Cybercriminal business models: the mutated offspring of the lean start-up?

As ransomware's popularity has risen, so too have competitors in the market and the creators have begun taking a professional approach.

While they are downright despicable, the unique circumstances in which cybercriminal businesses have developed share many similarities with the tech startup world.

Both have adapted to a highly pressurised and competitive technology environment in similar ways. However, the criminal world has mutated the now famous ‘lean’ business principles, which is renowned for giving startups an edge, and twisted them to create something which is unfortunately highly effective.

>See also: Defending against fileless malware 

Personalisation – It’s no secret that lean start-ups focus heavily on customer data and personalisation, collecting as much intelligence as possible, and using this to achieve a very specific goal.

Cybercrime is no different, except the goals they are trying to achieve are much more nefarious. Threat actors have become experts at using the data generated by people’s digital footprints to run vast targeted campaigns.

Advanced ‘fingerprinting’ techniques are capable of scanning a massive number of computers, collecting intelligence including location, installed software, cookies and people’s Internet Service Provider (ISP) to tailor threat delivery.

This is done on traffic-loads of millions. If this sounds familiar, it is the same approach used by the growing ranks of data-driven marketing technology companies. Imagine the Boston adtech cluster, but for the underground.

Agile – Lean start-up is obviously all about testing, learning and iterating products. This is the reason why so many labs and experiments exist, and why the scrum board holds an almost sacred place in the start-up.

>See also: New malware represents biggest threat to critical infrastructure

Cybercriminal culture has been practicing this for years, the very existence of polymorphic malware is proof of this. This software automatically evolves, changing its code continually to make sure it stays ahead of the cybersecurity industry.

The marketing team at a start-up could build entire valuations around a similar ability. It’s not just on the coding level that this agile approach is demonstrated. Exploit kits are now run through control panels which look like professional software and allow infection data to be monitored in real time. This allows for incremental changes to increase campaign success rates.

Specialist jobs outsourced to experts – Start-ups keep it lean and focussed by farming out non-core activity to outsourced consultancies and technology providers.

Cybercriminals employ specialist practitioners on a similar basis. A whole marketplace has evolved, encouraging a shady sub-sector for cybercrime services to flourish.

Need someone to drive traffic towards your compromised site, a place to buy custom-built malware or just good ‘old fashioned’ bulletproof hosting? Look no further than the multiplicity of forums and dark marketplaces online.

>See also: How does advanced malware act like AI?

These operate as a shop window for these, unfortunately quite skilled, contractors. Not only does this make sound business sense, but it also keeps the waters conveniently muddy, making it harder for law enforcement.

These factors have all combined to decrease the barrier to entry into cybercrime. With an easily accessible, yet flexible, technology-driven resource pool, little more than a laptop and a small amount of technical experience is needed to start a relatively sophisticated operation. It is not just the preserve of the few any more.

This has significantly increased the volume and variance of threats. In response, people and businesses need to adopt a layered approach to security, employing both an anti-virus for traditional threats, and anti-malware for the more advanced.

Second, people must be acutely aware of the threat posed by outdated software. Our data shows a serious increase in the amount of attempts to pour ransomware and malware through holes in everyday programs such as Java and Internet Explorer. If you want to be even more secure, anti-exploit software is available.

Third, watch out for the ads. In our experience, most high-volume attacks now come through malvertising, which is still not a threat vector with mainstream understanding.

>See also: 30% of malware attacks are zero day exploits – report finds

Essentially, these are malware and ransomware infected ads which hide on trusted news, dating and other high traffic sites. Various tools on the market, such as anti-exploit software, can be a great help here.

Finally, be aware of being manipulated. The most successful online crime is that which hacks people, and uses their weaknesses against them. Continually ask yourself questions – do you need to reply to that official looking IRS email? Do you really know that attractive Twitter follower badgering you with links? After all, if there’s one thing that takes the wind out of startups more than anything, it’s a lack of clicks…


Sourced by Justin Dolly, chief security officer and CSO at Malwarebytes

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...