Cybercrime as a Service: A Scoping Review

TL;DR

This paper reviews the concept of Cybercrime as a Service (CaaS), analyzing 195 sources to understand its scope, development, and future implications for cybercrime and security.

Contribution

It provides a comprehensive scoping review of CaaS, highlighting its current state, methodological approaches, and predicted future trends in cybercrime services.

Findings

CaaS lowers entry barriers for cybercriminals

Increases attack sophistication and resilience

Potential use by organized crime and extremist groups

Abstract

Cloud computing has drastically altered the ways in which it is possible to deliver information technologies in a service-led structure, however, this has also been reflected in the cybercrime domain. Cybercrime as a Service is an economic model where a technically skilled actor offers a given cyberattack as an end-to-end service to non-technical actors who pay a subscription fee for said service. The services, which can vary in scope, targets, and delivery modes, include everything from the vulnerability discoveries, delivery of the attack, and the attack itself to financial rewards to the subscriber. In this scoping literature review, we analysed 195 articles from both academic and grey literature with a view of investigating the services articles studied, the methodological approach the how the CaaS model is predicted to develop in the future. Our review indicates that with further commercialisation of the model will further lower the barrier of entry to the cybercrime realm, increase sophistication of the attacks and increase resilience of the service providers and their ecosystem which will result in harder shutdowns of services by the authorities. Furthermore, as the model becomes more accessible, groups such as organised crime groups, extremist actors may use them as well, which may have implications for criminal activity in both cyber and physical domains.