground offers new efficient services daily that could increase the capabilities of attackers. Offers are very complete and are able to respond to every need. As a result, the volume of cyber attacks is likely to increase; data from different security firms is confirming the forecast. The study of the dynamics of the cybercrime ecosystem is critical to understand the evolution of cyber threats and evaluate proper countermeasures.



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.