Cybercriminal Business Models: They Are Out-Innovating the Rest of Us

Posted on December 10, 2019

Cybercriminals are constantly looking for ways to monetize data they have gained access to. Over time, they have developed a criminal ecosystem, with some of them focusing on specific capabilities or developments, and then selling their product to others. This has allowed rapid flexibility across different business models, as data is transitioned into dollars. Furthermore, their motivations will also determine which business model they use (i.e., criminal, hacktivist or nation state). This criminal ecosystem includes some traditional functions like services, tools, customer satisfaction, but it also has unique functions like secret/private forums, dark web portals acting as clearing houses and money laundering. The final part of the revenue model is operationalizing it.

We can see the criminal’s economic evolution in retail, where first they attacked the payment data (primary credit cards). Once payment cards were better protected, they shifted to stealing PII for identity theft. From there, they pivoted to gift cards and loyalty reward points. All these represent data that can be covered into an income stream.

Some sample methods/models are:

PII to enable identity theft
Credit card theft
Gift card theft/compromise
Reward points theft/compromise
Gaming assets theft and resale
Streaming (live content) theft and resale
Account Takeover fraud
Health Insurance fraud
Synthetic Identities for financial fraud
Ransomware
DDoS extortion attacks
Warranty theft/compromise
Insider trading based on stealing sensitive data
Tax return compromise
Wire fraud (largely social engineering-based)
Media content theft and resale (i.e., news sites)
Click jacking
Coupon abuse
Automated bot purchase of high-demand items for resale

You can think about the functions being broken out into steps or phases. First is targeting and reconnaissance. This could be done by purchasing demographic information on the elderly to target them, or you could pick an industry like local government for ransomware. Next, you must attack the target using things like All-In-One (AIO) bot tools (covered in the Akamai State of the Internet report on Retail) or social engineering (covered in the Akamai State of the Internet report on Financial Services). Once you have access, you need to execute your payload based on your revenue model (i.e., encrypt for ransomware of exfiltrate the data for sale later). Finally, you need to convert what you have into money, often through the use of something like bitcoin or money mules. Each one of these can be done by one person/team or as individual tasks that are sold to the next person in the chain.

Some of the more popular methods criminals are using today to execute these methods or models include credential stuffing automated with bots, IoT based DDoS attacks, JavaScript skimming/form-jacking, and of course, the ever-faithful phishing.

As we think about what criminals are attacking today, it is important to think through what they will go after next. We have protected our e-commerce websites, for example, but have we moved those same protections to the APIs we are building? This requires that we think through the value of our data and determine the impact to brand confidence, direct financial loss and long-term litigation costs if the data is compromised. Then protect it accordingly.

Hackers & Threats

PII application security phishing

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.