The following article is a paper written by Alex Elam, an aspiring Cyber Security Analyst with a degree in Biochemistry (Biotech/Biohacking Specialist).
According to Spanning Cloud Apps (2022), 30,000 websites are hacked every day and over 60% of organizations in the world have experienced some form of cyber-attack. Spanning Cloud Apps also claims that the average attack has cost businesses around $4.24 million. These exploitations are known as cybercrime. Cybercrime is defined as any illegal activity that uses a computer during its commission. Five of the most common types of cybercrime are phishing, cyber extortion, data breach, identity theft, and cryptocurrency theft (Kaspersky, n.d.).

Nearly everyone with an email address has been the target of phishing by now. Phishing is when an attacker poses as a legitimate entity and sends emails to targets which contain links to malicious websites. Other forms of phishing occur via SMS text messaging (smishing) and phone calls (vishing). There are special types of phishing called spear phishing and whaling. Spear phishing targets a specific individual and usually requires some special research for the attacker to seem more legitimate. Dumpster diving is one way an attacker can gain information on a specific target: if an attacker goes through a target’s trash and finds out who that target is used to communicating with, the attacker will have a much greater chance of convincing the target that the attacker is a legitimate entity. Whaling is spear phishing aimed at someone who has access to data or financial accounts of great value, such as CEOs or politicians.

Facebook and Google fell victim to a phishing attack which cost the companies $100 million over a period of two years. The scheme began when the attacker created a fake company posing as Quanta Computer, a legitimate company based in Taiwan with which Facebook and Google regularly do business. After establishing the fake company, the attacker sent Facebook and Google a series of fake invoices between 2013 and 2015.
Since the fakes were so convincing, the accounting departments of these two companies paid the sums without giving it a second thought. With invoice scams like this, an attacker usually has access to the target’s network for weeks or months before the invoice attack is carried out. This allows the attacker to learn what normal transactions and finances look like from the view of the target company. Attackers typically use malware to gain this insight, and the malware is usually delivered through phishing. The Facebook/Google case could be classified as spear phishing since the attacker specifically targeted the finance teams.
Ultimately Facebook and Google recovered most of the money they lost, and the person in charge of the scheme, Evaldas Rimasauskas, was arrested and sentenced to 30 years in prison (IBM, n.d.). According to IBM, there are several ways to prevent phishing catastrophes like this. Suggestions include early detection, thorough review of invoices and payment-related communications, creating strict payment processes, implementing two-factor authentication, e-mail system automation, employee education and training, spam filtering, keeping systems patched, employing antivirus software, and encrypting sensitive data.

Cyber extortion usually occurs via malware called ransomware but can also take the form of using stolen data to blackmail a target. The goal of extortion is usually for the attacker to get the target to pay for the data to be returned, or to pay so that the attacker does not release the personally sensitive data to the public. According to UC Berkeley (n.d.), ransomware mainly spreads to computers and networks through phishing emails with malicious links and through drive-by downloads. Drive-by downloads can occur without any prompt or notification, installing malware on the device of someone who has merely visited a malicious site. Ransomware often works by encrypting the target’s data and decrypting the data upon payment. Unfortunately, when a target pays up, there is no guarantee that the cybercriminal will release the decryption key or hold up their end of the deal in any way whatsoever. In 2017 there was a ransomware outbreak, called WannaCry, that affected over 200,000 computers and was described as a ransomware epidemic.
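The IBM suggestion of a thorough review of invoices and payment-related communications can be partly automated. The following is an added example, not code from the paper or from IBM: it parses a raw email, decides whether it is payment-related, and checks whether the sender domain is a verified vendor, a lookalike of one (for example a digit substituted for a letter, as in the Quanta Computer impersonation), or unknown. The vendor allowlist, the sample messages, and the similarity threshold are all constructed for the example.

```python
"""Added example (not from the paper): hold payment-related emails from
senders that are not, or only look like, a verified vendor domain.
Domains, messages, and the 0.85 threshold below are constructed."""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Tuple

# Constructed allowlist: domains accounts payable has confirmed out of band
# (by phone to a known number, not by replying to the email).
KNOWN_VENDOR_DOMAINS = {"quantacomputer.example", "officesupply.example"}

# Words that mark a message as a payment request worth extra scrutiny.
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "bank details", "remit")


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w)
    so that 'quantac0mputer.example' compares equal to the real domain."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Return (verdict, domain) where verdict is 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("unknown", domain)
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    norm = normalize_domain(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        # Exact match after folding confusable characters, or a near match
        # (extra hyphen, dropped letter) measured with difflib's ratio.
        if norm == normalize_domain(known):
            return ("lookalike", domain)
        if difflib.SequenceMatcher(None, norm, known).ratio() >= 0.85:
            return ("lookalike", domain)
    return ("unknown", domain)


def review_message(raw: str) -> Dict[str, object]:
    """Parse a raw (non-multipart) RFC 5322 message and decide whether it must
    be held for a human in accounts payable before any money moves."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_payload(decode=True) or b""
    text = subject + " " + body.decode("utf-8", "replace").lower()
    payment_related = any(k in text for k in PAYMENT_KEYWORDS)
    verdict, domain = classify_sender(msg.get("From", ""))
    return {
        "domain": domain,
        "sender": verdict,
        "payment_related": payment_related,
        # Only a verified vendor may skip review; lookalikes and unknowns are held.
        "hold_for_review": payment_related and verdict != "known",
    }


# Constructed sample messages (headers and bodies are made up).
SAMPLE_MESSAGES = {
    "legit": "From: AP <billing@quantacomputer.example>\nSubject: Invoice 4471\n\n"
             "Please remit payment for invoice 4471.\n",
    "lookalike": "From: AP <billing@quantac0mputer.example>\nSubject: Updated bank details\n\n"
                 "Wire to the new account.\n",
    "newsletter": "From: news@somewhere.example\nSubject: Weekly roundup\n\n"
                  "Here is what happened this week.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, review_message(raw))
```

A check like this does not replace the strict payment process IBM recommends; it only decides which messages get routed to a person, and a genuine vendor changing its bank details should still be confirmed by a call to a number already on file.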
WannaCry disrupted hospitals, banks, and communications companies around the globe. WannaCry is a type of malware called a worm. Whereas a virus requires human intervention to execute (such as clicking on a bad link in a phishing email), a computer worm replicates itself and spreads to other systems on its own once an initial system has been infected. WannaCry works by encrypting critical files on a user’s computer and displaying a message which demands payment for those files to be decrypted. Some of the biggest victims of the WannaCry ransomware worm were the UK’s National Health Service, US hospitals, Russian banks, railways, and telecom services, Indian police departments, Chinese universities, Japanese electronics maker Hitachi, Chinese police departments, and French automobile manufacturer Renault. The overall cost of the WannaCry ransomware attack was estimated to be $4 billion. Even though the ransom was a relatively low dollar amount, one can assume most of this cost estimate is due to the downtime and lost production these organizations and companies suffered. According to Gregory (2021), the main goal of the WannaCry ransomware was most likely to create panic and chaos. Gregory claims three North Korean software programmers (part of a North Korean hacker group called Lazarus) were indicted by a grand jury on February 17, 2021 for the creation and distribution of the WannaCry ransomware. Jeraj (2020) notes a man named Marcus Hutchins who single-handedly discovered a killswitch and effectively shut down the WannaCry ransomware attack. Hutchins found a web domain in the code of WannaCry, and when the domain was registered, WannaCry was effectively defeated. Hutchins was apparently steeped in the creation of malicious code, and when they discovered the killswitch, they even took measures to protect the mechanism to prevent the original attackers from removing the killswitch.
According to Azzara (2021), the WannaCry epidemic is a “study of preventable catastrophe” because Microsoft released a patch which would have prevented WannaCry infection months before the spread began. Had these systems been updated in a timely manner, everyone would have been spared the damage. Azzara recommends installing the latest software, performing backups, and subjecting employees to cybersecurity awareness training as a means of preventing attacks like these in the future.
Data breaches are another type of cybercrime which regularly make the news. Trend Micro (n.d.) defines a data breach as an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner. These data breaches are valuable to attackers because the data can contain sensitive information such as credit card numbers, social security numbers, trade secrets, and national security secrets. Trend Micro claims that personally identifiable information (any information that permits the identity of an individual to be directly or indirectly inferred) was the most stolen type of data between 2005 and 2015. Financial data was the second most stolen type of data. Trend Micro breaks down a data breach into three phases. In phase one, the attacker conducts research by looking for weaknesses in a chosen system or organization, such as employees or the network. In phase two, the attacker deploys a social engineering or network-based attack. Network attacks could consist of SQL injection, session hijacking, denial of service, or any other network infrastructure attack. Social engineering attacks consist of phishing emails or tailgating someone into the establishment. The attacker could also leave a malware-laden USB drive where an employee may find it. Once malware is installed on a device, the attacker has a foothold and data exfiltration, the third phase, can ensue.
Todd (2022) reports that a 2013 data breach affected all 3 billion Yahoo! user accounts. Yahoo! disclosed the data breach at a tough time because the company was in the process of being bought by Verizon.
The disclosure ultimately cost Yahoo! $350 million as a reduction in the offer by Verizon. According to McAndrew (2018), Karim Baratov was indicted and sentenced to 5 years in prison. It is alleged that Baratov was a Russian-sponsored hacker for hire. Yahoo! ended up paying $117.5 million because it had violated multiple sections of the Securities Act of 1933 and the Securities Exchange Act of 1934 by failing to disclose the breaches for years after it had known about the incident. The attackers allegedly used forged cookies in the Yahoo! data breach. Such cookies can allow an attacker to access users’ accounts without a password.
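A session cookie stands in for the password for the rest of the session, so a cookie that the server accepts without verifying is as good as the password. The following is an added example, not code from the paper or from Yahoo!, of the standard defence: the cookie carries the user and an expiry time plus an HMAC computed with a secret held only on the server, and the server rejects any cookie whose MAC does not verify or that has expired. The secret, user names, and timestamps are constructed for the example.

```python
"""Added example (not from the paper): a tamper-evident session cookie.
The cookie is base64(payload) + "." + base64(HMAC-SHA256(secret, payload)).
Without the server-side secret an attacker cannot produce a valid MAC, so an
edited or fabricated cookie is rejected. Secret and users are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-example-secret-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_cookie(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Create a cookie for `user` that expires `ttl_seconds` from `now`."""
    now = time.time() if now is None else now
    claims = {"user": user, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before trusting anything inside the payload; use a
    # constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("user")


def edit_cookie_payload(cookie: str, new_user: str) -> str:
    """Simulate a forged cookie: change the user in the payload but keep the
    original MAC, which is what someone without the secret can do."""
    payload_b64, mac_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = new_user
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + mac_b64


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the output is reproducible
    good = issue_cookie("alice", 3600, now=t0)
    print("valid cookie   ->", verify_cookie(good, now=t0 + 60))
    print("edited cookie  ->", verify_cookie(edit_cookie_payload(good, "admin"), now=t0 + 60))
    print("expired cookie ->", verify_cookie(good, now=t0 + 4000))
```

Signing only helps while the secret stays on the server: if the signing key itself is stolen, the attacker can mint cookies the server will accept, which is why key storage, key rotation, and short expiry times matter as much as the MAC check. Mark the cookie `Secure` and `HttpOnly` in the `Set-Cookie` header so it is not sent in clear text or readable by page scripts.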
COSE (2018) provides five ways that a data breach can be prevented. Number one is to begin all operations with security in mind. This means that if one’s institution handles sensitive information, the first conversation should be about how to make sure that information is handled securely. Number two is access control. Only those who need administrative privileges should have them. This means making sure everyone in the organization has their own unique account and that their privileges are configured appropriately. Number three is requiring secure passwords and authentication. Number four is to use encryption both to store data and to transmit it. Number five is to segment the network using firewalls, subnets, or VLANs. Segmentation helps monitor who is going where on the network and helps contain damage in case of an attack.
Terranova Security (n.d.) describes identity theft as using a target’s stolen identity to conduct fraudulent activities in their name. Common fraudulent acts conducted with stolen identities include applying for loans, applying for credit cards, signing leases, and transferring funds from the victims’ bank accounts. Identity theft occurs in several ways, such as social engineering, malware, eavesdropping on phone conversations, and dumpster diving. Terranova Security claims that in 2019, 1 out of every 15 people worldwide was a victim of identity theft and that 1 in 5 of those affected experienced identity theft multiple times.
From 2008 to 2011 an IRS employee was able to collect $1 million through a stolen identity tax refund scheme. The attacker was identified as Nakeisha Hall, who was sentenced to 9 years in prison. Hall was able to accomplish this fraud through unauthorized access to IRS computers (United States Attorney’s Office, 2016). With this unauthorized access, Hall obtained names, birth dates, and social security numbers which were used to create fake income tax returns. Hall set up the refunds to be placed on debit cards which would be shipped to an address where Hall could pick them up. The report does not say exactly how Hall obtained this access, but there are many ways a company can ensure the security of its individual workstations. Datto (2015) recommends not allowing monitors to face the public and using privacy screens to help prevent shoulder surfing. A clean desk policy requires employees to have their desks completely cleared of any sensitive information when leaving the workstation unattended. It is also a good idea to make sure employees lock their workstations when unattended, and to configure workstations to lock automatically after a few minutes of inactivity.
There are many ways that individuals can help prevent identity theft, such as keeping an eye on their mailbox, shredding mail, safeguarding social security numbers, using strong passwords and extra authentication steps, and being alert to phishing and spoofing. In the case of Hall, where an employee of a trusted entity such as the IRS is involved, it seems that none of the measures listed above could have prevented the incident, and that the IRS and other government institutions need to be extra strict about access controls.
Cryptocurrency theft is self-explanatory: it is when an attacker steals cryptocurrency. According to White (2022), the main ways that hackers steal cryptocurrency are theft of private keys, exploitation of wallet vulnerabilities, fraudulent investment funds and exchanges, and dark web market attacks. Wilson (2022) claims that crypto theft has totaled $14 billion, with $3.2 billion of that stolen in 2022.
The biggest crypto heist to date was the loss experienced by Ronin Network on March 29th, 2022. The loss totaled $620 million. According to Tsihitas (2022), the same group which helped produce the WannaCry ransomware was responsible for this theft. BBC (n.d.) provides an explanation from Ronin of how this kind of thing could have happened. Ronin was reported as saying that the hack occurred when the user base grew to an unsustainable size. This influx forced Ronin to relax security procedures, and hackers were able to take advantage. Ronin claims that two of its validator nodes, which are responsible for verifying, voting on, and maintaining a record of transactions, were compromised and the funds were drained in a mere two transactions. Customers of Ronin are still waiting for reimbursement.
A company called Sky Mavis managed to raise $150 million to help some of the customers of Ronin. Reiff (2021) claims there are options available to crypto investors which afford protection beyond that of the original platform. Reiff also claims that crypto can be transferred to hardware devices which are referred to as physical or cold wallets. These wallets look like USB drives and act as physical storage for tokens or coins. The downside to these physical wallets is that if they are lost, the coins cannot be recovered. There are also online wallets available which rely on private keys that are not recoverable. This means that the risk of losing the private key is the same as losing a physical wallet.

New types of cybercrime are becoming prevalent at an alarming rate. The only way to stay safe in the new age of data is constant vigilance, whether it is an individual trying to protect their investments and identities or organizations trying to protect their network infrastructures, data, and reputations.
Everyone should be aware of common security concepts such as using strong passwords, employing anti-malware software, and being aware of phishing strategies. Organizations in particular can utilize network firewalls, train employees in cybersecurity awareness, and implement stringent access controls to mitigate risk. It is impossible to keep systems 100% secure, but these practices and policies, combined with continued education and dedication by system administrators, can help prevent easily avoidable disasters and provide a little peace of mind in such a chaotic time.