Next thing to worry about: Cybercrime as a service

Placeholder Image for Article Template

You've heard of software as a service and infrastructure as a service. Now you need to pay close attention to cybercrime as a service, one of the more insidious -- and burgeoning -- forms of organized attack.

Many of the recent high-profile data breaches at retailers like Target, and Nieman-Marcus leveraged off-the-shelf Internet-based cybercrime kits, according to McAfee Labs' latest quarterly report. That increased simplicity and availability could mean dangers for federal agencies' networks and facilities.

"If cybercriminals could execute such large-scale attacks on retailers – particularly Target – they could attempt the same against government agencies," Patrick Flynn, McAfee’s director for homeland/national security, told FCW in an email. "The administrators of federal sites that are citizen-facing and store large amounts of personal information need to be especially vigilant. Ironically, attackers taking advantage of cybercrime as a service don’t need anywhere near the same expertise.”

Hacking for dummies, indeed.

Just as typical cloud--as-a-service and infrastructure-as-a-service capabilities bring operational efficiencies to more enterprises, cloud-based malware can bring more sophisticated attack skills within the reach of a larger pool of possibly less-talented hackers.

The attacks against major retailers exposed the data of hundreds of thousands of the store's customers to electronic thieves that hacked into its point-of-sale terminals. McAfee called the Target breach one of the biggest of all time.

The attacks, while enormous, weren't unprecedented. What made the latest round different was not only the size of the thefts, but that they were apparently done with pre-packaged tools tailored to the specific job.

"During the last few years we have seen a notable rise in the malware families POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook, and others, many of which are available for purchase online," said the report.

McAfee said Target uses a custom-built POS application, which means that the attackers could not learn the system offline, via readily available leaks of commercial POS applications. McAfee said that although the malware that attacked Target was based on a known entity called BlackPOS, it had several customized capabilities that allowed it to behave in a certain way once inside Target's environment.

McAfee analysts said the attacks were "far from advanced," but noted that the off-the-shelf, family of BlackPOS malware shows that such packages can easily be modified and redistributed with little programming skill or knowledge of malware functionality. In the past, BlackPOS source code has also been incorporated into Zeus/Citadel, Gh0st, Poison Ivy, and many other kits, showing that almost anyone can employ, modify and use them for nefarious purposes.

“Cybercriminals don’t have to be technical experts to get the job done,” Flynn said. “In fact, they only need a credit card.”

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Wed, Mar 12, 2014 IDTheftResearcher

Crime as a Service (CaaS) is nothing new; "murders for hire" arrangements are similar. An extreme example of cyber CaaS: 12 yr old Canadian hacker paid in video games.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group