I frequently get asked by clients and attendees at conferences, “are the guys doing this stuff really making that much money?” The short answer is yes. Why else would we have so many continual breaches, and see substantial growth in both breaches and attacks each and every year? Add to this a cybercrime underground worth around $400 billion annually (about $1 billion in Australia)!
So my answer to clients is if cybercrims were not profiting from these attacks and breaches, there wouldn’t be any!
If we look at the Target breach for example, the estimated number of cards successfully sold on the black market before they were cancelled was 1-3 million cards.
With the median card price on the underground around $18-$55.70 USD, hackers likely generated $53.7 million from the 2 million cards sold if at the mid-range price of $26.85.
There is forever a flood of new credit cards on the underground. Below is a dump of the currently available credit cards on just one of the many sites out there dealing in stolen information; the average cost of a card is $5.00.
Pretty much everything is for sale, such as cPanels (logins to the hosting control panels for websites).
And of course you can get Paypal and eBay accounts…..and plenty more!
The other area of cybercrime people ask me about is spam. I often get told “I am constantly receiving emails from Nigeria, or scam emails, surely my email address isn’t worth that much?” Well, you would be surprised to know that some scammers are making anywhere up to $20K a month, yes I said $20K. Over the years there have even been reports of guys who make between $1k-$2.5k per day! With the average number of spam emails detected by Symantec last year topping 239 billion per day, it’s big business.
Here’s another screenshot from one of the many sites that sell stolen accounts; notice that 500 Gmail accounts will set you back around $160.00.
Last year saw the rise of CryptoLocker, and now a massive ransomware industry is making oodles of cash for cybercrims. At the end of last year a report by Dell SecureWorks advised that the creators of CryptoLocker alone made as much as $30 million in a mere 100 days.
If we look at the global CryptoLocker infection rate from October 22 to November 1, 2013, there were around 31 thousand unique infection hits.
But these few components only form a drop in an ocean of attacks…
Cyber espionage was again one of the main attacks that occurred last year, particularly from the Chinese government (more info can be found here), again providing a massive revenue stream not just for spies and state-sponsored hackers, but for potentially malicious employees / insiders trying to make a few bucks.
Botnets are reportedly making around $10 billion a year for cybercrims, according to a report by the European Network and Information Security Agency, and then we have the large range of other attacks, such as scammers, mobile threats, individual fraud, data mining and of course Cybercrime-as-a-Service.
The terms “Attack-as-a-Service,” “Malware-as-a-Service,” and “Fraud-as-a-Service” describe sales models in which cybercriminals sell or rent hacking services (Hacking-as-a-Service) and malicious code to their colleagues to conduct illegal activities. The concept is revolutionary: the black market offers entire infrastructures to service malware (e.g. bullet-proof hosting, or renting compromised machines belonging to huge botnets), as well as outsourcing and partnership services, including software development, hacking services and of course customer support.
The majority of these services are offered in the underground economy on a subscription or flat-rate fee model, making them convenient and attractive. The principal cost of arranging criminal activities is shared between all customers. This way service providers increase their earnings, and clients benefit from a significant reduction of their expenditure, along with the knowledge needed to manage illegal businesses.
I’ve only touched on a few of the many, many types of attacks that are occurring daily.
So let me put this in perspective for you, using a fictitious case study with a worst case scenario.
Say you are a manufacturing company named TechCorp (fictitious and does not relate to any real world businesses with the same name), located across multiple countries including the US. You have a large research and development (R&D) arm to the company, and deal with financial transactions via your website and through other methods such as phone. You also, like many companies, have a lot of competition in the industry. You have 1,000 users. Here’s how it plays out…
TechCorp is targeted by an attacker. The hacker starts off by creating a botnet and a subsequent attack server for his attacks. This server is also responsible for Command and Control (C&C) of the botnet, phishing campaigns and malware distribution. The hacker also creates some malware and uses a crypting service to continually tweak it so that it is not detected by antivirus / endpoint products. When it reaches FUD (Fully Undetectable) it’s ready for use.
From there the malware is sent back to the phishing server, ready to be combined into a spear phishing campaign as a malicious attachment, and is then sent to the organisation. Once the malware has reached FUD state, it usually has a life span of between 12-24 hours before it may become detected, so for optimum results it needs to be used as fast as possible.
The attacker launches his campaign against TechCorp, and an end user opens the malicious attachment, thus installing a backdoor bot control and providing the attacker access to the corporate network (his initial entry point, from where he will launch the rest of his attacks).
The attacker furthers his attack on the network by escalating his privileges and deploying his malware to all machines. Once the malware deploys the bot component the malware is removed; however, all machines are now under the attacker’s control and are members of his botnet and subsequent C&C network.
From here the attacker compromises the servers on the network and starts exfiltrating company data, such as databases and file shares. Simultaneously the malware/botnet control on all the machines is using keyloggers to grab the users’ credentials and personally identifiable information for various internal and external sites and services.
The result of these two simultaneous attacks and data-gathering efforts is that the attacker now has the HR and financial data of the company itself and its clients. Customer data, databases, and users’ corporate and private credentials (such as webmail, internet banking, eBay, PayPal etc.) have been collected. All of this data then gets exfiltrated back to the C&C server or another file storage server. All of the data exfiltrated from the network is sold on the underground, and after this data has been exfiltrated, the attacker deploys a variant of CryptoLocker, thus requiring the company to pay more to salvage its data.
The workstations are then used in DDoS campaigns, and once the hacker has made all the cash he possibly can from this company compromise, he sells the botnet or rents it out, further expanding his revenue.
Meanwhile the company is left in ruins.
As you can see in the above example there are many different types of data that can be exfiltrated from an organisation and sold on the black market, and the results can, and usually are, devastating.
Ponemon have just released their annual cost of data breach findings and for companies in Australia the average per capita cost of a data breach increased from $141 to $145. The total average cost paid by a company due to a data breach increased from $2.72 million to $2.80 million, with 5% more customers found to be abandoning the company following the data breach.
Will your organisation encounter a data breach in the next 24 months? According to the Ponemon report the results show that a probability of a material data breach happening over the next two years involving a minimum of 10,000 records is nearly 18%. In addition to overall aggregated results they found that the probability or likelihood of data breach varies considerably by industry. Retail companies have the highest estimated probability of occurrence at 21.3% while transportation has less than a 1% likelihood of having a breach.
So there is only an 18% chance of my company having a breach, that’s low yeah? Are you willing to take the risk, and fork out the average breach cost of $2.8 million, plus the flow on effects of customer abandonment?
There are things you can do to stop your organisation lining the pockets of cybercrims and ensuring you are not in that 18%!
Deploy defence-in-depth strategies
Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls as well as gateway antivirus, intrusion prevention systems (IPS), website vulnerability protection, such as a WAF with malware protection, and web security gateway solutions throughout the network. Don’t just rely on one product.
Ensure you are performing regular, scheduled penetration tests
You should be performing pen tests at least annually to ensure no risks are present to your infrastructure.
Monitor for network incursion attempts, vulnerabilities, and brand abuse
Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious website reporting.
Antivirus on endpoints is not enough
On endpoints it is important to have the latest versions of antivirus/endpoint software installed. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including device control, application control settings, behavioural prevention capabilities and web protection. We recommend Webroot Secure Anywhere.
Use encryption to protect sensitive data
Implement and enforce a security policy whereby any sensitive data is encrypted. Access to sensitive information should be restricted.
This should include a Data Loss Prevention (DLP) solution. Ensure that customer data is encrypted as well. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organisation.
DLP to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use, and protect it from loss. Data loss prevention should be implemented to monitor the flow of information as it leaves the organisation over the network, and monitor traffic to external devices or websites.
- DLP should be configured to identify and block suspicious copying or downloading of sensitive data;
- DLP should also be used to identify confidential or sensitive data assets on network file systems and computers.
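As an added illustration of the discovery step above (example code written for this post, not from the original article or any DLP product): a small Python scanner that looks for payment card numbers in file contents, uses a Luhn check to cut false positives from other long digit strings such as serial numbers, and reports each hit with a masked number so the report itself does not become sensitive data. The file paths and contents in SAMPLE_FILES are constructed sample data standing in for a crawl of file shares and desktops; the card numbers are the well-known Visa and MasterCard test numbers, not real cards.

```python
import re
from typing import Dict, List, Tuple

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# dashes, not preceded or followed by another digit (so a 20-digit serial is not a hit).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the usual PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number found in text, separators removed."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given a map of path -> content, return (path, masked card number) per hit."""
    findings = []
    for path, content in files.items():
        for pan in find_pans(content):
            findings.append((path, mask_pan(pan)))
    return findings


# Constructed sample "files" (paths and contents are made up for this example).
SAMPLE_FILES = {
    r"\\fileserver\finance\refunds-2013.csv":
        "name,card,amount\nJ. Smith,4111 1111 1111 1111,120.00\n",
    r"\\fileserver\rnd\shipping-notes.txt":
        "Prototype serial 1234567890123 shipped to lab on 22/10/2013\n",
    r"C:\Users\alice\Desktop\receipt.txt":
        "Paid with 5500-0000-0000-0004, thanks\n",
}

if __name__ == "__main__":
    for path, masked in scan_files(SAMPLE_FILES):
        print(f"SENSITIVE: {masked} in {path}")
```

The 13-digit serial in the R&D note matches the digit pattern but fails the Luhn check, so it is not reported; that check is what keeps a discovery scan from drowning in noise. A production deployment would walk the shares and endpoints itself, add patterns for the other data classes the organisation cares about (customer records, staff identifiers), and feed the findings into the monitoring and blocking rules described above.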
Ensure all devices allowed on company networks have adequate security protections
If a bring your own device (BYOD) policy is in place, ensure a minimal security profile is established for any devices that are allowed access to the network.
Implement a removable media policy
Where practical, restrict unauthorised devices such as external portable hard-drives and other removable media. Such devices can both introduce malware and facilitate intellectual property breaches, whether intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.
Be aggressive in your updating and patching
Update, patch, and migrate from outdated and insecure browsers, applications, and browser plug-ins. Keep virus and intrusion prevention definitions at the latest available versions using vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organisation.
Enforce an effective password policy
Ensure passwords are strong; at least 10 characters long and include a mixture of letters and numbers, symbols and spaces. Encourage users to avoid re-using the same passwords on multiple websites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days.
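As an added example of enforcing the rules above (written for this post, not code from the original article): a Python module that checks a candidate password against the length and character-class requirements, keeps a history of salted hashes so a user cannot set a password they have used before, and flags passwords older than 90 days. The history depth of five is an assumption, as is reading "symbols and spaces" as requiring at least one of either; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from datetime import date
from typing import List, Tuple

MIN_LENGTH = 10
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5        # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 200_000  # assumption: slow hash so a stolen history file is hard to crack

# A history entry is (salt, pbkdf2 hash); the password itself is never stored.
HistoryEntry = Tuple[bytes, bytes]


def complexity_failures(password: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    if not any(c == " " or c in string.punctuation for c in password):
        failures.append("no symbols or spaces")
    return failures


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def was_used_before(password: str, history: List[HistoryEntry]) -> bool:
    """Compare against every remembered hash in constant time."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in history)


def record_password(history: List[HistoryEntry], password: str) -> None:
    """Remember a newly set password and forget anything beyond HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]


def is_expired(set_on: date, today: date) -> bool:
    """True once the password is more than MAX_AGE_DAYS old."""
    return (today - set_on).days > MAX_AGE_DAYS


def validate_change(new_password: str, history: List[HistoryEntry]) -> List[str]:
    """All reasons a password change should be rejected (empty list = accept)."""
    problems = complexity_failures(new_password)
    if was_used_before(new_password, history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    history: List[HistoryEntry] = []
    record_password(history, "Tr0ub4dor &3")            # constructed sample
    print(validate_change("Tr0ub4dor &3", history))     # reuse is rejected
    print(validate_change("correcthorsebattery", history))
    print(is_expired(date(2014, 1, 1), date(2014, 4, 2)))
```

Hooking a check like this into the directory's password-change path gives the policy teeth; the history list would live in the directory alongside the account, and the expiry check drives the reminder and lockout schedule.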
Ensure regular backups are available
Create and maintain regular backups of critical systems, as well as endpoints. In the event of a security or data emergency, backups should be easily accessible to minimise downtime of services and employee productivity.
Restrict email attachments
Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments. Ensure that mail servers are adequately protected by security software and that email is thoroughly scanned.
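As an added example written for this post (not code from the original article or from any mail product): a Python filter, using only the standard library's email package, that applies the extension block list above to a parsed message, strips the offending parts and tags the message so the action is visible to the recipient and in mail logs. The message built by build_sample() is constructed test data, and the sender/recipient addresses and the X-Attachment-Stripped header name are assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath
from typing import List, Tuple

# Attachment types the post recommends blocking at the mail server. The check is
# case-insensitive and looks at the final extension, so "Invoice.PDF.scr" is caught.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked(filename: str) -> bool:
    """True if the attachment filename ends in a blocked extension."""
    if not filename:
        return False
    return PurePosixPath(filename).suffix.lower() in BLOCKED_EXTENSIONS


def _strip(part: EmailMessage) -> List[str]:
    """Recursively drop blocked attachments from a multipart message, in place."""
    removed: List[str] = []
    if not part.is_multipart():
        return removed
    subparts = part.get_payload()          # the live list of child parts
    kept = []
    for child in subparts:
        name = child.get_filename()
        if name and is_blocked(name):
            removed.append(name)
        else:
            removed.extend(_strip(child))  # look inside nested multiparts too
            kept.append(child)
    subparts[:] = kept
    return removed


def filter_message(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 5322 message, strip blocked attachments and tag the result."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = _strip(msg)
    if removed:
        # Assumed header name; lets the recipient and downstream rules see what happened.
        msg["X-Attachment-Stripped"] = ", ".join(removed)
    return msg, removed


def remaining_attachments(msg: EmailMessage) -> List[str]:
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed test message: one legitimate PDF and two disguised executables."""
    m = EmailMessage()
    m["From"] = "accounts@example.com"
    m["To"] = "user@techcorp.example"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 (constructed placeholder)", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="Invoice.PDF.scr")
    m.add_attachment(b"WScript.Echo constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="run.VBS")
    return bytes(m)


if __name__ == "__main__":
    cleaned, dropped = filter_message(build_sample())
    print("stripped:", dropped)
    print("delivered attachments:", remaining_attachments(cleaned))
```

A filename check is one layer only: it does nothing for executables inside archives or for files whose content does not match their extension, which is why the post also asks for the mail server's security software to scan every message thoroughly. The stripped-attachment header is what lets the help desk explain to users why an expected file did not arrive.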
Ensure that you have infection and incident response procedures in place
- Keep your security vendor contact information handy, know who you will call, and what steps you will take if you have one or more infected systems;
- Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
- Make use of post-infection detection capabilities from web gateway, endpoint security solutions and firewalls to identify infected systems;
- Isolate infected computers to prevent the risk of further infection within the organisation, and restore using trusted backup media;
- If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied.
Educate users on basic security protocols
- Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
- Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
- Deploy web browser URL reputation plug-in solutions that display the reputation of websites from searches;
- Only download software (if allowed) from corporate shares or directly from the vendor website;
- If Windows users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), educate users to close or quit the browser using Alt-F4, CTRL+W or the task manager;
- Tell your users to stop clicking on things!
If you would like more information on our services, please feel free to get in touch!
Till next time,