Avoiding Fuelling the Cyber-Crime Economy


We all know that the prices of key commodities such as oil, gold, steel and wheat don’t just impact individual business sectors as they fluctuate according to supply and demand:  they also power international trading markets and underpin the global economy. And it’s exactly the same with cyber-crime.

The prices of key commodities in the cyber-crime economy – such as stolen credentials, hacked accounts, or payment card details – not only reflect changes in supply and usage, but also influence the types of attack that criminals will favor.  After all, criminals are just as keen to maximise return on their investments and create ‘value’ as any legitimate business.

A recent report gave the current average prices during 2020 for some of these cyber-crime commodities on the Dark Web. Stolen credit-card details start at $12 each, and online banking details at $35. ‘Fullz’ (full identity) prices are typically $18, which is cheaper than just two years ago due to an oversupply of personally identifiable information following several high-profile breaches. A very basic malware-as-a-service attack against European or U.S. targets starts at $300, and a targeted DDoS attack starts at $10 per hour.

Extortion evolves

These prices help to explain one of the key shifts in cyber crime over the past two years:  the move away from ransomware to DDoS attacks for extortion. Ransomware has been around for decades, but on a relatively small scale, because most types of ransomware were unable to spread without users’ intervention. This meant attacks were limited in their scope to scrambling data on a few PCs or servers, unless the attacker got lucky.

But in 2017, the leak of the ‘EternalBlue’ exploit changed the game. Ransomware designed to take advantage of it – 2017’s WannaCry and NotPetya – could spread automatically to any vulnerable computer in an organization. All that was needed was a single user to open the malicious attachment, and the organization’s network could be paralyzed in minutes – making it much easier for criminals to monetize their attacks.

While this drove an 18-month bubble of ransomware attacks, it also forced organizations to patch against EternalBlue and deploy additional security measures, meaning attacks became less effective. Sophisticated malware like WannaCry and NotPetya cost time and money to develop, and major new exploits like EternalBlue are not common. As such, use of ransomware has declined, returning to its roots as a targeted attack tool.

DDoS deeds, done dirt cheap

DDoS attacks have replaced ransomware as the weapon of choice for extortion attempts. As mentioned earlier, a damaging attack is cheap to launch, using one of the many available DDoS-for-hire services at just $10 per hour or $60 for 24 hours (like any other business looking to attract customers, these services offer discounts to customers on bigger orders).

Why are DDoS attacks so cheap?  One of the key reasons is DDoS-for-hire service operators are increasingly using the scale and flexibility of public cloud services, just as legitimate organizations do. Link11’s researchshows the proportion of attacks using public clouds grew from 31% in H2 2018 to 51% in H2 2019. It’s easy to set up public cloud accounts using a $18 fake ID and a $12 stolen credit card, and simply hire out instances as needed to whoever wants to launch a malicious attack. When that credit card stops working, buy another.

Operating or renting these services is also very low-risk:  the World Economic Forum's ‘Global Risks Report 2020’ states that in the US, the likelihood of a cybercrime actor being caught and prosecuted is as low as 0.05%.  Yet the impact on the businesses targeted by attacks can be huge:  over $600,000 on average, according to Ponemon Institute´s Cost of Cyber Crime Study.

Further, the Covid-19 pandemic has made organizations more vulnerable than ever to the loss of online services, with the mass shift to home working and consumption of remote services – making DDoS attacks even more attractive as an extortion tool, as they cost so little, but have a strong ROI. This means any organization could find itself in attackers’ cross-hairs:  from banks and financial institutions to internet infrastructure, retailers, online gaming site, as well as public sector organizations and local governments.  If services are taken offline, or slowed to a crawl for just a few hours, employees’ normal work will be disrupted, customers won’t be able to transact, and revenues and reputation will take a hit. 

Make sure crime doesn’t pay

To avoid falling victim to the new wave of DDoS extortion attacks, and fuelling the cyber-crime economy through ransom payments, organizations need to defend their complex, decentralized and hybrid environments with cloud-based protection. This should route all traffic to the organization’s networks via an external cloud service, that identifies and filters out all malicious traffic instantly using AI techniques before an attack can impact on critical services – helping to ensure that those services are not disrupted.  Online crime may continue to be profitable for threat actors – but with the right defences, individual organizations can ensure that they’re not contributing.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/3gNy0f3"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more