Every day we hear about another hacking incident. These attacks have become so common that people are becoming numb to them. Who was attacked, the amount of data or money stolen, or where the attack originated are almost trivial at this point. I believe it is time to start to understand the motivations behind the most common attacks in order to protect against them. I am bad at keeping secrets, so I will spoil the ending: the reason is money. Let’s look at how these high-tech heists cash in.
Flooding the news headlines as of late has been the attack method known as ransomware. As a friendly bit of advice, the FBI will never lock your computer and ask for money.
What is happening?
Ransomware is an attack that first and most importantly encrypts key files on a computer. The key needed to decrypt them is then made available after a transfer of funds, most commonly bitcoin, to an offshore account of the threat actor’s choosing.
Why it works
This attack is extremely effective, despite being quite easy to prevent, as it preys on the following.
- Faulty or incomplete system backups. If you can restore your data to the time right before it got encrypted, you don’t have to pay. Whether government, commercial, or residential, it has been proven that far too many do not have adequate backup solutions in place.
- Outdated software and poor environment design. I combine these as they both deal with the current state of systems. For all systems, make sure the operating systems and applications are ROUTINELY updated, especially in regards to known security issues. This isn’t a once-a-year thing. Do not put your databases or critical data on systems accessible directly from untrusted sources; elaboration not needed.
- Poorly trained staff or users. The most common and weakest link in any environment is the human element. If they are not aware of what a phishing email looks like, or that they should not click on pop-ups, then problems will soon arise, I guarantee it. Security awareness training is worth its weight in gold.
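The first bullet above only holds if a backup can actually be restored to the state just before the files were encrypted. The script below is an added example, not code from the original post: it records a manifest of file hashes for each restore point, picks the most recent snapshot taken before a given incident time, and checks a restored directory against that manifest so that overwritten, missing or newly dropped files are reported. The directory layout, file names, timestamps and the simulated encryption in demo() are all constructed for illustration.

```python
# Added example (not from the original post): verify that a backup can be
# restored to the state just before a suspected encryption event.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def take_snapshot(root, taken_at):
    """Record a restore point: when it was taken and a hash of every file."""
    return {"taken_at": taken_at, "files": hash_tree(root)}


def last_good_snapshot(snapshots, incident_time):
    """Pick the most recent snapshot taken strictly before the incident."""
    candidates = [s for s in snapshots if s["taken_at"] < incident_time]
    return max(candidates, key=lambda s: s["taken_at"]) if candidates else None


def verify_restore(snapshot, restored_root):
    """Compare a restored directory against the snapshot manifest.

    Returns files that are missing, files whose content differs (for example
    overwritten with ciphertext), and files not in the manifest at all (for
    example a dropped ransom note).
    """
    expected = snapshot["files"]
    actual = hash_tree(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "extra": sorted(set(actual) - set(expected)),
    }


def demo():
    """Constructed scenario: one clean snapshot, then a simulated encryption."""
    work = Path(tempfile.mkdtemp())
    live = work / "live"
    live.mkdir()
    (live / "ledger.csv").write_text("acct,amount\n1,100\n")
    (live / "notes.txt").write_text("quarterly review\n")

    # Day 1: a known-good restore point, kept as a full copy plus its manifest.
    day1 = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    backup_day1 = work / "backup_day1"
    shutil.copytree(live, backup_day1)
    snapshots = [take_snapshot(live, day1)]

    # Day 2: files are overwritten with random bytes (standing in for
    # ciphertext) and a note is dropped; this is the simulated incident.
    (live / "ledger.csv").write_bytes(os.urandom(64))
    (live / "notes.txt").write_bytes(os.urandom(64))
    (live / "README_RESTORE.txt").write_text("simulated ransom note\n")
    incident = datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc)

    # A snapshot taken after the incident would only capture the damage,
    # so last_good_snapshot() must skip it.
    snapshots.append(take_snapshot(live, datetime(2024, 3, 2, 10, 0, tzinfo=timezone.utc)))

    chosen = last_good_snapshot(snapshots, incident)
    damage = verify_restore(chosen, live)  # what the live tree lost

    restored = work / "restored"
    shutil.copytree(backup_day1, restored)
    check = verify_restore(chosen, restored)  # does the restore match the manifest?

    shutil.rmtree(work)
    return {
        "chosen_taken_at": chosen["taken_at"],
        "damage": damage,
        "restore_clean": not any(check.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running the same verify_restore() check against a scheduled test restore, rather than only after an incident, is what turns a backup job into a backup solution: a manifest that no restored tree ever matches is the "faulty or incomplete backup" the bullet warns about.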
How is it profitable?
This is an amazing source of income for organized crime. These attacks are automated and require very little actual labor cost to implement. The targets do the majority of the work by clicking on links, or leaving access to their environment wide open for an automated attack. Once implemented, the target has two choices: pay or lose their data. The threat actor does not really care which; they do not pay much attention to who they are targeting, as this is purely a statistical approach. The more systems are affected, the more instances where they will get paid. If you doubt how successful they are, many new variations of ransomware now provide a convenient chat session where you can talk directly with the threat actors, in real time. They actually have customer service reps that are there to make the process smoother. Though they are stealing money from you, they want it to be a seamless experience. There is nothing worse for business than a complicated process for resolution or goods that are not delivered as promised. People are often shocked to find that in most cases, the data is recovered after the ransom is paid. It’s because of this and the overwhelming number of cases that law enforcement often recommends just paying the price.
Distributed Denial of Service (DDoS) is used for hacktivism (a topic for another day) or, more commonly, for profit. It is an attack that shuts down access to critical systems by flooding them with traffic. This often leads to slow systems, nonresponsive sites or, worse, systems that are entirely offline.
What is happening?
A threat actor will dump large amounts of traffic onto key points in order to overwhelm them. The traffic commonly originates from large botnets. These botnets are large groups of machines (bots) that have been infected with malicious programs. These bots can range from servers to the new internet-connected fridge you just bought. Once a command is sent out to the botnet, all these machines will start sending traffic to the target. It’s harmless when a few bots send out traffic, but when it becomes millions of bots, ouch. While it can be perceived as relatively harmless, the botnets are in fact one of the most feared weapons in existence. This is because they cannot be destroyed. The command servers or programs can be stopped or shut down, but the delivery system is too large and too diverse to be stopped. It will always be a loaded digital weapon.
Why it works
Much like ransomware, this attack targets availability. Often the timing of the attacks is chosen to maximize the damage done and to motivate the target to meet the demands of the attacker. By choosing critical windows of time, they force the targets to make quick decisions under stress, which increases the odds of a payout. Neither the speed nor the count of the systems matters; the gateway is what is being attacked. It is the narrow chokepoints of entry that exist in every application or process that a DDoS attack capitalizes on.
How is it profitable?
The ability to utilize a large existing workforce (botnets) to deliver an attack to a very specific target is scary. What is more chilling is that anyone can have access to this attack method for an hourly rate. Currently the average cost is between $20 and $40 an hour. And if you think it’s only available to those who live in the “dark web”, I apologize for bringing bad news. You can search for DDoS for hire and numerous options will be presented. For the threat actor, it comes down to a cost-benefit analysis: how much can I spend an hour, and for how long, in order to get them to give up. It is that simple. By applying great pressure at a critical time, these criminals can quickly and efficiently hold your business hostage.
Smash ‘N Grab
Be it credit card information or personally identifiable information (PII), digital records are actively traded on the black market. The supply and demand of this underground economy is fueled by virtual thievery.
What is happening?
Either by attacking the users through social engineering, or by exploiting vulnerabilities in a program or system, threat actors gain access to the target’s most critical data. These attacks are not stealthy, nor do they try to be that discreet. They probe the environment for any opening and, once one is found, move in to quickly acquire the goods. The information is quickly extracted and that’s it. These attacks are often prone to repeat attempts, as the first attempts are not only successful but unnoticed.
Why it works
There are two reasons for the success of these attacks: the driver and the enabler.
- Driver: PII and credit card data will always be in demand. If there is a buyer, there will always be a seller, and in turn product needs to be obtained.
- Enabler: In general, despite being very aware of the possibility of attack, businesses do not adequately protect their information. It is easy to steal when you leave the doors and windows open.
How is it profitable?
With access to targets in high availability, threat actors only have to concern themselves with the market demand for what they have. While an active credit card number with all needed information may go for under $20 each, a PII record can go for considerably less. Even in volume, it does not drive much in the way of profit. The real money is made with what is done with the newly acquired records. Fraud, across commerce and insurance, is a trillion-dollar industry. By taking advantage of the convenient “pay now, verify later” mentality that exists in our virtual society, threat actors have created a very large revenue stream. This attack method will not be leaving anytime soon either. This has been going on for so long that companies are putting the expected losses due to fraud into their budget and then passing the cost down to end users, who were the actual victims of identity theft to begin with. This attack works because it’s more cost-effective for a business to increase the cost of goods than to implement the correct solutions to protect the customer’s information.
Conclusion and Call to Action
It does not matter who was recently attacked or where the attack came from. It is important to start to understand why these attacks occur and that they will continue to happen. We can start to see that there are threat actors driven by the same numbers and metrics that a traditional business is. When it comes down to it, they are looking to make a profit, and for them business is good.
To learn more about this topic and many others regarding information security, sign up for our newsletter below or check out our other blogs, white papers or podcast series.