Author Kerry Matre says that to win in the marketplace and beat competition your organisation must innovate. Hackers are no different, and there is an entire marketplace out there trying to benefit financially from legitimate business. Understanding the value-chain of this underground economy helps to disrupt it and radically reduce risk.
Matre says, “What we found were mainly mature businesses that look a lot like ours. These organizations are profit driven. They want to use the fewest resources to get the greatest gain. They have clearly defined motivations.”
- They compete in their marketplace on innovation, on quality, on price…
- They even have departments like HR, sales, marketing and even customer support.
- They have finance functions to launder money and even have access to legal resources.
- It is quite fascinating how similar their organisations are to ours.
Hackers follow the money – hacktivists want revenge
Perhaps for the first time, HPE has put the various forms of hacking into a quadrant chart with the two axes covering potential for payout, and effort and risk.
This quadrant shows that ad fraud (hijacking ad clicks or serving fake ads to generate traffic – see iTWire article here) has the highest returns for the least effort – it's easy. Hacktivism has no return but is also very easy. Ransomware (extortion) is also relatively high on the return scale and of mid-difficulty.
HPE identifies the major risks as:
- Ad fraud: deliberately attempting to serve ads that have no potential to be viewed by a human user. Attackers set up a page of ads and have bots visit to generate fake traffic. Since it looks like the ads were viewed, the advertising network still gets paid.
- Credit card fraud: One of the largest headline-grabbing types of internet-based underground crime. It involves either skimming bankcard numbers and PINs from point-of-sale (POS) and automated teller machine (ATM) systems, or stealing data from back-end systems. Attackers make money selling the bankcard information. They can also make money creating physical cards from the stolen information. These enable “card present” and “card not present (CNP)” fraudulent purchases. These purchases are usually for easily sellable assets that can be used as “underground currency.”
- Payment system fraud/Bitcoin mining: Relatively new to the industry, this type of business involves stealing money through alternative payment systems including PayPal, Apple Pay, and Bitcoin. Attackers make money by stealing money directly or laundering the money once it has been taken.
- Bank fraud: This older business involves hacking into online banking systems and transferring money from one valid account to another account owned by the attacker. Money can be made through direct funds transfer and commonly via wire transfers, or by selling network and vulnerability information about the bank system. These types of businesses often incorporate in specific regions of the world, to inhibit or elude investigation and interdiction.
- Medical records fraud: This usually involves stealing personally identifiable information (PII) from electronic medical records, health information exchanges, and other health systems. The data is then sold for insurance fraud or identity theft purposes. Since this type of attack is newly emerging and some international attacks have been reported, it is likely that new forms of fraud will occur over time.
- Identity theft: This involves stealing information about individuals' identities. Attackers make money by selling this information, including addresses, social security numbers, and credit information. The stolen information can be used to open lines of credit or to create other identities for use in other businesses listed above or simply as currency for the underground marketplace.
- Credential harvesting: This involves stealing user names and passwords, often via phishing emails containing links that serve a fake but seemingly legitimate webpage and capture user credentials for banking sites, etc. This information can then be sold to those involved in the businesses listed above. More often, these credentials are stolen in database thefts and then the dumps are sold in the underground.
- Bug bounty: Identifying application vulnerabilities has become a lucrative business with its own marketplace and players. Vendor and third-party programs (the ZDI, Bugcrowd, Microsoft®, United Airlines, etc.) operate in the white market to remediate vulnerabilities before they are exploited in the wild. Gray and black markets purchase vulnerabilities and full exploits for private use, often weaponisation (black) or to spy on private citizens suspected of crimes (grey).
- Extortion: This often targets higher-level employees or systems and datastores. Ransomware, installed on a system, prevents users from accessing their systems by either locking the computer screen or encrypting files with a password. The attacker demands a ransom in order to release the files. The ransom values may vary, ranging from US$500 to US$50,000 or even higher.
- IP theft: This involves stealing intellectual property. Such activity has been seen in the electronics industry (cell phones, tablets, etc.), as well as in the defence industry (war planes, weapons, etc.). It has even been seen in the entertainment industry (movies, software, etc.). Attackers make money by being “employed” to infiltrate the organisation in order to obtain access to the targeted intellectual property and sell it to the target’s competitors.
Then there are the five main types of hackers.
Hackers also have SWOT moments
The 20-page free report (registration required) is interesting reading. There are many more insights into the nefarious, recidivist hacker psyche.
I will skip to the summary:
The business of hacking is a business just like ours. If we think of it like a business, like a competitor, then we can prioritise the most effective efforts to disrupt it.
All enterprise security technologies are intended to slow attackers in some way, with varying degrees of effectiveness. Some are effective at deterring opportunistic attackers (patching) but are ineffective with targeted attackers. Others are successful at reducing attacks of one type (EMV chip and pin credit cards), but lead attackers to move to alternate attack vectors (mobile payments). It is our duty as a legitimate enterprise to introduce these technologies to disrupt the business of hacking on a continuous basis. It is critical that an enterprise determine which technologies will be most effective at disrupting the adversaries targeting their unique business.