Software-as-a-service (SaaS) has grown in popularity as a way to minimize complexity and maximize efficiencies.  Why host your own software when that means you will have to maintain it and buy hardware for it?  The growing trend is that companies are willing to host their software for you.  Companies are seeing that the economies around this make a lot of sense.

As I’ve said before, internet fraud seems to be run very much like a legitimate business would be run.  The bad actors try to optimize return on investment (ROI) and conversion rates in the same way legitimate businesses try to optimize them.  For example, just like an e-commerce company will attempt to tweak the text, images, etc. in an email to be sure that it is not caught by spam filters and customers open it, bad actors do exactly the same things with their phishing or 419 scam emails.  Just like a legitimate business, the bad actors want their emails to avoid spam filters and they want their potential “customers” to be intrigued enough to both open and respond to the email.

Phil Muncaster posted an article about how the bad actors are starting to take advantage of the same philosophies behind SaaS.  Phil calls this “Fraud-as-a-service” (FaaS?) and I see this as a continuation of how the bad actors mirror legitimate businesses in perpetrating their fraud.  The bad actors want to make their money as efficiently and economically as possible.  To do this, they have imitated the way legitimate businesses are optimizing their operations.

The examples I’ve seen of FaaS include where one bad actor will host a phish site for another bad actor, for a fee.  The data collected is sent to the “customer” (and likely kept by the service as well).  I’ve also seen cases where one group would collect passwords for a site and determine which are the most valuable.  The less valuable userID/password pairs would be sold to other groups.

All of this is just a way to make the business of fraud more efficient.  I’m sure there are other examples of bad actor efficiency.  If you have some, let me know.