How Crime-As-A-Service Turned Hacking Into A Subscription Business

A number of devastating and widely reported cyber attacks against UK retailers in recent weeks have once again exposed the fact that the impact of cybercrime on our lives is growing.

As of writing, Marks and Spencer hasn’t processed online orders for several weeks, following an attack in April estimated to have cost it $400 million. And the Co-Op group of over 2,500 stores is recovering from an attack in which customer data was stolen, and shelves were left bare.

There are a few reasons retailers are often easy prey for cybercriminals. They handle lots of sensitive customer data, and they’re very sensitive to supply chain disruption, meaning their operations can be brought to a costly halt by disrupting suppliers.

On top of that, their infrastructure sprawls across online retail, mobile apps, and the point-of-sale terminals, tills and tablets of bricks ‘n’ mortar, giving criminals lots of potential ways in.

With politicians raising fears that the escalation of this activity could result in serious threats to the food supply chain, it’s becoming urgent to understand the factors behind the rise in these attacks.

One thing that’s becoming increasingly clear is that cybersecurity is no longer simply about making sure IT departments keep our firewalls and anti-malware up-to-date.

I believe that these attacks tell us that cybersecurity is becoming less about technology and more about people. And this means that the way we defend ourselves has to change, too.

Cyber Crime As-A-Service

Not too long ago, at least a small amount of technical know-how was needed by anyone who wanted to launch a cyberattack and disrupt the operations of a business.

Today, though, an underground economy exists where anyone with the funds can access tools and expertise that can bring businesses to the ground.

Referred to by security experts as crime-as-a-service, this involves the developers of hacker tools and apps charging via a subscription model, like any other software developer.

Effectively, this means that just about anyone sitting behind a VPN can carry out a crime anonymously anywhere in the world. It’s a “democratization” of cybercrime.

The motivation is usually money. Two of the most common attacks are ransomware attacks, where data is encrypted and a ransom is paid to have it returned, and denial-of-service attacks, which flood systems with data, causing them to stop working properly.

The increasing accessibility of these tools is a factor in the growing number of attacks. The hacker group suspected of carrying out the Marks and Spencer attack is reported to have used a CaaS platform known as DragonForce.

But another factor is a change in strategy. Increasingly, rather than targeting technology, criminals are striking directly at the weakest link in the cybersecurity chain, which is usually us humans.

The Weakest Link?

Although the details haven’t been released and investigations are still ongoing, it’s strongly suspected that the Marks and Spencer cyber attack was carried out through social engineering.

With modern cloud security infrastructure being relatively robust, humans, who can be lazy, forgetful and tired, are generally the weakest link. Why would a hacker spend the vast amount of computing power and resources it would take to brute-force into a system and steal or encrypt data when they can just trick or bribe a human into letting them in?

Surveys suggest that email and social media phishing were a factor in more than half of 2024’s ransomware attacks and that 67% of people believe the rise of generative AI has increased their fear of ransomware.

As well as human incompetence and our trusting nature, cybercriminals are increasingly exploiting our greed. In fact, 53 percent of organizations reported cybercrime by insiders in 2024. One high-profile recent example is the $20 million attempted extortion of cryptocurrency exchange Coinbase, where support staff are accused of taking bribes in exchange for giving criminals access.

Criminals believe that retailers are big, rich targets that move slowly to respond to threats and are likely to comply with ransom demands rather than suffer business disruption.

By targeting people with permission to access their systems, then all that IT spending on cyber security infrastructure—firewalls, secure email gateways, network security, access control, security tools—becomes irrelevant, and their criminal activities become a lot simpler.

Facing An Evolving Threat

So, how can businesses, and we as professionals, employees and individuals, most effectively respond to this change?

The first step could be to think about adopting a more human-centric security strategy. This means developing a culture of cyber-awareness that’s active at all levels, from the boardroom to the shop floor.

By understanding what criminals look for, how they try to gain access, and what’s at stake if they succeed, everyone’s awareness increases.

Particular attention should be paid to ensuring everyone understands the growing threat of generative AI-powered deepfake crime.

When it comes to this, as well as understanding the wider picture of where threats might exist in an organization, it’s human skills that will be most valuable.

This means that effectively communicating the importance of cyber vigilance, achieving buy-in, and understanding what makes us vulnerable to bribery and corruption are critical skills in the cybersecurity toolbox.

Critically, when implementing these changes, the focus should be on limiting opportunities for threat actors to cause damage rather than monitoring the activities of individuals in a way that damages trust. Balancing this also requires skilled human judgment.

Make no mistake, with 43% of UK companies reporting an attempted cyber attack last year, the threat is greater than ever, and the penalties for making mistakes are severe.

But by switching to understanding, predicting and improving the behavior of humans rather than just technology, all businesses can reduce their chances of becoming victims.