Fraud as a Service (FaaS): Everything You Need to Know
The 2017 LexisNexis® True Cost of Fraud report makes for sobering reading. After surveying nearly 1,200 risk and fraud executives, the report concluded that fraud in retail, commerce, lending and financial sectors cost these industries more than 2.5 times the dollar amount of the actual fraud. Up to 31 percent to 43 percent of monthly transactions involved fraud attempts.
It gets worse. According to PwC’s 2018 Global Economic Crime and Fraud Survey, 49 percent of organizations globally said they had been a victim of fraud and economic crime.
What is FaaS?
In CSO Online, Daniel Cohen of the Online Threats Managed Services group at RSA says that FaaS offerings range from: “DDoS attacks and botnet rentals to stolen payment cards, healthcare records, and social media accounts for sale in just a single click. And with the increasing demand and competition in the deep web, some cybercriminals are making customer service guarantees a key differentiator for their services with try-before-you-buy options and returns for ‘faulty’ merchandise such as bad payment cards.”
However, FaaS is not just a blanket definition for digital fraud. While it does utilize techniques like phishing, whaling, insider fraud, SQL injection, and ATM-skimming, the concept more accurately refers to an insidious invasion of cyber criminals in an organized manner by:
- Utilizing a global network of criminals for international fraudulent collaboration through underground forums
- Creating a Dark Web platform from which FaaS activities take place
- Making fraud a profitable product that can be sold on
- Developing a network of services to aid fraudsters in committing digital crimes and converting stolen goods into cash
The FaaS model will gain traction in 2019 as it provides would-be cybercriminals with the means and opportunity to develop their own fraud businesses, at low cost and with little knowledge. The product itself can be acquired on the Dark Web; supporting services can be bought or rented; and the underground platform provides a supportive network of like-minded criminal collaborators.
FaaS as a Global Network
FaaS organizations operate in a similar manner to any other organization: there are menial workers, money mules, researchers, contractors, Dark Web hackers, technical specialists, managers and team leaders. While undoubtedly not quite so lavishly opulent, one might nevertheless imagine the Deep Web of organized cybercrime as the equivalent digital location of a James Bond movie. In fact, the Bond movie SPECTRE presented a global terrorist organization that could well have been a precursor to criminal syndicates in the Dark Web.
FaaS as a Dark Web Platform
More prosaically, FaaS is likely the criminal heir to cloud services that have enabled fraudsters to take underhanded advantage of the same services people use in their private lives and online businesses every day. Once simply a way to share everyday life with friends and family, Facebook is now one of many popular hunting grounds for criminals hoping to snare victims and steal their personal information.
It was bound to happen, opined The Weekly Geek as far back as 2010: "... on-demand, web-based fraud that mirrors the efficiency, sophistication, and universality of Software-as-a-Service (SaaS)." The Geek extracts some interesting takeaways from a whitepaper presented by Rick Van Luvender, Director of First Data’s InfoSec Incident Response Center:
- Today’s criminals are not operating out of seedy boiler rooms. They are sophisticated and smart
- Even though it is “underground,” the fraud-based economy is subject to the same supply-and-demand pressures of any other economy
- The most popular items for sale on the underground are credit cards, inexpensive to buy with a high profit potential
- At the center of FaaS are online fraud forums that operate in a very similar manner to legitimate online marketplaces. These forums utilize specialists to brainstorm news ideas to harvest data
The result: "Just as corporate IT managers have come to rely on the Internet to satisfy on-demand software needs in the form of Software as a Service (SaaS), so has the underground economy developed a similar infrastructure for delivering Fraud as a Service (FaaS)."
FaaS as a Profitable Product
FaaS is not just about instituting attacks to defraud large organizations. Indeed, it has become a profitable product to sell to other fraudsters. According to Hacker News, underground forums sell malicious code, hacking services and bullet-proof hosting at reasonable prices and even rent out entire botnets. The Zeus malware, freely available on the Internet, was improved and upgraded by developers who designed a commercial demo website for would-be buyers and, without blushing, published a dedicated Facebook page to the toolkit’s latest version (the page has since been shut down).
FaaS as a Network of Services
It’s not just raw code that is being distributed by fraudsters. Says Eric Geier at eSecurity Planet: “There are also numerous other associated services out there that are required to carry out a large successful attack such as malware quality assurance (QA) (yes, it's true), distribution, and search engine optimization (SEO). All these goods and services can come together to make a cookie-cutter process for the attack originator while also making it nearly impossible to catch them due to all the third-party providers involved.”
