Do you suspect that your partner is cheating on you and want to find out the truth by installing spyware on their phone?
Or, perhaps you are a student who wants to get out of an online classroom so you can play an online game with friends?
How about some Zoom raiding for a mere Rs 50-100?
Or, are you a person who wishes to hack into someone’s phone or laptop, and steal their financial details?
Crimeware-as-a-Service (CaaS) allows you to do all this and more.
CaaS is any computer programme or set of programmes designed to facilitate illegal activities online.
Whether it is spyware or phishing kits, browser hijackers or keyloggers, CaaS brings it all to your fingertips if you are in the mind for indulging in criminal activities online.
Like software-as-a-service (SaaS), CaaS has emerged as a well-orchestrated ecosystem for cybercriminals.
Pankit Desai, co-founder and chief executive officer of the security firm Sequretek, points out that it is the rise of core competencies among cybercriminals that has led to a wave of CaaS attacks in recent times.
“Earlier, the same person who would write code would distribute it, too.
"But this restricts your ability to reach out to more people.
"Now, those who have a core competency in developing, focus on that, while those who are good at distribution stick to that, and then there are those who manage the money,” explains Desai.
Ease of operation
CaaS enables criminals to carry out sweeping attacks that do not require advanced technical skills.
Most such attacks can be automated, making tracking nearly impossible. Hence, crime detection and bringing criminals to book become extremely challenging.
This adds to the ease of operation of CaaS, according to a report by Kaspersky Lab, a multinational cybersecurity and anti-virus provider.
The other challenge is that since these players work from different countries, finding them is a complicated exercise, and especially so in countries where law enforcement capabilities are low, says Desai.
Sourajeet Majumder, an independent security researcher, explains that “CaaS was first defined sometime in 2008, but the reason for its recent uptick has been the ease of availability.
"Earlier, one would need to be aware of the dark web to get such access, but now links to CaaS providers are available on platforms such as Telegram.”
Majumder points out that there are now several forums where you can post what you need, and cybercriminals then contact you.
“The interesting part is that you can subscribe to their services and a team of hackers will do what you want them to, and the payment is done via cryptocurrency or bitcoins,” says Majumder.
This means that anyone with money and the intention can launch a cyber-attack.
“A lot of cases have come up in recent times where a person has installed spyware in the phone of the spouse or the partner. Also rampant are cases of Zoom raiding, where a student can pay as little as Rs 50-100 to create a disturbance, which would eventually make the teacher end the class,” Majumder adds.
Multi-billion-dollar industryCybercrime has become a multi-billion-dollar industry, and hence it has begun appealing to traditional crime syndicates who want to diversify their activities by using the virtual ecosystem for communication and money exchange, and also to commit cybercrimes.
Cybersecurity experts reckon that the total net cost of cybercrime is expected to grow by 15 per cent a year over the next five years, reaching $10.5 trillion annually by 2025 — up hugely from $3 trillion in 2015, according to a report by Interpol’s ASEAN Cyberthreat Assessment, 2021.
What makes CaaS really worrisome is the fact that the model has now become highly specialised and well-oiled.
“Players are specialised in their area. I would hazard a guess that the majority of attacks we hear of are being driven by CaaS players.
"The payment mode in most of these cases is crypto or bitcoins, and to avoid getting traced, needs good networking in the digital payments ecosystem,” says Desai.
According to Kaspersky Lab, CaaS is extremely pervasive because of its low entry barriers.
In fact, after the US and Germany, India is the third-most affected country by Emotet Trojan, a dangerous malware, which attacks enterprise data.
Emotet Trojan uses a CaaS model to infect banks, where a cybercrime agency is able to run their operations by renting infected servers from Emotet.
CaaS also got a shot in the arm during the pandemic, when people began working from home and networks had to support a disparate system across cities.
Additionally, companies started to move to the cloud.
“The more spread out we are, the easier it is for cybercriminals to attack, and that is what happened — especially in the first wave, when several companies were struggling to get the physical devices to their employees,” adds Desai.
Apart from CaaS, which is creating a community of crime online, several other cybercrime trends are on the rise, too.
Cryptojacking is where a cybercriminal makes use of people’s devices like smartphones, laptops, and so on, to mine for cryptocurrency.
According to a Kaspersky study, cryptojacking, too, is increasing in India.
In fact, the country is a leading target for cryptojackers across the Asia-Pacific region, with such incidents in India at five times the global average.
“We have been seeing the cybercrime rate grow steadily since the past few years, only a small part of which may be attributed to conflict situations.
"The reason for such a sharp rise is low awareness and lack of investment in advanced technologies for cybersecurity,” says a Kaspersky spokesperson.