In today‘s installment of #BSidesMunich2025 – NEINth Edition, we focus on the cybercrime trend: Fraud-as-a-Service (FaaS). This business model enables cybercriminals to sell ready-made fraud tools and services—from phishing kits to identity theft packages—on dark web marketplaces.
What makes FaaS especially dangerous is its accessibility. Much like legitimate SAAS platforms, FAAS offers tiered pricing, customer support, and even subscription models. With minimal technical skill, bad actors can launch large-scale attacks using prebuilt kits.
By lowering the barrier to entry, younger fraudsters have entered the scene. And, the democratization of cybercrime has led to a surge in fraud cases across sectors like banking, e-commerce, and logistics. According to Germany’s Federal Criminal Police Office (BKA), cybercrime incidents have grown steadily, with organized digital fraud becoming a key threat vector.
Fraud as a Services poses a unique challenge for our technical community: FaaS attacks often exploit business logic vulnerabilities—the kind that traditional security frameworks overlook. In response, OWASP has introduced the OWASP BLADE Framework. Modeled after MITRE ATT&CK, it provides a systematic way to identify common fraud types and offers methods on how to defend. Examples include gift card, scalping and carding among others.
As FaaS continues to scale, fueled by AI and automation, organizations must rethink their fraud prevention strategies. It’s no longer just about firewalls and antivirus—it’s about understanding the economics and TTPs of cybercrime-as-a-service.
For an example of a security weakness that could end up a FAAS kit, check out Konstantin Wedige’s, “Kobold Letters and Other Mischief…” from last year’s BSides Munich! https://www.youtube.com/watch?v=ko9cwRM3BZU
Sources:
https://www.thomsonreuters.com/en-us/posts/corporates/faas-new-fraudsters/
https://www.bka.de/DE/AktuelleInformationen/StatistikenLagebilder/Lagebilder/Cybercrime/cybercrime_node.html
https://2025.bsidesmunich.org