Pierluigi Paganini August 19, 2013

Security expert Dancho Danchev profiled one of the numerous hacking services offered in the underground highlighting new trends in the cybercrime ecosystem.

With the term attack-as-a-service model is indicated the practice to outsource all the phases of an attack to specialists instead to rent tools and architecture to conduct personally the illegal activities (Malware-as-a-Service). Danchev has recently profiled a newly launched underground service that could allow for cybercriminals to automate the penetration testing process against any target. The providers of the hacking service sustain that using their own exploitation techniques are practically able to compromise any website.

As usual the authors of this service provide an excellent marketing model, they propose a demo for the attack useful to penetrate several vulnerable websites.

The model on sale for service is very attractive, hackers analyze in a first phase the target for a very cheap price (5$) and only in the presence of vulnerabilities they hack it for a price nearly 50$, of course for large architectures to attack the prices soar from $1000 to 50000.

This type of hacking services is an example of unethically pen-testing activity, the criminals seem to not use any automated tool neither Google services to discover vulnerabilities, another singularity is that they do not operate against website and service of their country, a habit already seen in the sale of Kins and Zeus malware.

Following the key features proposed by Danchev in his post:

• the service offers a demo of the hacking process for several (vulnerable) Web sites
• the price for scanning a single Web site is $5, and if a scanned Web site can be hacked using the service, the price becomes $50
• the instructions of the service state that – “We don’t touch our (country’s) Web sites, and our law enforcement doesn’t touch us”
• the service doesn’t utilize Google for finding vulnerable Web sites on a mass scale, instead it allows the cybercriminal to manually enter the Web site about to get unethically pen-tested
• even if the service cannot automatically hack into the Web site (based on what the service claims are private techniques for exploitation) the specially displayed output is supposed to increase the probability for a successful compromise
• the service also offers consultation for hacking into any given Web site, with the prices varying between $1000 to $50,000
• the service successfully detects Microsoft SQL Server, Oracle, MS Access

Following an image of the profiles hacking service:

At the moment the impact of the specific service is limited due its actual inability cause widespread damage but the availability of a huge quantity of tools and hacking services represents an alarming reality that is causing a sensible increase in blended, automated attacks.

Recently FireHost Secure cloud hosting company issued Q2 2013 Superfecta report that revealed the concerning growth for automated attacks against web applications.

The same Danchev already profiled other DIY tools such as Google Dorks Web site exploitation tools, brute forcing applications and stealth Apache module for backdoor distribution, the greater the number of these tools on the market and the greater the number of cyber criminals who provide for the complete outsourcing of attacks.

According last McAfee report “Cybercrime-as-a-Service” security experts observed a sensible increase for attack-as-a-service proposal, the study profiled as example Password cracking services and Denial-of-services.

“If the budget allows, a budding cybercriminal can skip the process of conducting research, building appropriate tools, and developing an infrastructure to launch a cyberattack by choosing a service that will outsource the entire process.” the report states.

No doubts that hacking services will catch in the medium term a good portion of the offer for cybercriminals on the underground.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cybercrime, hacking services)