When you visualize a hacker, what do you see?
Do you envision a young computer enthusiast coding in their basement, pounding Red Bull? A futuristic robot plugged into hundreds of servers deep inside a secret warehouse in the desert? A person from another country sporting a shaved head, smoking a cigarette, banging away on their keyboard? Chris Hemsworth from the movie Blackhat? Okay, that last one might be a stretch…
As this question crossed your mind, chances are you didn’t picture a global executive working for a well-organized business, complete with a high-tech infrastructure and employees and partners all working together with a common goal of achieving the best ROI (return on investment) possible.
Over the past decade, hackers have evolved beyond the individual hobbyists once portrayed in popular movies. Today, they collectively operate as both competing and collaborating global businesses supported by a full-blown cybercrime supply chain capable of generating billions of dollars annually. It is this hardcore business-like mentality driven through finely tuned enterprise-like operations that has allowed the hacker community to perpetrate many of the massive, record-breaking data breaches we’ve seen in the headlines over the past few years.
Their success in stealing billions of dollars and countless records from some of the world’s largest brands could suggest that the top hackers are demonstrating what’s possible. Or, their success could suggest that the best in the world are those whose methods remain undetected, unreported. Either way, the lure of big (“easy”) money has sent the business of fraud booming and cybersecurity professionals around the world scrambling to keep from crumbling under the pressure of impending doom.
With so many types of specialized hackers taking to their keyboards to exploit a growing number of unknown, undisclosed and unpatched vulnerabilities, fighting back against the hackers can feel like a never-ending uphill battle. Whether or not the cybersecurity professionals can win this battle has yet to be seen, though one thing has become abundantly clear — if we are to dismantle this massive fraud network, we must first understand how it all works.
Before the outbreak of big data breaches that have captured national and global attention, common sentiment about hackers was they were just seeking credit card data which they could either use themselves to buy stuff or sell to the highest bidder on the black market so they could buy stuff. While these two methods remain a major aspect of the business of fraud, it is clear that there is also a ton of value in the other data being accessed via these same attacks, namely account credentials.
Once an attacker gains access to a victim’s account credentials, he can typically see all of the sensitive data stored inside the victim’s account, including user name and address, phone, email, account details, methods of payment, financial and business contracts, intellectual property and more. This data is ripe for the picking — it just needs to be harvested, packaged, priced, sold and supported.
Maximizing profits is the focus of just about every business, and this is no different in the business of fraud. For today’s fraud business, achieving a positive ROI means focusing efforts on building efficiencies of scale that can return consistent results with minimal effort and money.
While there are some groups that aim for the big scores, these are few and far between. More often, these businesses will go after large groups of valuable account credentials, which can provide access to all sorts of information across the Internet: email accounts, social media accounts, mortgage accounts, tax portals, enterprise business systems, partner portals and more.
Who Will Buy The Data?
The initial compromise and extraction of credentials is just the start. This information isn’t always used by the people who originally performed the hacks and obtained the data. Rather, other hackers buy the information as a means to extract other valuable data from the individual or business, with the primary goal of making a quick buck. Different buyers have different skills and will focus on acquiring the data that will be of most value to them.
By and large, the transactions surrounding the stolen data are handled through deep web hacker forums dedicated to the listing and sale of this information. There are far too many of these black market sites to list, and they change all the time.
Suffice it to say, the sellers know where to list their data and the buyers know how to get their hands on the information most valuable to them from the most reputable sources possible. Funny enough, the business of fraud is one driven by reputation. The better the data offered, the more repeat sales will be seen, coupled with higher prices.
What Will They Pay For It?
Prices fluctuate based on a variety of variables. This breakdown of the different costs of items stolen by hackers gives a clear picture of what is most valuable in today’s world of fraud:
Based on these figures, one thing has become evident: It is more important to protect your email account than it is to secure your credit card. Why? Because if your email account is compromised, there is so much more at risk versus a credit card. Think of all the items contained in your email account; for example, if you’ve ever sent a loan application by email, it has everything needed to open new credit accounts, get loans and create false identities. It is the gateway to fraud, and can create personal online destruction if not protected.
