The idea of a sophisticated cyber attack, with careful planning and targeting, has captured the imagination of many organisations now seeking to ward off these online threats.
However, the chances of being hit by a more “regular” attack that makes use of common hacks that are sold in the seamier corners of the Web may be higher, argues Chester
Wisniewski, principal research scientist of cyber security firm Sophos.
Instead of developing or buying an expensive and high-profile exploit that may be swiftly fixed with a patch, he said, many cyber criminals are turning to “hacking as a service”, which lets them customise malware to penetrate victims’ systems using social engineering.
In 2016, many cyber criminals used booby trapped videos or flaws in browsers to attack a victim. This year, they are looking to send an e-mail to a potential victim to hoodwink him into clicking on a link or attachment, thus unwittingly opening up his PC.
“In other words, they trick the victim to open up his own PC, instead of trying to find a flaw in it,” said Wisniewski. This means better returns on investment for criminals, he added, because social engineering is something hard to guard against.
For example, a human resource manager might be sent an e-mail with an actual resume attached, only that it also includes a macro that he might allow to run and open his PC to remote access.
“Why would a criminal pay for US$50,000 for an exploit and it only works for a week? Social engineering is more successful and it’s free,” said Wisniewski.
Another reason for the heightened threat is how well organised the cyber criminal enterprise is today, he noted.
On the Dark Web, a criminal could hire a writer to draft an e-mail that mimicks a legitimate one. A graphic artist can design a website replicating a bank’s, while a translator can help get the message across in the right language to target wealthy consumers around the world.
Finally, there might be a spammer who can deliver the malware-loaded e-mails to actual targets. Some service providers even guarantee that the e-mails will be opened or they will help send another bunch for you – for free, said Wisniewski, who frequently visits such sites for his research.
Another big development is how easy it is for criminals to get in the game. There are now “ransomware as a service” tools that they can buy and start targeting victims with, he added.
Showing Techgoondu one such tool at a recent interview, he demonstrated how a criminal can set the ransom (in Bitcoins), select the encryption method (only disrupt part of a file instead of entire hard drives to save time), encrypt certain file types and even set varying prices for victims from different regions.
Funnily enough, the ransomware tool has a warning to not run the compiled malware program on one’s own computer, so as to avoid being the first unwitting victim.
“Once they have the file, the criminal then gets the spammers to send it out to people and wait to get paid,” said Wisniewski.
Are things going to be more difficult for organisations, especially after the widespread impact of the WannaCry and Petya ransomware of late? Wisniewski believes the good guys have won some important battles.
For example, two major Dark Web marketplaces were taken down last month, disrupting the trade in malware and services, among other criminal enterprises. Arrests have also been made after high-profile attacks, including ones connected to the Mira botnet last year and Yahoo hack earlier.
And it is harder to attack software, said Wisniewski, because of the efforts in recent years by Microsoft, Apple and Google to plug many loopholes that are found.
“Attacking software is too hard so now criminals have turned to attacking people,” he added. “To defend ourselves, we need to know that security is everyone’s job.”
