Small Organisation owners and employees often base the whole of their security posture on the belief that, as a Small Organisation, hackers and attackers will not be interested in them because they don't have the revenues that large Organisations have. In this episode we explain why this and other myths are wrong and should not be used as a basis for managing cyber security risks.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO of Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to hacker myths held by Small Organisations
In this episode, we're looking at hackers, the myths around them and their motivations in attacking Small Organisations.
When we talk to Small Organisations, many often ask: Why do I need all this costly or time-consuming protection? What's a hacker or cyber-criminal going to do with my Small Organisation? What have I got of value that makes it worth their time attacking my organisation instead of a larger one?
In exploring some of these questions we look into who the attackers are, their tools, how they make money and the impact they have on Small Organisations. As we go through these myths it will become clear that they are related and reinforce each other, which makes responding to them easier.
Myth: Attackers are Hackers
One of the longest running forms of fraud is the technical support scam, where the only thing an attacker needs is a telephone line. They ring up a Small Organisation and claim to be from Microsoft, the internet service provider, or some other service the Organisation is likely to use. After introducing the service they supposedly represent, they say they've spotted malicious or unusual activity. This is the hook to get the person at the Organisation to do a little test whose result will appear to show that something is wrong, even though there actually isn't.
There is another type of call where the scammer asks the Organisation to do a search for the word "virus" in a command prompt, and the result looks really bad. I remember one from over a decade ago where they asked Organisations to look for a particular file whose icon was a skull and crossbones, and it would convince people that something was indeed wrong when it wasn't. This was all aimed at getting users to install a fake fix. Not only that, but the fix had to be paid for immediately by credit card.
It was that simple: there was literally no need for any computer technology or hacking by the criminals. This is known not only as scamming or conning, but as social engineering. In today's world some technology may be included as well, where they ask for remote access to your machine to "fix" the problem and then install malware directly, or ask the user to install software that lets them control the device remotely.
Myth: There can't be much money in it
The underground economy (the term used by experts to describe the criminal economy for buying and selling illegal products, services and tools) has been growing really quickly, with activity continuing to rise year on year.
There is a lot of specialism in everything now, whether the products are real or fake, and basically everything is fair game as far as criminals are concerned. It is possible to buy almost any type of tool, where the customer will get guarantees of its success. It is possible to simulate attacks, hire someone to attack people you don't like, or find people who would be happy to do almost anything, from attacking banking websites to attacking competitor websites.
Although it's possible to buy almost anything and everything, there are also scams where there are no products, or just fake products, some only selling to customers who pay in Bitcoin. Activity has been growing further because there are a lot more tools available than there used to be. This has partly grown because there are a lot of people in today's environment looking for other forms of income generation.
However, even if people aren't using the underground economy to intentionally get into cybercrime, some are getting into it innocently when they see adverts in the media for part-time work from home. They are asked to become an "account manager", where the only activity involved is managing bank accounts and transferring money from one account into another. This is criminals enlisting innocent people to clean their money for them. There are many similar so-called part-time jobs where innocent people become money mules for cybercriminals.
Because of the current economic climate, where people are more desperate for money, more people may be getting into crime, whether through scams run from foreign countries or as innocent people trying to earn a living.
This means that every activity or piece of information collected, no matter how small, has a collective value to someone in the underground economy. For example, a single email address is not worth very much, but one million verified email addresses are worth more than 50 million unverified ones. The verified ones will be used by thousands of attackers to send out spam and phishing messages, and each time the list is used there will be a payment for using it. The same principle applies to everything from passwords to victims who have fallen for scams to compromised devices. There is money in numbers.
Myth: Everyone participating in the underground economy is a criminal
Yes, the money mules are a massive problem because people are tricked into thinking that they've got a legitimate job. It's advertised in proper job listings as being an independent financial consultant, but all they're really doing is money laundering for the criminals. These ads often say that the recruit gets to keep 10% of all the deals, and the criminals are happy to pay that commission because they need some way of converting their ill-gotten gains into something they can use in the real world. Whether they use currencies like Bitcoin, or use money mules where one money mule passes funds to another money mule and so on, it all becomes harder to trace, which is what they want to achieve.
Whether it's fake products or real products, there is a whole service industry now on the underground. Criminals are selling to other criminals because they realised that, rather than fight each other, it's easier for each to take a niche role in the whole supply chain. And then, because they're not having to fight, they can constantly improve everything, and the level of skill that's needed has become much lower.
This is best illustrated by the fact that anyone can sign up for "ransomware-as-a-service" and pay nothing up front, on the basis that the service provider takes a cut of whatever is extorted, and all the user has to provide is an email address list. That's all would-be criminals need to get going; there is no need for any real technical skill.
Furthermore, there's always a chance that criminals will steal from other criminals. The saying "there's no honour among thieves" is common, and there's always that risk. But generally there seems to be a common understanding that they're better off collaborating than competing, especially since there are billions of potential targets, meaning there's enough to go around; they don't need to compete.
Myth: Small Organisations have nothing of value
It's a complete myth that Small Organisations have nothing of value; they've got everything criminals want: bank accounts, assets, computers, service accounts, and customers with email addresses. So, whether it's fraud, extortion, theft, or repurposing assets for their own criminal use, Small Organisations are perfect for criminals. Not only do they tend not to be as robustly protected as larger Organisations, but many of their clients may be larger Organisations.
This means that, apart from not being as effectively protected as larger organisations, Small Organisations are a stepping stone into larger Organisations, to be used for things like invoice fraud and other fraudulent activities, as well as having their own bank accounts emptied. Because of this, Small Organisations are an attractive target for a lot of cyber-criminals, and because there are over a million Small Organisations in the UK, for example, they're more likely to be hit.
Myth: There is no reason why I would be targeted
Following on from that, in practical terms, the approach most criminals take is that it's a numbers game: if they send out X messages, then Y of them will be successful.
It is the same approach that any sales and marketing team in any Organisation takes on a daily basis. They know that as long as they achieve the numbers in the right way, they will get the revenues they want, and the numbers will work in their favour. It's as simple as that.
So, although in most cases a Small Organisation is not targeted in particular, it might be that the organisation responded to a particular email campaign for a free eBook, the website hosting it was compromised, and innocent Organisations were added to an email list. That list then gets sold thousands of times, each sale resulting in spam or phishing messages over a period of years. Or it might be that an automated tool pinged the Organisation's network or website IP address and the router responded in a way it shouldn't have. Now attackers know that router or server is worth targeting, and as a result of that one response it will be continuously targeted for a long time. It is a numbers game, nothing personal.
Because these things are a numbers game, every time a Small Organisation's devices or other assets (email, web server, router, etc.) respond in a particular way, they end up on further lists which are also sold many times over. The worst thing any Small Organisation can do is to pay a criminal, because once they have paid, they are identified as a payer and therefore get targeted even more often.
Myth: Why would attackers want to harm my Organisation?
After understanding that their Small Organisation has many points of value, owners often move on to ask: why would hackers want to harm my Organisation? I'm just a Small Organisation.
Basically, what attackers are looking to work out is how they can convince an organisation to give them money. And if that means giving the organisation a bit of pain via ransomware, or anything else, that's what they'll do. The goal is not necessarily to cause harm, but to convert any assets they have access to into cash.
Myth: Attackers must be highly skilled
In terms of expertise, Small Organisations often think that an attacker has to be very skilled to be able to attack them, and that since there's a skill shortage in cyber security all over the world, there's no way attackers will be skilled enough to attack them successfully.
The first myth we covered, about attackers being hackers, demonstrated that not all attacks require any hacking skill whatsoever to infect someone's machine. It's simply a case of being able to talk to people and convince them. In the same way, a burglar doesn't need to pick the locks on a house if they can just turn up posing as a gas engineer, say they're investigating a report of a smell of gas and ask to check the meter. They are now in the property; it's the same thing.
It's all about how they present themselves. The little bit of information that a person gives them on a phone call can be followed up with a message by text, email or social media based on that call, and it builds up. So it's very easy to be attacked and fall victim to these people, because it's not just technology; there's a whole psychological side to it that makes it work.
The sad fact is that the expertise needed nowadays is not that great. The tools available to hackers (which we'll cover shortly) are developed so that users do not have to be experts in hacking or attacking to use them against a target. Although there are obviously some expert hackers around, most attackers use tools which do most of the work for them, because the tools are developed as a suite with everything a user needs for that type of attack, meaning they don't have to be an expert; they just have to pay for the tools.
Myth: The costs are too high compared to the benefits
Another aspect of attacks that Small Organisation owners tend to forget is that there are many countries with economies where people have very few options for employment and income generation. In some of those countries there are few options left open to city workers other than to work for criminals, using these tools to attack people abroad.
These criminals go where the money is, and the money is in the wealthier countries, not those with high poverty levels. So, even though Small Organisations may not get attacked by criminals within their own country, there's a great chance they could get attacked by criminals from foreign countries where the standard of living and incomes are lower.
In many cases these attackers target Organisations which are not in their home country, because the wealth is seen to be in foreign countries. Additionally, they know that if they get caught attacking people within their own country there's going to be greater stigma and penalty than if they attack Organisations and people abroad; "nobody will care" is the attitude in some respects. There is also the factor that local law enforcement in those jurisdictions may be easier to bribe or intimidate, and the criminals make far more money. Some research has shown that these criminals don't feel they are doing anything wrong by taking money from people in countries that have more money than they do.
Myth: Hackers work alone and develop their own simple tools
It's amazing how some of the available tools have developed, so much so that even the after-sales services for them have developed like those of commercial organisations. Yes, they are criminals and may not be able to trust each other. However, some of the criminal tools come with guarantees that they will evade certain anti-malware products, certain firewalls or certain routers, and that users will be able to achieve certain results.
It's interesting that there has been a growth in easy-to-use tools which have taken away the expertise that was once required. Now many of these tools are set up for complete automation, and the user just picks and chooses, then drags and drops. The business models too have been expanding to let anyone with an interest generate revenues. All a criminal needs to do is supply the time to buy or use one resource from one service, take it to another service and share the income.
Just like some of the online graphical interfaces out there, the user just drags and drops whatever they want, and the tools produce the results. So it has been getting easier and easier for non-technical people to get involved in these sorts of criminal activities, whether it's phishing, spreading malware or running a botnet, because there are so many different roles that desperate people can take on. It is surprising and shocking how it's been growing over the last few years.
Myth: Attackers only work for themselves
Criminals have found ways to monetise every part of their supply chain: from people harvesting emails, to the ones sending out the spam that infects machines, others making the calls and using the remote access trojans, others snooping around and stealing, and others deploying ransomware and making the demands.
It's really sad that an Organisation can be infected with ransomware and be given a number to ring a help desk who will guide them on how to pay to get their unlock keys; it's very well organised now. Sometimes it feels like it's much easier to talk to criminals on their help desk than to call legitimate service providers, which is a crying shame.
Myth: Email accounts are harmless and can't be monetised
Attackers are targeting anything and everything; there's nothing a Small Organisation has got that could not be used in some way, shape or form. As long as it's electronic data, there's absolutely nothing criminals can't use. As mentioned earlier, the fact that Organisations have user accounts, bank accounts, email accounts, all the different social media accounts and service accounts makes it easier. In today's world we have online accounts for absolutely everything, and all of them can be abused in the same way that a hacked email account can be used to spread messages to other people.
I had an email recently from someone I know. In that email was an attachment, and the attachment itself was an email message. The main email message told me to open the attachment for the file I had requested. I hadn't requested any file, and the fact that there was an email within an email made me suspicious. So I replied and asked: is this from the person it is supposedly from, and what is the attachment? I do not open email attachments like this. Was it you, or have you been hacked? The response came back saying, "I've been hacked." That person is a security contact, which illustrates how easily this can happen and that we all need to be suspicious and cautious to be able to pick out things that are not right. But it seems it is easier for attackers to use a compromised account.
That sort of thing happens all the time. I have received in the past LinkedIn messages from respected people in the House of Lords where a message from their account provides a link for me to explore a project. That too was from someone who had managed to gain access to a legitimate account. The attackers want to use the credibility and goodwill of someone respected, be it a service provider, a Lord or a cybersecurity training company, to spread malware to other people.
Myth: Email data cannot be monetised
We received a phone call once from someone stating that my boss was apparently trapped, with no money, in a foreign country and desperately needed money transferred to him. We got a phone call asking if he was okay. We said yes, he's sitting in the corner! It turned out his email had been hacked, and the criminals were trying to monetise it by sending messages to everyone on his address list saying he's in trouble, send money now, knowing that a certain percentage of people will likely try to help out.
If it's a plausible story, once someone has access to a user's organisation email account, they can go through the history and see who it has been invoicing, how much, who the suppliers are, what the company buys, how much it pays, and so on.
I know of incidents where people have turned up and taken delivery of new computers that the company never ordered. Someone was waiting at the right time in the loading bay because they knew from the tracking codes when the computers were due to arrive. So attackers were able to fraudulently get hold of computers, happily collecting them while the innocent company picked up the bill.
There are so many ways criminals can monetise once they've got access to some information, whether it's accessing the email account or putting a remote access trojan on the user's machine and sniffing around if they want to be patient; there's no end to the possible activity and what they can get up to.
Myth: Attackers can't make money from my email address
The next one is data. The buying and selling of data may include the contents of hacked devices, email address lists, vulnerable websites with exploits, or lists of people who are known to have paid out. All data, depending on the volume, the content, whose it is and what other data it can be connected to, can be sold several times over. Additional value can be created by understanding or predefining the use of the data. For example, a random list of bank account details would be worth less than a list belonging to extremely wealthy organisation leaders.
The key thing is that this way of monetising data works best by selling it many times over. This is why, when someone's email details are compromised, it is rarely just one issue they end up dealing with, or only one spam or phishing email they receive; it will be many, over a long period of time, as each new purchaser of that information makes use of it. That is what makes the monetisation of data so valuable.
Myth: Accounts can be blocked before attackers monetise them
Let's look at some of the ways these information assets can be used. The most obvious thing attackers are after is cash, and the main way they expect to get it is for people to pay it into an account controlled by them or someone they know.
To get cash into that account, some criminals attack professional organisations which expect to deal in transfers, like lawyers who do conveyancing (buying and selling property for clients). There the attackers may intercept messages or send "updated" payment details for where the money is to be paid. There have been lots of instances over the last few years where solicitors have been caught out by these sorts of attacks: criminals hacked into email, understood what was going on and were therefore able to redirect payments to their own accounts.
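Two of the tricks described in this episode can be screened for with a few header and MIME checks: the "email within an email" attachment from a compromised contact described under the email-accounts myth above, and the conveyancing messages that quietly change where money should be sent. The script below is an added example written for this page, not code from Virtually Informed or either host. It uses only Python's standard email library; the three sample messages and the list of payment-change phrases are constructed for illustration and are not a published indicator set.

```python
"""Screening checks for an attached message inside a message, a Reply-To that
points somewhere other than the visible sender, and payment-redirection wording.
Added example for this page; samples and phrase list are constructed."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Wording that commonly accompanies invoice-redirection attempts.
# Assumption for the example: tune this to the phrases your own fraud cases use.
PAYMENT_CHANGE_PHRASES = (
    "new bank details",
    "updated bank details",
    "updated payment details",
    "new account number",
    "changed our bank",
)


def _domain(header_value):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_email(raw):
    """Return (code, detail) findings for one raw RFC 5322 message.

    nested_message      - an attached message/rfc822 part (email within an email)
    reply_to_mismatch   - Reply-To domain differs from the From domain
    payment_change_text - readable body contains payment-redirection wording
    """
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Walk every MIME part; an attached message is the "email within an email".
    for part in msg.walk():
        if part is not msg and part.get_content_type() == "message/rfc822":
            findings.append(("nested_message",
                             part.get_filename() or "(unnamed .eml attachment)"))

    # 2. Replies silently routed to a different domain than the visible sender.
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))

    # 3. Payment-redirection language in the body a reader would actually see.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in PAYMENT_CHANGE_PHRASES:
        if phrase in text:
            findings.append(("payment_change_text", phrase))
            break
    return findings


# Constructed samples, not real messages. Header lines must start at column 0.
NESTED_SAMPLE = """From: "A Colleague" <colleague@example.com>
To: you@example.org
Subject: The file you requested
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached message for the file you requested.
--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="Requested file.eml"

From: "A Colleague" <colleague@example.com>
Subject: Requested file
Content-Type: text/plain; charset="utf-8"

Download here: http://example.invalid/file
--b1--
"""

REDIRECT_SAMPLE = """From: "Accounts" <accounts@acme-conveyancing.example>
Reply-To: accounts@acme-conveyancing-secure.example
To: buyer@example.org
Subject: Completion funds
Content-Type: text/plain; charset="utf-8"

Please note our updated bank details for the completion payment and
transfer the balance today.
"""

CLEAN_SAMPLE = """From: "A Colleague" <colleague@example.com>
To: you@example.org
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Are you free at 1pm?
"""

if __name__ == "__main__":
    for name, sample in (("nested", NESTED_SAMPLE), ("redirect", REDIRECT_SAMPLE),
                         ("clean", CLEAN_SAMPLE)):
        print(name, triage_email(sample))
```

None of these findings proves fraud on its own; a forwarded message or a genuine change of bank account will trip them too. The point, as the transcript makes, is to pause and confirm out of band (a phone call to a number you already hold, not one in the email) before opening the attachment or moving the money.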
Getting an Organisation to pay directly into a controlled account is one way of monetising the account credentials of a targeted Small Organisation. A second way is to go for cash substitutes, and there are several types of cash substitute available to criminals.
If an attacker takes over any type of shopping account, for example, they will look to access and use the connected payment cards to order gift cards or similar payment cards which act as cash substitutes. Amazon vouchers and shopping vouchers are examples.
Those are some cash-substitute examples. Any online account anyone has, attackers can use in some way, shape or form. They will want to use it for emailing, buying and paying for things that they don't want attributed to themselves, since those services will be used for criminal activity.
Myth: Attackers can't be sharing my data
Another way to monetise data is for criminals to collate the various bits of user data to be able to carry out identity fraud.
This could be where someone else takes out a mortgage or bank loan in the organisation's name. Another way to monetise website logins is to add subdomains to the company website without the company being aware, and then use them for further attacks like phishing and website redirects, because they borrow the reputation that's been built up by the legitimate organisation's website. Knowing that the legitimate domain is not blocked by security software, they rely on the new subdomain inheriting that trust. There are many other ways criminals can monetise data, such as using the company's card details to pay for hosting and processing services they don't want to pay for themselves.
Other examples include PayPal scams where they pretend to send an Organisation some money, which they then ask the user to send back. Once the user does that, they cancel the first payment or raise a chargeback.
The list is endless; once they have their foothold, their creativity is never ending. Many of these slightly more advanced attacks rely on connecting more than one piece of data about individuals or Organisations.
Myth: My information is secure, I can't be blackmailed
Another example of data or information monetisation is where they're looking for information that could be used to catch people out and embarrass them, perhaps doing something they shouldn't be doing or feel guilty about. This could include buying things they shouldn't be buying, or saying things they shouldn't be saying. Here the monetisation is simple: it's blackmail.
If they also have email attachments, photos and other media files, that makes it easier. The data also provides an understanding of who is connected to whom and how that can be used as leverage. The bottom line is that there are many more ways to monetise accounts and data than most people think.
Myth: Ransomware only works on unpatched devices
Let's not forget ransomware, which can always just encrypt data directly and demand a ransom. This will mess up a lot of Small Organisations, because if an organisation can't function day to day and access its data, its activities come to a halt.
Without adequate backups and security protection, a ransomware attack can devastate the entire organisation. Any ransomware that is not picked up by the anti-malware software can be installed on all devices if the user is logged in as an administrator. That is the point of this myth: ransomware does not need an unpatched device, only a user who runs it, and the more privileges that user has, the more it can reach.
Conclusion to myths believed by Small Organisations about attackers and hackers
As with many myths, there is always some element of believability to them, but these attacker myths are based on misconceptions. Small Organisations may often not have the same level of expertise or security as larger organisations, so are possibly at more risk of attack than larger ones.
However, most attacks are random, based on a list purchased from other criminals who specialise in that activity. From the attackers' point of view it is a numbers game: a certain number of people will always respond in the expected way.