Other services available to criminals include money laundering, money mules, making friends with bent insiders at large corporations, pay-as-you-go infection and exploitation services, and virtual criminal markets.
If you wanted to start your own digital crime outfit, why do all (or any) of the work yourself when you could harness FaaS?
Ideally, such a hacker would operate through the Dark Web, but you can also find criminal compatriots on the surface web via forums and word of mouth. However, doing so is dangerous and illegal. Often, white hats pose as black hats on these sites.
How much will it cost you? Prices vary and you have to balance the risk; criminals are not known for their ethics. An article by Business Insider describing the prices you can expect to pay for hacking activities includes an interesting offering by one hacker to boost Yelp ratings — interesting because some online job boards on the surface web have been known to advertise for similar services, seeking freelancers to give their business a good rating. But using the Dark Web is no doubt more lucrative, more anonymous and more cost-effective, although much, much more risky.
Cybercrime as a Service (CaaS)
As is often the case on the Internet, the different of trending terms are sometimes confusing, even contradictory. Relevant to this article is that FaaS and Cybercrime as a Service (CaaS) acronyms are sometimes used interchangeably. FaaS is perhaps better described as an independent, specialized (and lucrative) segment in the CaaS business model. Strictly speaking, FaaS attacks are aimed primarily at financial industries and related service industries.
The acronym that may in the future become more widely used to describe FaaS activities generally is Cybercrime as a Service (CaaS.) We Live Security describes CaaS as “the practice of facilitating illegal activities via services. In other words, anyone could acquire everything they need to organize frauds or cyberattacks, whatever their skills or technical knowledge.” This criminal business model in fact includes FaaS as a specific offering, amongst others:
- Fraud as a Service (e.g. Zeus). Threats are aimed at obtaining banking data and range from stealing credit cards to social engineering attacks, and include offering fraud services
- Malware as a Service (e.g. Betabot). The sale of malware and exploit kits, including botnets
- Ransomware as a Service (e.g. Tox). Strictly two services: the first, tools created by developers to develop malware automatically, and the second, criminals that sell these tools
- Attacks as a Service. Employing hired guns who do all the dirty work
How to Combat FaaS
Writing for CSO Online, Charles Cooper suggests that new threats from as-a-service markets mean there "is the need to adjust to the morphing nature of the threat landscape. Attacks are going to come faster and more frequently than ever, and security practitioners need to treat this as the new normal. Otherwise, it’s the same blocking-and-tackling that’s helped enterprises deter attacks in the past."
In a whitepaper titled “The Industrialization of Fraud Demands a Dynamic Intelligence-driven Response,” Enterprise Management Associates suggested three core defenses:
- Harnessing dynamic intelligence
- Swift and concise response capabilities
- Defending identity and strengthening authentication
At the heart of these strategies are automation capabilities and advanced artificial intelligence, both of which may help in combating threats in the morphing threat landscape.
According to Information Age’s Nick Ismael, “The automation wave is the progression of technology and machine learning into intelligent software that can act to both identify and remediate incidents, leaving security professionals to tackle more complex and relevant issues.”
Where to Next?
In 2017 Barclays UK launched the Embarrassing Fraud Clinic. This was in response to research showing that a third (34 percent) of fraud cases went unreported to banks, and nearly three-quarters (72 percent) were not reported to the police, due to 1 in 4 Brits being too embarrassed by the incident.
Security awareness can relieve people of the stigma attached to being “caught out” by training them to be aware of how fraudsters operate. InfoSec Institute has created special learning modules in its AwareED and SecurityIQ learning portals.
The Dark Net’s Fraud as a Service (FaaS), CSO Online
Delivering Fraud-as-a-Service (FaaS), The Weekly Geek
Fraud Trends in 2010: Top Threats from a Growing Underground Economy, First Data
Fraud-as-a-Service of Zeus Malware advertised on social network, The Hacker News
Hiring Hackers and Buying Malware is Easy, eSecurity Planet
The cybercrime business model and its value chain, We Live Security
The rise and rise of Cybercrime as a service, CSO Online
Artificial intelligence is aiding the fight against cybercrime, Information Age
Hands-on threat intel training