Cybercrime as a service - the crime thriller under the Christmas tree.

The Christmas holidays have been booked since summer, business projects are gradually coming to an end - and the family is relieved that you at least have a few days off over the holidays. The end of the year is being cosily prepared for, the anticipation of sleeping in is increasing, plans with loved ones are drawing closer - and the Advent calendar is drawing to a close. Simply beautiful. Work can wait until next year! At the same time, in a 1.5-room attic flat in a block of flats somewhere in Reda-Wiedenbrück, hacker Matthias thinks to himself: "Oh great, now I can take this department's computer hostage by encrypting it to extort a ransom, yippee!"

Matthias is clever, because he knows that many companies are unresponsive or less responsive on public holidays and people's minds are occupied with other things. This is reason enough for cyber criminals to take advantage of people's enthusiasm, curiosity and willingness to help. "Public holidays, holiday periods and weekends in particular have repeatedly been used for cyber attacks in the past, as many companies and organisations are less able to react. Now is the time to implement appropriate protective measures." BSI President Arne Schönbohm stressed back in the winter of 2021.

Cybercrime is constantly evolving.

The cybercrime landscape has developed into a very lucrative and highly organised business. With the as-a-service business model, cybercriminals now offer their services and hacking tools to anyone who is willing to pay or share the profits. This makes cybercrime accessible to any private individual who wants to launch a cyberattack - even you, even me and even at Christmas.

Internet criminals sell their services and offers via tidy and well-organised shops or marketplaces on the Darknet and in relevant forums. Public forums are also still very important for hacking today, as stolen data packages are also offered or auctioned here. As most hackers are particularly good at anonymising and protecting themselves, the public can usually only stand by and watch.

How do we actually define cybercrime?

Cybercrime has many faces and is constantly evolving. But by and large, all crimes that occur in the digital world fall under the umbrella term cybercrime. These crimes include blackmail, theft, defamation of character, distribution of illegal media, illegal trade, counterfeiting or espionage, all of which are mechanised and take place in the digital space. Cybercrime is fundamentally directed against assets or personal integrity. Phenomena such as cybergrooming, cyberstalking and cyberbullying - i.e. criminal acts of violence - also originate here and are growing in scale. And those who have sufficient means and contacts don't even have to get their own hands dirty and can place a targeted order for any of these crimes. For criminals, cybercrime as a service is just an extended form of software as a service, i.e. normal day-to-day business. Whew!

The German Federal Office for Information Security (BSI) explains the cybercrime-as-a-service model as follows:

"Cybercrime-as-a-Service (CCaaS; cybercrime as a service) describes a phenomenon area of cybercrime in which offences are committed by cyber criminals on an order-oriented basis or offences are facilitated in a service-oriented manner. For example, in the case of malware-as-a-service (MaaS), which is subordinate to CCaaS, a cybercriminal is provided with the malware for committing a crime by an outsider or a specialised attacker group in return for payment and may also be provided with updates and other similar services, just like the legal software industry. One type of MaaS is Ransomware-as-a-Service (RaaS), where the malware is often provided for a fee to encrypt an infected system, update the malware, handle ransom negotiations and payments and other extortion methods. The dissection of a cyber attack into individual services associated with CCaaS enables even less IT-savvy attackers to carry out technically sophisticated cyber attacks." (Source: BSI report "The state of IT security in Germany in 2022"

Ok, ok. But what does that mean for me and my Christmas?

Cyberattacks primarily affect companies, organisations and public institutions. However, cyber crooks and online fraudsters like Matthias are just waiting for the Christmas season to rip off private individuals as profitably as possible.

So anyone buying gifts online could well end up on a fake shop that suddenly offers items that are not available in other shops. Due to inflation, shoppers in Germany are also planning to shop more frugally and could therefore be misled by false savings offers and festive deals. If you don't trust a shop, check that the legal notice is correct and perhaps also whether the shop is verified or has been rated on independent rating platforms.

