Myths about Attackers of Small Organisations
Small organisations often mistakenly assume that hackers won’t be interested in a small organisation, because they don’t have the revenues that larger organisations do. They often ask, “Why do I need this costly, time-consuming protection? What’s a hacker or cyber-criminal going to do to my small organisation? What do I have of value that they would spend time attacking my business instead of a larger enterprise?”
This idea is a myth. In fact, small organisations can often be more vulnerable to cyber-security attacks than larger ones. It’s important to understand the misconceptions that can mistakenly lead to hacking attacks.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
- Introduction
- Read this article to learn:
- Myth 1: Attackers are hackers
- Myth 2: There can't be much money in it
- Myth 3: Everyone participating in underground economies is a criminal
- Myth 4: Small Organisations have nothing of value
- Myth 5: Your Business Won't be Targeted
- Myth 6: Why would attackers want to harm my business?
- Myth 7: Attackers must be highly skilled
- Myth 8: The costs are too high compared to benefits
- Myth 9: Hackers work alone and develop their own simple tools
- Myth 10: Attackers work for themselves
- Myth 11: Email accounts are harmless and can't be monetised
- Myth 12: Email data cannot be monetised
- Myth 13: Attackers can't make money from my email address
- Myth 14: Accounts can be blocked before attackers monetise them
- Myth 15: Attackers can't be sharing my data
- Myth 16: My information is secure, I can't be blackmailed
- Myth 17: Ransomware only works on unpatched devices
- Conclusion to myths believed by Small Organisations about attackers and hackers
Introduction
In this episode, we're looking at hackers, the myths around them and their motivations in attacking small organisations.
When we talk to small organisations, many ask: Why do I need all this costly or time-consuming protection? What's a hacker or cyber-criminal going to do with my small organisation? What have I got of value that they should spend time attacking us, instead of a larger organisation?
"One of the longest running forms of fraud is the technical support fraud."
Read this article to learn:
- Why small businesses are vulnerable to hackers
- Who are cyber-attackers and what tools do they use?
- The truth behind widely held ‘myths’ about hackers
- How do hackers and cyber-criminals make money?
Myth 1: Attackers are hackers
A cyber-attacker isn’t necessarily a hacker who ‘breaks into’ your systems. One of the longest running forms of fraud is the technical support fraud , where the only thing an attacker needs is a telephone line.
The attacker calls up a small business and claims to be from Microsoft, the company’s Internet Service Provider or someone else from a widely used service. After introducing the service, they supposedly represent, the attacker says they have identified unusual or malicious activity. This is the hook to get the person from the business to carry out a simple ‘test’ which will invariably show that there is indeed a problem with the user’s computer.
In another type of call, the scammer asks the business to search for the word ‘virus’ in a command prompt, and the result looks very bad. Over a decade ago, there was a common scam call where the business owner was asked to look for a particular file which used the skull and crossbones icon – unsurprisingly this made it very easy for the caller to convince the business that something was wrong, when it wasn’t.
These calls are all designed to persuade users to install a program to apparently ‘fix’ the problem. Of course, the fix is fake, and must also be paid for immediately using a credit card.
In these cases, there is no need for hacking or any computer technology. In today's world the scammer might ask the user to give them remote access to a machine to “fix” the problem and will install malware directly or ask the user to download and install a file that uses malware to control the device remotely.
Myth 2: There can't be much money in it
The underground economy refers to a hidden economy for the buying and selling of illegal products, services and tools. It is growingly quickly, with activity increasing year on year.
The underground marketplace has thousands of specialist products – some real, some fake – and everything is fair game. It’s possible to buy almost any type of tool with guaranteed success. Buyers can find tools that simulate attacks, hire someone to launch a cyber-attack on someone they don’t like, or to find people who will do anything from hacking a banking app to launching an attack on a competitor’s website.
Many products on the underground economy are non-existent or fake. Buyers are asked to pay for these products using bitcoin, and the seller can’t be traced once the buyer realises that they have been duped.
Innocent people can be caught up in the underground economy, and even find themselves committing cybercrime. Increasingly in today’s economy, people want to make money in non-traditional ways, and might respond to media ads offering part-time work from home. Too often, people are offered work as an “account manager” – managing bank accounts and moving money between them. This is commonly seen where criminals enlist innocent people to clean money for them. There are many related job opportunities that involve innocent people becoming money mules for cybercriminals.
In the current economic climate, we are seeing more people become desperate for money , meaning more people are getting involved in cybercrime, through innocently applying for part-time work, or getting involved in scams from foreign countries.
Cybercriminals in the underground economy can find value in every action or piece of information collected, no matter how small. For example, an email address isn’t worth very much, but one million verified email addresses will be worth more than 50m unverified addresses. These verified addresses will be used by thousands of attackers to send out spam and phishing messages, and each time the list is used, there will be a payment involved.