The Supply Chain
Obtaining the credentials is only the first step. As with most goods sold, they have to make their way through the supply chain before reaching the end consumer. This is where the cybercriminal supply chain comes into play. While the system can certainly be much more complex than is described below, when it comes to the business of fraud, there are typically four main types of hackers who each have their own specialties.
First, there are the hackers who specialize in acquiring the credentials. They will look for easy prey, oftentimes a third-party vendor that does business with the real target from whom they want to extract data. They will research these targets, probing high and low for vulnerabilities in their networks that can be exploited in order to steal the troves of valuable credentials. Techniques by these hackers vary, from phishing scams to social engineering and more, but the road to success is always reliant on taking advantage of system and human weaknesses wherever they can be found.
Second, there are the hackers who focus on selling the stolen credentials. This is done primarily through online hacker forums. These forums set the prices according to the value and longevity of the credentials, and the ads are posted anonymously.
Next, there are the hackers who use the credentials to gain access to the consumable goods: credit card numbers, personally identifiable information, intellectual property, business contracts and more.
Of course, there are the hackers who specialize in using the stolen information. They search for unique ways to bypass fraud monitors that would otherwise block their use of information they’ve acquired. In the case of a stolen credit card number, this means utilizing the card details to purchase goods online that they can later sell. They will often lure unsuspecting people to serve as middlemen, getting them to agree (through payment or blackmail) to accept goods on their behalf, then forward them to the hackers so they can avoid detection for the crime.
Beyond the hackers and the end consumers of the stolen data, you’ll find a lot of people and organizations not directly involved in the hack but who indirectly support the hackers — sometimes unbeknownst to them. Whether advertising on hacker forums or establishing private networks for hackers to communicate and interact, they too are making some serious money just by being part of this “ecosystem.”
The business of fraud continues to grow and evolve every day. Companies continue to innovate and deliver new technologies that require credentials, and hackers continue to find these new platforms to exploit using new techniques to profit from the information they steal through the compromised credentials.
Sure, there are ways to protect user credentials so their accounts are safe, but individuals and companies fail miserably to follow the best practices and employ the appropriate technologies in the places that matter most — email for example. One effective and proven method to protect accounts is to turn on two-factor authentication wherever it is available. If it’s not clear how and where this can be accomplished, you can gain an initial view of how it can be applied to the most common web properties at www.turnon2fa.com.
Startling Growth In Mobile Fraud
Stolen credit cards on mobile devices are becoming harder to track, and mobile e-commerce fraud is affecting enterprises around the world — to the tune of billions of dollars annually.
But it’s not just about credit cards; mobile devices are home to a number of personal and business applications, many of which have access to sensitive, private or otherwise confidential information. With 19 percent of companies surveyed by TeleSign reporting that up to half of their fraud incidents were due to mobile, it’s clear this environment is fertile ground for credential harvesting. And, given that 1 in 4 businesses currently lack a requirement for log-in identification for mobile users, there is tremendous room for improvement.
Is There Hope?
Many businesses and groups are beginning to make big strides in developing new systems and techniques to block hackers in the places they work most. Governments are also taking steps to better assist their citizens on the wild frontier of the Internet. As two examples, the United States recently instituted a cybersecurity sprint to address vulnerabilities in key networks, and the U.K. is in the process of installing new regulations to better protect the financial sector and their customers.
These measures, while demonstrating a desire to tackle fraud, represent only one step of many that must be pursued with constant attention. Hackers have shown they have the upper hand and are adept at evolving to stay ahead of the security professionals. And, at the end of the day, the business of fraud will continue to develop. It is on all of us, as individuals, groups and organizations, to do our part in protecting ourselves and building a better, safer online experience for all.