Cybercrime For Sale: Scam Kits and How to Protect Yourself

It's a common refrain in the cybersecurity world that cybercriminals are constantly innovating. Thanks to some particularly entrepreneurial scammers, many others no longer need to.

Would-be cybercriminals with very little technical knowledge or experience can now buy cybercrime kits, as stand-alone offerings or as a part of software subscriptions, which do an online scam's heavy lifting. These easy-to-use tools sold on the dark web contribute to rising cybercrime,1 which is expected to cost victims $8 trillion2 this year.

Here's what consumers should understand about this troubling trend and how to stay on guard.

What Is Malware-as-a-Service?

As bizarre as it may seem for cybercriminals to sell internet crime kits to less-skilled scammers, it's simply a dark web version of the legal software marketplace many people use. Software-as-a-service, or SaaS, is the increasingly common way consumers use software — you pay a subscription for something like Microsoft 365, Dropbox, or Zoom in exchange for access to the software, including its tools, resources and customer support.

Malware-as-a-service (MaaS), or crime-as-a-service (CaaS), works similarly. Users pay a monthly subscription, a one-time fee, or a portion of their scam profits to access the plug-and-play resources they need to launch their very own attacks.

Prices vary but can be surprisingly low. For example, remote access trojan/tools3 (RATs), which allow scammers to access and control devices remotely, can cost between $5 and $45 for a one-time set of tools. More sophisticated MaaS operate more like everyday SaaS. The "company" Eternity Project,4 for example, offers a variety of cybercrime tools for $90 to $490 and shares product updates and how-to videos for customers.

Ransomware and Phishing as MaaS

Wannabe scammers can find MaaS for just about any type of internet scam. But two of the most common are ransomware-as-a-service (RaaS) and phishing-as-a-service (PhaaS or PaaS).

RaaS

A ransomware attack when a cybercriminal gains access to a device or critical data and locks out the owner until they pay a ransom. Ransomware is one of the most common cybercrimes, according to Verizon, which reported a 13% jump in ransomware breaches5 in 2022. That figure held steady in 2023, with ransomware accounting for 24% of breaches.6 Experts connect7 the ease of access to RaaS with ransomware's rise.

RaaS can work in a few different ways.8 The RaaS creator may charge a monthly subscription for a flat fee, a monthly subscription plus profit sharing (often 20%-30% of users' scamming revenue), or a one-time license fee — or they may offer a pure profit-sharing model.

PhaaS

Phishing is another increasingly common online scam, wherein a cybercriminal sends an email or other message to a user pretending to be a reputable person or entity asking for sensitive information on a fraudulent website. Consumers may recognize this as a text message pretending to be the U.S. Postal Service asking for additional postage, confirmation of an address, or an email purportedly from an online retailer asking for a credit card update.

PhaaS is popular in part because of the variety and sophistication it offers. Some phishing kits9 include ready-made HTML templates for creating lots of fake websites that look like popular companies' sites and a script code that sends a victim's data to the criminal. The kits can vary, sometimes including a message to send to potential victims. The most sophisticated kits can include anti-detection tools and be a part of a full-fledged PhaaS offering with additional services, like bypassing multi-factor authorization security.10

Protecting Yourself from MaaS

The major takeaway for consumers about the rise of MaaS is to expect more scam attempts from less-skilled cybercriminals. The standard cybersecurity protections still apply, just more than ever: Don't trust any unexpected messages requesting personal or financial information — and strengthen your computer and network security with firewalls and strong passwords. Train everyone7 using your devices on cybersecurity procedures, whether they're family members or employees.

Given the popularity of RaaS and PhaaS, however, these specific practices can help further:

RaaS Protection Tips:8

• Perform regular data backups. If a cybercriminal tries to hold your data ransom, but you have a recent backup on hand, you can avoid paying the ransom with minimal losses. Store backups in different locations on separate devices and test them regularly.
• Segment your network. Use guest networks or additional Wi-Fi networks as needed to isolate devices so one breach doesn't expose all of your digital assets. VPNs also come in handy because it protects your online privacy, secures data, changes an IP address and, equally important, adds another protective layer. Think of like a near-impenetrable steel door after bad actors find the first way entranceway in.

PhaaS Protection Tips:9

• Avoid clicking on links in messages. When possible, type known URLs into a browser's address bar or open a trusted app.
• When logging into a website or entering sensitive information, look closely at the URL in the address bar. An apparent typo or suspicious character in the domain name could indicate that it's a fake.

Just because online scammers have easier access to cybercrime tools doesn't mean you are an easier target. With extra caution and good cybersecurity practices, you can keep cybercriminals — especially amateur ones — at bay.

Consider Signing Up for Credit Monitoring

Does remembering to regularly scan your credit report sound exhausting? Another option: Choose a service that will do the credit monitoring for you.

For example, as a Synovus Plus, Synovus Inspire, or Synovus Private Wealth customer, you can enroll in complimentary Financial Protection Services services through Carefull. Depending on the level of protection you have, Carefull will monitor your credit reports and notify you any time any changes are made. Carefull will also scan the web to make sure your personal information hasn't been compromised by checking websites, blogs, peer-to-peer networks. Carefull also offers full-service identity restoration if you become a victim of identity theft.

Learn more about how you can achieve peace of mind as a Synovus customer with Carefull.