This same principle applies to everything from passwords to lists of victims who have fallen for scams and compromised devices. There is money in numbers.
Myth 3: Everyone participating in underground economies is a criminal
Money mules are a massive problem because people are tricked into thinking that they've got a legitimate job. The job listing promised that they would be an independent financial consultant, but all they’re really doing is money laundering for criminals.
Job listings often state that the applicant will receive 10% commission on all deals, and this fee is worthwhile to criminals because they need a way to convert ill-gotten gains into money they can use in the real world. When criminals use currencies like Bitcoin or money mules where one mule passes funds to another mule and so on, the money becomes harder to trace, which is what the criminals want to achieve.
Whether it's fake products or real products, there is a whole service industry now on the underground, criminals are selling to other criminals because they realised that rather than fight each other, it's easier to each take a niche role in the whole supply chain. And then because criminals aren’t having to fight, they can constantly improve everything so that the level of skill that's needed to participate in this kind of trade has become much lower.
Whether it's fake or real products, there's a whole service industry now on the underground. Criminals are selling to other criminals. Rather than fight each other, it's easier to each take a niche role in the whole supply chain
This idea is perfectly demonstrated by the fact that anyone can sign up for ransomware-as-a-service, and pay nothing now, on the basis that the service provider will get their cut. All a user has to provide is an email address list. Since that’s all would be criminals need to get going, there is no need for any real technical skill.
Furthermore, there's always a chance that criminals will steal from other criminals. The term “there's no honour among thieves” is common and there's always that risk. But generally, there seems to be a common understanding that they're better off collaborating with each other than competing. Especially since there are billions of potential customers – meaning there's enough to go around, they don't need to compete.
Myth 4: Small Organisations have nothing of value
It's a complete myth that small businesses have got nothing of value; they've got everything criminals want. They have bank accounts, assets, computers, service accounts, and customers with email addresses.
So, whether it's fraud, extortion, theft, or repurposing assets for their own criminal use, small businesses are a perfect target for criminals. Not only do they tend to be less robustly protected than larger businesses, many of them will also have larger businesses as clients.
This means a small business could be a gateway for an attacker to target larger businesses, using things like invoice fraud, or simply emptying their bank accounts. Because of this, small businesses are a more attractive target for many cyber-criminals, and there are more than one million small businesses operating in the UK.
Myth 5: Your Business Won't be Targeted
For most cyber-criminals, life is a numbers game. So, if they send out X number of messages, they can expect Y percentage of those messages will be successful.
It is the same approach that any sales and marketing team of any business takes on a daily basis. They know that as long as they achieve the numbers in the right way, they will be able to get the revenues they want, and the numbers will work in their favour. It's as simple as that.
In most cases criminals don’t target a specific small business. Perhaps the business responded to a particular message for a free eBook and downloaded it from a website that was compromised, and the email address entered was added to a list that went on to be sold thousands of times and received thousands of spam or phishing messages over the next few years. Alternatively, it could be that an automated tool ‘pinged’ the business network or website IP address and the router responded in a way it shouldn’t have done, and now cyber-criminals know that the router or server is an easy target.
This type of attack is a numbers game, and rarely anything personal. Every time a small business’ devices or assets (email, web server, router, etc) responds in a particular way that business can end up on additional lists, which are sold many times over. Incidentally, this is why the worst thing businesses can do is to pay a criminal or hacker – once a business owner is identified as a “payer” that information will be shared, and the business will be targeted even more often.
Myth 6: Why would attackers want to harm my business?
If we understand that the small business has many points of value, it’s easier to understand why hackers would want to attack a small business.
Criminals and cyber attackers are simply looking to get money from a business. If this means causing the business some pain by infecting their network with malware or anything else, that’s what they will do. The goal isn’t to cause harm but, rather, to convert any assets they can access into cash.
Myth 7: Attackers must be highly skilled
It’s natural to think that attackers must be very skilled to attack a company’s IT systems, especially since there's a global skills shortage in cyber security.
We have already established that attackers don’t need to be hackers, and some attacks don’t require any hacking skills whatsoever to infect someone's machine. It's a case of being able to talk to people and convince them. It's the same way a burglar doesn't need to come and pick locks in a house when they can just turn up posing as a gas engineer and say they're investigating a report of the smell of gas, ask if they can check the meter, and gain access to the property.
It's all about how the attacker presents themselves and then the little bit of information that a person gives them can start with a phone call followed by a message, either by text, email, or social media based on that call, and it builds up. So, it's very easy to be attacked and fall victim to these people because it's not just technology, there's the whole psychological side to it that makes it work.
