Cybercriminal Business Models: They Are Out-Innovating the Rest of Us

Posted by Steve Winterfeld

Cybercriminals are constantly looking for ways to monetize data they have gained access to. Over time, they have developed a criminal ecosystem, with some of them focusing on specific capabilities or developments, and then selling their product to others. This has allowed rapid flexibility across different business models, as data is transitioned into dollars. Furthermore, their motivations will also determine which business model they use (i.e., criminal, hacktivist or nation state). This criminal ecosystem includes some traditional functions like services, tools and customer satisfaction, but it also has unique functions like secret/private forums, dark web portals acting as clearing houses, and money laundering. The final part of the revenue model is operationalizing it.

We can see the criminals' economic evolution in retail, where first they attacked the payment data (primarily credit cards). Once payment cards were better protected, they shifted to stealing PII for identity theft. From there, they pivoted to gift cards and loyalty reward points. All these represent data that can be converted into an income stream.

Some sample methods/models are:

  • PII to enable identity theft
  • Credit card theft  
  • Gift card theft/compromise
  • Reward points theft/compromise
  • Gaming assets theft and resale
  • Streaming (live content) theft and resale 
  • Account Takeover fraud
  • Health Insurance fraud
  • Synthetic Identities for financial fraud
  • Ransomware
  • DDoS extortion attacks
  • Warranty theft/compromise
  • Insider trading based on stealing sensitive data
  • Tax return compromise
  • Wire fraud (largely social engineering-based)
  • Media content theft and resale (i.e., news sites)
  • Click jacking
  • Coupon abuse 
  • Automated bot purchase of high-demand items for resale

You can think about the functions being broken out into steps or phases. First is targeting and reconnaissance. This could be done by purchasing demographic information on the elderly to target them, or you could pick an industry like local government for ransomware. Next, you must attack the target using things like All-In-One (AIO) bot tools (covered in the Akamai State of the Internet report on Retail) or social engineering (covered in the Akamai State of the Internet report on Financial Services). Once you have access, you need to execute your payload based on your revenue model (i.e., encrypt for ransomware or exfiltrate the data for sale later). Finally, you need to convert what you have into money, often through the use of something like bitcoin or money mules. Each one of these can be done by one person/team or as individual tasks that are sold to the next person in the chain.

Some of the more popular methods criminals are using today to execute these methods or models include credential stuffing automated with bots, IoT-based DDoS attacks, JavaScript skimming/form-jacking, and of course, the ever-faithful phishing.

As we think about what criminals are attacking today, it is important to think through what they will go after next. We have protected our e-commerce websites, for example, but have we moved those same protections to the APIs we are building? This requires that we think through the value of our data and determine the impact to brand confidence, direct financial loss and long-term litigation costs if the data is compromised. Then protect it accordingly.

Steve Winterfeld

Advisory CISO, Akamai