It also happens that accounts of sellers are hacked and used to offer and sell goods that don't even exist - for example via the giants Amazon, Zalando or eBay. The result is then the same as with a fake shop: there is no trace of the purchased goods or of your money.

Even the Christmas post is no longer what it used to be! By clicking on the joyful, electronic festive greetings, you could receive a very special gift: a ransomware attack. The problem here is that it is often not so easy to distinguish between legitimate and dubious greetings. If in doubt, you should therefore not even open the Christmas greetings - and send cards by post instead.

Fake appeals for donations can also reach you by email or via other communication channels. This is particularly nasty, as people's good nature is deliberately exploited during the festive season.

When cybercrime becomes reality

Fake profiles on dating portals that strike at the time of hope are particularly nasty, but unfortunately not uncommon either. If you are looking for true love or a cuddly partner online, you may well fall for a fraudulent fake love who steals your time and trust in order to get a Christmas bonus with your money. So pay more attention to red flags when dating, don't send any of your bank details and don't transfer money to someone who has just met you and has huge money problems. Really. It's shocking what people lie to and do to other people in this regard.

Anyone who documents too many details of their life on Facebook, Instagram and the like is also at risk. Your Instagram story from the ski resort may tell a professional burglar that you are not at home. Ironically, this professional burglar could already have a clear idea of what you are up to thanks to the complete documentation of your new achievements. Sounds far-fetched? Unfortunately, it has happened too often for that.

Are hackers soulless criminals?

Because cyber criminals usually act alone and in their familiar surroundings - without putting themselves in a position where they could be caught or recognised, have to run away or hide or even have to watch out for someone else - they do not experience their crimes as real crimes. Anyone who has to pay a fine or serve a prison sentence for a serious violent offence always relives their crime and in most cases, sooner or later, experiences feelings such as shame, remorse or pity. Cybercrime is different. This is because the perpetrators do not see their victims, they have no awareness of the suffering they cause, the livelihoods they destroy and the lasting fear they spread.

In addition, there is the feeling of power and domination when a hacker paralyses and controls systems. This means that, in case of doubt, the perpetrators actually feel really good and miles superior to others when they can control something that they should never have been able to control. The powerlessness of affected individuals, companies and authorities can give you as a hacker an enormous push to want to become even bigger and stronger. A guilty conscience therefore often has no chance of developing or becoming a loyal companion. On the contrary. Hackers often don't know why they should stop.

So how can you protect yourself from so much digital mischief?

It sounds a bit harsh. But first and foremost, switch on your "common sense" and trust it if an advertising promise, a dating chat, an email or a new online shop seems suspicious to you.

We live in a time when the word "cyber war" is already in the dictionary. And it is not only this fact that indicates that this Internet is not just a passing trend. How can it be that we use so much technology but know so little about it and its security? What can we do to prevent cybercrime from spoiling our mood, wiping out our livelihoods or jeopardising our democracy? Work with it. Because cybercrime is real. And that's why we should, of course, organise regular awareness training sessions with our employees, but also with our parents and children. We should do a lot more educational work, ask questions, exchange ideas - and create emergency plans.

We need better protective measures, continuous monitoring, more back-ups, more secure passwords - and we need to react faster and better in an emergency. We need to take care of vulnerabilities, directly and correctly.

No one has the right to exploit the advancing digital network to enrich themselves to the detriment of others. Neither today nor in the future. Not even Matthias.

If you notice a security incident, don't hesitate to contact our IT emergency assistance team for immediate help - even if you just suspect it.

Emergency number +49 (0) 21 56 / 97 49 110

Making the digital world a safer place together? Click here for our current job vacancies.

And click here for our security services.

PS: You can find more information on the threat of cybercrime in Germany in this report from the BSI. This report takes stock for the period from 1 June 2021 to 31 May 2022 and also assesses the IT security situation in the context of the Russian war of aggression against Ukraine.

Cybercrime as a service - the thriller under the Christmas tree.