While the volume of cyberthreats declined slightly last year, their sophistication increased, according to a new report from Websense Security Labs.
For example, they've picked up some techniques from the spam industry.
"The spammers would take an email and modify it 100,000 times to make it look a little different," said Bob Hansmann, director of product security at Websense. "The bad guys are doing that as well, where they morph or polymorth the attack."
This helps them evade signature-based defenses, he said.
Websense, which collects 5 billion pieces of data daily from over 900 million endpoints around the globe, saw a decline of 5.1 percent in the number of threats last year, down to 3.96 billion.
However, the total cybercriminal population "at least doubled" said Hansmann.
"The number of people creating these attacks are growing, growing at a rate you wouldn't expect," he said.
The reason? It's become much easier for criminals with no technical background to launch sophisticated and profitable cyberattacks with little or no physical risk and relatively low odds of getting caught.
One indicator that attackers are reusing pre-existing tools and infrastructure was in the form of botnet usage.
According to Websense, the average price of an exploit kit is now between $800 and $1,500 a month, and the number of these kits tripled last year, keeping prices low.
In addition, the criminals are developing areas of specialization, Hansmann said, and offering their services through the malware marketplace.
In 99.3 percent of all the malware, the Command and Control site had already been used before by other malware, he said.
"These guys aren't creating brand-new infrastructure," he said. "'I'll rent this, I'll rent that, and I'll tweak just this one thing... So even extremely new rookie-type threat actors can now put together very sophisticated, hard-to-detect attacks."
And they're spreading their servers to more countries, he added.
"Command and Control servers used to have maybe a dozen countries to host in -- others didn't have the kind of communications that a C&C needs," he said. "But many countries have invested in the Internet, and the bad guys have said, hey, we have new countries where we can go host stuff."
And now the authorities have to work with new jurisdictions, some of which many not yet have the infrastructure in place to go after cybercrime.
The total number of C&Cs has doubled last year, from 1.1 billion to 2.2 billion, he added.
While some high-profile botnets were, in fact, taken down last year by authorities, it didn't stop the problem.
"As many as we took down, they just came back in new places," he said.