Cybercrime Supply Chain 2025: Attack Resources
Matt Piscitello
This post is a continuation of a series of articles that highlight topics from Interisle’s Cybercrime Supply Chain 2025 report. This article will cover attack resources leveraged by cybercriminals.
What are Attack Resources?
Attack resources are the tools, infrastructure, and exploits that cybercriminals use to gain unauthorized access to a system. Cybercriminals use public repositories, the dark web, and social media sites to offer malicious files, scripts, and infrastructure in the same way that legitimate businesses offer their services (think Amazon Web Services or Microsoft Office). These Crime as a Service (CaaS) operators allow other cybercriminals to perpetrate fraud by impersonating well-known organizations (banks, hospitals) or brands (retail outlets, for example). All the cybercrime supply chain elements (malware, messaging, fake sites, naming, and hosting) are offered as a commercial service that distributes profit through subscriber or affiliate business models, making attack resources accessible and convenient.
Attack Kits
An attack kit is a set of files and scripts that gives a criminal the tools to conduct an attack quickly and easily. Attack kits are usually leveraged for specific types of cybercrime.
Exploit kits provide malicious software that takes advantage of software vulnerabilities in a user-attended device (e.g., a mobile phone or laptop), an operating system, or an application (e.g., a browser or document productivity software).
Phishing kits typically include the web pages and forms for sites that impersonate a known organization or brand, to which Internet users are lured. Some of these kits are ready-made to spoof the actual web pages of those organizations or brands.
Crime as a Service (CaaS)
The business side of cybercrime has adopted the subscriber model of legitimate services for phishing, malware, and ransomware attacks. These services typically use spam infrastructures as delivery systems. Some criminal enterprises have been identified as operating CaaS worldwide from China, Russia, North Korea, the Middle East (Iran), and Africa (Nigeria).
These services share several common characteristics. Typically offered in dark web marketplaces, they provide buyers with ready-made attack campaigns on a subscription or pay-per-use basis, in many cases assisting with cash-out payment methods as well. This lowers the barriers to entry for criminal activity and makes the cybercrime business broadly accessible to low-skilled attackers.
The types of service models include:
Phishing as a Service (PhaaS): Includes fake login pages, a spam infrastructure, and automated tools for sending phishing emails and SMS scam texts, managing stolen data, registering domain names, and hosting malicious sites.
Fraud as a Service (FaaS): A cybercrime business model in which criminals offer tools, services, and expertise to other malicious actors to facilitate fraudulent activities for a fee.
Malware as a Service (MaaS): Allows customers to conduct surveillance, data exfiltration, adware, financial fraud, or extortion campaigns.
Ransomware as a Service (RaaS): A commercial online extortion business.
Spam as a Service (SaaS): A commercial, automated email campaign offering.
To understand more about Attack Resources, Attack Kits, and CaaS offerings, as well as methods of disrupting and mitigating them, check out Interisle’s Cybercrime Supply Chain 2025 Study.
Interisle’s study was sponsored by the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). Collectively, these organizations represent thousands of cybersecurity, public advocacy, service provider, and industry professionals worldwide.

