The emergence of Cybercrime-as-a-Service (CaaS) is a critical evolution in the cybercrime landscape. A key area of research on CaaS is where and how the supply of CaaS is being matched with demand. Next to underground marketplaces and custom websites, cybercrime forums provide an important channel for CaaS suppliers to attract customers. Our study presents the first comprehensive and longitudinal analysis of types of CaaS supply and demand on a cybercrime forum. We develop a classifier to identify supply and demand for each type and measure their relative prevalence and apply this to a dataset spanning 11 years of posts on Hack Forums, one of the largest and oldest ongoing English-language cybercrime forum on the surface web. Of 28 known CaaS types, we only found evidence for only 9 of these in the forum.We saw no dramatic shifts in these offerings over time, not even after major underground marketplaces were being seized by law enforcement. Around 16% of first posts of the threads in the ‘Market’ section of the forum offers CaaS, whereas only 3% is focused on product-type criminal offerings. Within the types of CaaS, ‘bot/botnet as a service’, ‘reputation escalation as a service’ and ‘traffic as a service’ categories make up the majority (over 60%) for whole period in terms of both supply and demand. At least half of each CaaS offerings directs potential buyers to an instant messaging app or private message for transacting privately. In sum, we find that forums do in fact provide a channel for CaaS supply and demand to meet, but we see only a fraction of the CaaS landscape and there is no evidence in our data for the supposed growth of CaaS over time. We reflect on the implications of our findings for developing effective disruption strategies by law enforcement. @en

One of the many facets of cybercrime consists in transactions of malicious software, fraudulent information, and other potentially harmful goods and services via underground marketplaces. A portion of these goods comprises the illegal trading of consumer products such as vouchers, coupons, and loyalty program accounts that are later used to commit business fraud. Despite its well-known existence, the impact of this type of business fraud has not been analyzed in depth before. By leveraging longitudinal data from 8 major underground markets from 2011-2017, we identify, classify and quantify different types of business fraud to then analyze the characteristics of the companies who suffered from them. Moreover, we investigate factors that influence the impact of business fraud on these companies. Our results show that cybercriminals prefer selling products of well-established companies, while smaller companies appear to suffer higher revenue losses. Stolen accounts are the most transacted items, while pirated software together with loyalty programs create the heaviest revenue losses. The estimated criminal revenues are relatively low, at under $600,000 in total for the whole period; but the total revenue losses amounted to $7.5 million. @en

Many cybercriminal entrepreneurs lack the skills and techniques to provision certain parts of their business model, leading them to outsource these parts to specialized criminal vendors. Online anonymous markets, from Silk Road to AlphaBay, have been used to search for these products and contract with their criminal vendors. While one listing of a product generates high sales numbers, another identical listing fails to sell. In this paper, we investigate which factors determine the performance of cybercrime products.
To answer this question, we analyze scraped data on the business-to-business cybercrime segments of AlphaBay (2015-2017), consist- ing of 7,543 listings from 1,339 vendors, sold at least 126,934 times. We construct new variables to capture product differentiators and price. We capture the influence of vendor characteristics by identifying five distinct vendor profiles based on latent profile analysis of six properties. We leverage these product and vendor characteristics to empirically predict the performance of cybercrime products, whilst controlling for the lifespan and type of solution. Consistent with earlier insights into carding forums, we identify prevalent product differentiators to be influencing the relative success of a product. While all these product differentiators do correlate significantly with product performance, their explanatory power is lower than that of vendor profiles. When outsourcing, the vendor seems to be of more importance to the buyers than product differentiators.@en

Researchers have observed the increasing commoditization of cybercrime, that is, the offering of capabilities, services, and resources as commodities by specialized suppliers in the underground economy. Commoditization enables outsourcing, thus lowering entry barriers for aspiring criminals, and potentially driving further growth in cybercrime. While there is evidence in the literature of specific examples of cybercrime commoditization, the overall phenomenon is much less understood. Which parts of cybercrime value chains are successfully commoditized, and which are not? What kind of revenue do criminal business-to-business (B2B) services generate and how fast are they growing? We use longitudinal data from eight online anonymous marketplaces over six years, from the original Silk Road to AlphaBay, and track the evolution of commoditization on these markets. We develop a conceptual model of the value chain components for dominant criminal business models. We then identify the market supply for these components over time. We find evidence of commoditization in most components, but the outsourcing options are highly restricted and transaction volume is often modest. Cash-out services feature the most listings and generate the largest revenue. Consistent with behavior observed in the context of narcotic sales, we also find a significant amount of revenue in retail cybercrime, i.e., business-to-consumer (B2C) rather than business to-business. We conservatively estimate the overall revenue for cybercrime commodities on online anonymous markets to be at least US $15M between 2011-2017. While there is growth, commoditization is a spottier phenomenon than previously assumed. @en