The sad fact is that the expertise needed nowadays is not that great. The tools available to hackers (which we'll cover shortly) are developed so users do not have to be experts in hacking or attacking to be able to utilise them to attack a target. Although there are some expert hackers around, most attackers use tools that do most of the work for them, with tools being developed as a suite with everything a user needs for that type of attack – meaning they don't have to be an expert, they just have to pay for the tools.
Myth 8: The costs are too high compared to benefits
Another aspect of attacks that small business owners tend to forget is that there are many countries with economies where people have very few options of employment and income generation. In some of those countries, there are very few options left open to city workers than to work for criminals using these tools to attack people abroad.
"It's amazing how some of the available tools have developed ... sales services for them have developed like commercial organisation tools."
These criminals are going to where the money is, and the money is in the wealthier countries - not those with high poverty levels. So, even though small businesses may not get attacked by criminals within their own country, there's a great chance that they could get attacked by criminals from foreign countries where the standards of living are lower.
In many cases, these attackers are targeting businesses which are not in their home country, because the wealth is seen to be in foreign countries. In addition, attackers know that if they get caught attacking people within their own countries, there will be greater stigma and penalty than if they attack businesses and people overseas. In some cases, local law enforcement may be easier to bribe or intimidate, when criminals make infinitely more money. Some research has shown that these criminals don't feel that they are doing anything wrong by taking money from people in countries that have more money than they do.
Myth 9: Hackers work alone and develop their own simple tools
It's amazing how some of the available tools have developed, in some cases even offering after-sales services just as might be seen with commercial business tools. Yes, they are criminals and may not be able to trust each other, however, some of the criminal's tools provide guarantees that they will be able to evade certain anti-malware products or certain firewalls, certain routers. They come with guarantees that users will be able to achieve certain results.
It's interesting that there has been a growth in easy-to-use tools that have taken away the expertise that was once required. Using many attack tools is now as easy as selecting options from a menu and then ‘drag and drop’ to install those tools. All the criminal needs to do is invest some time or buy a resource from one service, then take it to another service and share the proceeds.
This means that it has been getting easier and easier for non-technical people to get involved in these sorts of criminal activities. This includes activities such as phishing, spreading malware, or running a botnet, because there are so many different roles that desperate people can get involved with. The growth in recent years has been surprising and shocking.
"...whether it's phishing, spreading malware, running a botnet ... there are so many different types of roles that desperate people can get involved with."
Myth 10: Attackers work for themselves
Criminals have found ways to monetise every part of their supply chain, from people harvesting emails, to the ones sending out the spam infecting machines, others making the calls and using the remote access trojans, others snooping around and stealing, and others infecting with ransomware and making the demands.
It's really sad that a business can be infected with ransomware and be given a number to ring a help desk that will guide them on how to pay to get their unlock codes. These scams are very well organised. Sometimes it feels like it's much easier to talk to criminals on their help desk than it is to call legitimate service providers, which is a crying shame.
Myth 11: Email accounts are harmless and can't be monetised
There’s almost nothing that a small business has got that could not be attacked, in some way, shape, or form. As long as it's electronic data, there's absolutely nothing criminals can’t use - as mentioned earlier, the fact that businesses have their user accounts, bank accounts, email accounts, all the different social media accounts, and service accounts makes it easier. In today's world, we have online accounts for absolutely everything, and all of these can be used in the same way that if an email account is hacked, it can be used to spread messages to other people.
I had an email recently from someone I know. In that email was an email attachment and the attachment itself was an email message. The main email message told me to open the attachment for the file I requested. I hadn't requested any file and the fact that there was an email within an email made me suspicious. So, I replied and asked, is this from the person it is supposedly from? And what is the attachment? I do not open email attachments like this. Was it you, or have you been hacked? The response quickly came back, saying, I've been hacked. That person is a security professional, and this story illustrates how easily this can happen. We all need to be suspicious and cautious to be able pick out things that are not right. But it seems it is easier for attackers to use a compromised account.
I've had LinkedIn messages from respected people in the House of Lords where a message from their account provides a link for me to explore a project. That too was from someone who had managed to gain access to a legitimate account. The attackers want to use the credibility and goodwill of someone respected, be it service provider, a Lord, a cybersecurity training company to spread malware to other people.
Myth 12: Email data cannot be monetised
We once received a phone call from someone saying that my boss was apparently trapped with no money in a foreign country, and desperately needed money to be transferred to him. The person on the phone asked us if he was okay. We said, “Yes, he’s sitting in the corner!”
It turned out this person’s email had been hacked, and the criminals were trying to monetise it by sending messages to everyone on his address list, saying he's in trouble, send money now, knowing that a certain percentage of people will likely try and help out.
If it's a plausible story, once someone has access to a user’s business email account, they can go through the history and they can see who it has been invoicing, how much, who the suppliers are, what the company buys, how much they pay, etc.
I know of incidents where people have turned up and taken delivery of new computers that the company never ordered. There was someone waiting at the right time in the loading bays because they knew from the tracking codes when these were due to arrive. So, attackers were able to fraudulently get hold of computers where they happily collected them while the innocent company picked up the bill.
There are so many ways that criminals can make money once they’ve gained access to some information, whether it's accessing the email account or put a remote access trojan on the user’s machine and sniffing around. There’s no end to the possible activity and what they can get up to.
Myth 13: Attackers can't make money from my email address
The next myth is about email data. The buying and selling of data may be contents of hacked devices, email address lists, vulnerable websites with exploits, or lists of people who have been known to pay out, etc. All data depending on the volume, content, whose it is, what other data it can be connected to can be sold several times over. Additional value to the data can be created by understanding or predefining the use of the data. For example, any list of bank account details would be worth less than if the list of extremely wealthy business leaders.
The key thing is that this way of monetising data works best by being able to sell it many times over. This is the reason why when someone's email details are compromised it may never just be one issue that they end up having to deal with, or only one spam or phishing email they receive; it will be many, over a long period of time, as each new purchaser of that information makes use of it. That is what makes the monetisation of data of great value.
Myth 14: Accounts can be blocked before attackers monetise them
Let's have a look at some of the ways that these information assets can be used. The most obvious thing that attackers are after is cash, and the main way they would expect to get it is for people to pay it into an account that is controlled by them or someone they know.
To get cash into that account some attackers will attack professional businesses which expect to deal in transfers, like lawyers who do conveyancing (the buying and selling property for clients.) There, the attackers may intercept messages or send updated payment details of where the money is to be paid into. There have been lots of instances of the last few years where solicitors have been caught out by these sorts of attacks where attackers managed to hack into emails and knew what was going on and were able to redirect the payments to their own accounts.
Getting a business to pay directly into a managed account is one way of monetising account credential of a targeted small business. A second way to monetise is to go for cash substitutes, and there are several types of cash substitutes for criminals.
If an attacker takes over any type of shopping account, for example, they will be try to access and use the connected payment cards to order gift cards or similar types of payment cards which may be cash substitutes. Amazon vouchers, shopping vouchers are all such examples.
Any type of account, whatever online account anyone has, it's possible for attackers to use in some way, shape or form. Attackers will want to use them either for emailing, buying, and paying for things that they themselves don't want attributed to them as the services will be used for possible criminal activities.
Myth 15: Attackers can't be sharing my data
Another way to monetise data is for criminals to collate various bits of user data to carry out identity fraud.
This could be where someone takes out a mortgage or bank loan in the business’ name. Another way to monetise website logins is to add sub domains to the company website without the business being aware of this. Criminals can then use those pages for more attacks like phishing and website redirects, because they're using the reputation that’s been built up on the legitimate business website. Since they know that the new page is not blocked by security software, they're relying on the legitimate sub-domain. There are many ways that criminals can monetise data by paying for things they don't want to pay for using company business card details for hosting and processing services.
Other examples include PayPal scams where the attacker pretends to send a business some money, which they request the user sends back to them. And as the user does that, the attacker can actually cancel the first one and use a charge back.
The list is endless, once they gain a foothold, the attackers’ creativity is never ending. Many of these slightly more advanced attacks rely on connecting more than one piece of data about individuals or businesses.
Myth 16: My information is secure, I can't be blackmailed
Another example of data or information monetisation is where an attacker is looking for information that could be used to catch people out doing something embarrassing, perhaps doing something that they shouldn't be doing or feel guilty about. Maybe, buying things that they shouldn't be buying, or saying things that they shouldn't be saying. Here the monetisation is simple; it's blackmail.
If the attacker can access email attachments, or photos and other media files, that makes it easier. The data also provides an understanding of who is connected to whom and how can that be used and leverage. The bottom line is that there are many more ways to monetise accounts and data than most people think.
Myth 17: Ransomware only works on unpatched devices
"A ransomware attack can devastate the whole organisation."
Let's not forget ransomware, which can always just encrypt data directly and ask for the ransom. This will mess up a lot of small businesses, because if a business can't function day to day and access its data, its business activities will come to a halt. Without adequate backups and security protection a ransomware attack can devastate the entire business. Any ransomware, if it is not picked up by the anti-malware software can be installed on all devices if the user is logged in as an administrator.
Conclusion to myths believed by Small Organisations about attackers and hackers
As with many myths, there is always some element of believability, but all of these attacker myths are based on misconceptions. Small business may often not have the same level of expertise or security as larger businesses, so are possibly at more risk to attack than larger ones.
However, most attacks are usually random and based on a list purchased from other criminals who specialise in that activity. From the attacker’s point of view, they are often playing a numbers game, a certain number of people will always respond in the expected way.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Images from https://www.pixabay.com.