How Cybercriminals Steal Money! - Downloadable Whitepaper (2024)


Hackers have moved beyond stealing corporate and government secrets and defacing web pages to something more lucrative: stealing actual cash and credit cards, committing fraud, extorting people, and even encrypting data files and holding them for ransom until the victim pays a fee to get them back.

Over the past three or four years the profile of cyberattackers has changed. Previously, people who wrote worms and viruses typically wanted to make names for themselves; they were seekers of notoriety. They would release worms and viruses that would cause lots of traffic and crash lots of servers until some patch was deployed, and the game would be over.

The big shift that has occurred over the past three years is a result of the significantly increasing volume of commerce that is now transacted on the Internet. As more businesses make more and more money from e-commerce, the cybercriminals want to get their share. The motivation now for the vast majority of cyberattacks is money. The attacker profile has shifted from amateurs to professionals who want to make money and, in many cases, those professionals are very organized. It is their full-time job to attack sites. The bad guys, in some cases, will hire other people as mules to transfer money from one place to another, so it’s an extensive, organized network. We’re not fighting against amateurs anymore.

Let’s explore some of what the cybercriminals are doing and what, if anything, you can do to protect against it.

Organized Crime Networks

An example of an organized crime network is the Russian Business Network. They’re responsible for botnets like Storm, which have compromised over one million machines. Storm is a peer-to-peer based botnet that can be used for denial of service, key logging and several other malicious actions. The Russian Business Network is also alleged to be responsible for a piece of software called Malware Alarm. Malware Alarm pops up a dialog box on your PC, with a message saying, "We think your computer is infected by malware. Please click here to disinfect." Of course, if you click to disinfect, it will infect your computer rather than disinfect it. The Russian Business Network is a very organized group. The cybercriminals rent out the machines on those botnets for X cents per day: the customer supplies a binary, and the operators put whatever binary they are given on those machines and farm them out.

Encrypted File Ransom Attacks

A new tactic used by thieves is to encrypt files on a victim’s computer and demand a ransom in order to unlock them. One tool to do that is the Cryptolocker malware. In November, the National Crime Agency in the UK warned that tens of millions of people were targeted by spam containing the Cryptolocker virus.

If you fall victim to Cryptolocker, a hacker could lock up forever that spreadsheet or document where you keep all your contacts, personal data, and root passwords. While this data might have little or no value to the hacker, for you it is vital. So you would certainly consider paying 1 bitcoin (454 Euros), as in the screen shown below, to get that back.

The Cryptolocker email contains a zip file. The zip file contains what appears to be a PDF file, with a PDF icon, whose actual file suffix is .exe. People will not see that this is an .exe file because showing file extensions is turned off in Windows by default. So the victim unzips the file, clicks on the PDF, and installs the virus. Now Cryptolocker can start encrypting files, plus it goes to the internet and downloads even more malware.

The victim cannot unlock the files himself or herself by looking for the encryption key in the Windows registry or file system. Cryptolocker is far more sophisticated than that. It contacts its command and control server to download encryption keys. It is also fault tolerant. There are not just a handful of command and control servers, something that could be blocked by coordinated law enforcement. Instead, the thieves have adopted the P2P approach to distributed computing, which is called Gameover Zeus, as explained below, making it difficult to shut down.
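A mail gateway or triage script can catch the disguised attachment described above before a user ever sees the icon. The following is an added example, not part of the original whitepaper; the extension lists, function names and sample file names are assumptions made for illustration.

```python
import io
import zipfile

# Assumed, non-exhaustive lists for this example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_member(name):
    """Return a reason string when an archive member looks disguised, else None."""
    basename = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip whitespace around each part: padding such as "a.pdf      .exe"
    # pushes the real suffix out of view in a narrow file listing.
    parts = [p.strip().lower() for p in basename.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double extension: shown as ." + parts[-2] + " when extensions are hidden"
    return "executable inside archive"


def scan_zip(data):
    """List (member name, reason) for every suspicious entry in a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed attachment: harmless placeholder bytes under realistic names."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Invoice_2231.pdf.exe", b"placeholder")
        archive.writestr("docs/terms.pdf", b"placeholder")
        archive.writestr("Statement.pdf        .scr", b"placeholder")
        archive.writestr("setup.exe", b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(member, "->", why)
```

On the endpoint side, turning on the display of file extensions in Windows removes the disguise this check looks for.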


Gameover Zeus

Krebs on Security reported in June 2014 that the US Justice Department worked with law enforcement agencies around the world to take control of the Gameover Zeus botnet. The Gameover Zeus botnet is a network of 500,000 to 1 million Windows computers that are infected with the Gameover virus, which is used to process payments and download encryption keys for Cryptolocker. Krebs says that Gameover has been used to steal more than $100 million from banks, businesses, and consumers. The accomplices in this crime are ordinary people who unwittingly allowed their computers to be hacked, thus becoming proxies for this crime.

An ordinary hacker can rent a botnet to launch, say, a denial of service attack. Gameover Zeus is orders of magnitude more complex. If its command and control servers get taken down, the system generates random domain names ending in .ru, .com, .info, and .biz and then consults top-level DNS servers to see which new domains have been registered, checks whether any of those match, and then fails over to one that does. In other words, if law enforcement shuts down the existing command and control servers, the thieves can register hundreds more to bring traffic back online. Gameover just looks for any new domain name that matches some pattern and connects to that.
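The fallback behaviour described above leaves a trace defenders can look for: an infected machine asks DNS for many random-looking names, and most of those lookups fail. The sketch below is an added example, not from the original whitepaper; the log format, thresholds and domain names are constructed for illustration and are not real Gameover Zeus indicators.

```python
import math
from collections import Counter, defaultdict

WATCHED_TLDS = {"ru", "com", "info", "biz"}  # the TLDs named in the text above
MIN_LABEL_LEN = 10       # assumption: generated labels tend to be long
MIN_ENTROPY = 3.0        # assumption: bits per character
MIN_DISTINCT_FAILS = 4   # assumption: failed random-looking names per client

# Constructed resolver log: "<client> <queried name> <response code>".
SAMPLE_LOG = """\
10.0.0.5 xkqzvbwtjhmplr.ru NXDOMAIN
10.0.0.5 pwnzqkrtvxbdfg.com NXDOMAIN
10.0.0.5 tzkvqxwbhjdfpl.info NXDOMAIN
10.0.0.5 mvxqzkwjbtrhgn.biz NXDOMAIN
10.0.0.5 xkqzvbwtjhmplr.ru NXDOMAIN
10.0.0.9 gooogle.com NXDOMAIN
10.0.0.9 internationalbusiness.com NOERROR
10.0.0.9 hjzqwvkxtbnmrc.biz NXDOMAIN
10.0.0.9 example.info NOERROR
"""


def shannon_entropy(text):
    """Entropy in bits per character of the given string."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def looks_generated(qname):
    """True when the registered label is long and high-entropy under a watched TLD."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in WATCHED_TLDS:
        return False
    label = labels[-2]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def suspect_clients(log_text):
    """Map each client to its failed random-looking names, if it has enough of them.

    Entropy alone also fires on some long legitimate names, so a lookup only
    counts when it failed, and a client is reported only past the threshold.
    """
    failures = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        client, qname, rcode = fields
        if rcode == "NXDOMAIN" and looks_generated(qname):
            failures[client].add(qname.lower())
    return {c: sorted(names) for c, names in failures.items()
            if len(names) >= MIN_DISTINCT_FAILS}


if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_LOG).items():
        print(client, "failed lookups:", names)
```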


Online Banking Heists

The internet has greatly reduced the need for bank robbers to maintain many people in their crew. The old way of robbing someone’s bank account was to replace an ATM’s card reader with a hacked one and install a camera to read the PIN as the banking customer typed it in, and then clone their debit card.

Someone who is a victim of account theft like that has varying levels of protection depending on where they live, whether they have insurance, what kind of account they have, and how much money was stolen. But consumer protection does not always extend to businesses, where a wire transfer can reach into the hundreds of thousands or millions of dollars. ComputerWorld reported that a judge ruled a bank in the USA could not be held responsible for $440,000 that was stolen from a business account. The bank was following recommended security practices. The customer lost their user id and password to hackers who used them to wire money to themselves. The court said the customer’s inability to protect their own password was not the bank’s fault.

Sometimes banks are the victims themselves. Last year hackers logged into systems of various banks in the Middle East and greatly increased the value of prepaid Mastercards issued there. Then thieves fanned out on foot to buy luxury cars and Rolex watches.

Keyboard Logging

The thieves who robbed the commercial customer we mentioned above could have stolen these credentials by installing malware that records keystrokes. Windows is not the only place where that happens. Security researchers have shown that Android (and iPhone) apps can use the accelerometer, gyroscope, and orientation sensors to determine what keys the user has typed on the keyboard.

People rarely pay any attention to the permissions requested by Android apps when they install them. Plus, apps ask for permissions they do not need. For example, why does Chrome need access to your camera and Microsoft SkyDrive need access to your contacts? What makes this situation worse is that there is no option to give permissions one at a time. Either you install the app with all the permissions requested or you cannot install the app. So people are trained to give all of that away without giving it much thought.

See SpamTitan anti-phishing and anti-malware solution in action today - book a free demo


Fraud

There are many kinds of smartphone attacks. For example, people can install malware that looks like something they already know, like Angry Birds, and that uses the same logo. Then the user blows through the permissions screen without reading it carefully, and gives away access to their phone logs, contacts, camera and microphone, sensors, and the ability to send text messages. Once installed, the app can send out text messages to expensive messaging services, running up the customer’s bill and filling the criminal’s coffers.

WhatsApp has become a platform for executing fraud. People have been tricked into forwarding messages to others. When someone clicks on that message, it directs them to a website which then records their IP address. With the IP address, the hacker can consult the phonebook and map to create a voice mail from that country code and area code, or an invoice from a company located in that area. Someone is more likely to trust something from someone who works or lives in the same area as opposed to, say, some distant location.

Once the victim opens the link, the site can drop an .apk (zipped-up Android app) file into the download folder. Depending on the operating system version and the security settings on the phone, if the user clicks on that file the phone either installs the app, warns the user about it, or does not install anything. Then the app can start stealing data and sending out copies of itself.

Wholesale Data Theft

It was widely reported last year that hackers got into the point-of-sale cash register systems at the American retailer Target. They stole 250 million credit cards. This type of data, like credit card numbers and identity information, is very attractive for cybercriminals. Within hours those stolen credit cards were being sold in online black markets for $100 each. Online black markets are an ever-expanding channel and a growing underground economy. Criminals can also burn those credit card numbers onto blank magnetic stripes of their own and hand those out to mules who then go to ATMs and try to do cash advances or use the cards at various points of sale. The American banking system is particularly vulnerable to that because it does not require PINs or use credit card authentication keys. Because of this weakness and data loss, the Americans are starting to change those payment systems.

This year there were more victims. Hackers stole an incredible 350 million user ids and passwords from eBay. eBay owns PayPal as well, but the passwords for each system are kept in separate databases. Thank goodness for that, as PayPal is where the money is located. But as you know, people often use the same password for more than one system. Try their eBay password at PayPal and it might just work.

Stolen passwords are not safe. They are not encrypted, as that would require that they be accompanied by a key (in other words a password); instead they are encoded. That means they can be unlocked by simply looking in a dictionary of hashed passwords to see which ones match. For this reason, people should not use words in English, Russian, or any other language as passwords. You’ve undoubtedly heard this before, but are you doing it? All network devices should be configured with strong passwords. Passwords should be at least 8 characters, use letters that are not words, be mixed case and include numbers and symbols.
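The dictionary lookup described above works because the same password always produces the same stored value. The following added example (not from the original whitepaper) shows that weakness next to a salted, deliberately slow scheme that defeats a precomputed table; the word list, user table, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

WORDLIST = ["password", "sunshine", "dragon", "letmein"]  # constructed sample
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_digest(password):
    """Storage as the text describes it: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed digest -> word table; built once, reusable against any dump."""
    return {unsalted_digest(w): w for w in words}


def exposed_accounts(stored, lookup):
    """Accounts whose stored digest appears in the precomputed table."""
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


def protect(password, salt=None):
    """Hardened storage: random per-user salt plus a deliberately slow hash."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(protect(password, salt)[1], key)


# Constructed user table; two users picked the same dictionary word.
SAMPLE_USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "vR7#qLt2!xWm"}

if __name__ == "__main__":
    weak = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    print("exposed:", exposed_accounts(weak, build_lookup(WORDLIST)))
    salt_a, key_a = protect(SAMPLE_USERS["alice"])
    salt_b, key_b = protect(SAMPLE_USERS["bob"])
    print("same password, same stored value?", key_a == key_b)
    print("login check:", verify("sunshine", salt_a, key_a))
```

With per-user salts, a table computed in advance no longer matches anything, and the slow hash makes each individual guess expensive; a dictionary word is still a poor password.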


Security Weaknesses in Windows

The problems with the 8080 architecture and Windows are almost too numerous to list. Here are just a few and what, if anything, has been done to address them.

One process should not be able to read the memory of another process. That is an Intel issue.

  • Microsoft now requires that .dlls be signed in order to run in the OS. That is an improvement as hackers now have to write their viruses to run inside other running processes, since they execute .dlls themselves. Of course, installing an .exe is another issue, as the user who does that has given express permission to the operating system.
  • The buffer overflow problem is associated with the ability to read another program’s memory. Java and Android do not have this problem as programs there run inside Java virtual machines. (The modified version of Java that powers Android is called Dalvik.) Those cannot read memory outside the virtual machine. A C++ program running on Windows can read memory outside the area it has declared as its own. Hackers use this to insert assembly language instructions in programs to make them load other objects in memory. That is how they gain command-line access to Windows. Microsoft has randomized where items are stored in memory to make that more difficult.
  • Windows gives almost anyone access to low-level operations and system files. So a person can modify routing tables, overwrite system files, and do what otherwise would be limited in Mac OS or other operating systems.

With the level of threats growing, what can you do? The short answer is: it’s complicated. The best security is to assume that your computers are already infected.


Two Factor Authentication

The number one way to stop hackers is to require two-factor authentication everywhere. That is such a simple idea that it stymies the mind to understand why people do not use their cell phone or other device to authenticate their email or PC. If a hacker plants malware on your computer to read your keystrokes, they cannot use those stolen credentials to log in without the Google Authenticator, RSA token, Cryptocard, or biometric device used to enter the token needed to log in.

Getting people to use two-factor authentication is a matter of education on the importance of doing so. The technology is available; most banks, brokerages, and social media sites offer it. These solutions don’t solve the problem of phishing, spoofing or online impersonation, but they all make it a lot more difficult for criminals to succeed and will protect your online accounts.


Internet and Computer Usage Policy

The biggest wild card in computer security is the end user. A good corporate usage policy is an obvious starting point; however, many companies don’t bother or don’t realise its importance. A usage policy is now a serious requirement for businesses. Importantly, not all internet policies should be the same: each should be tailored to the organisation’s particular requirements so that clear, realistic and company-appropriate guidelines are in place. As well as the issue of time wasting on the internet, the risk of employees accessing infected sites and spreading malware, viruses and botnet infections across the network is widespread. Cybercriminals wanting access to company networks and data are not interested in the size of the company, so companies of all sizes are at risk; however, being prepared is the best defence to tackle these problems.

Training and Education

Probably the best way to prevent attacks is through education. As we said earlier, botnets are computers operated by ordinary people set loose on your computers and others. People already know you should not play with matches; they should also be taught to pay attention to what they click.

Don’t be a Vector

If you are running a website or application, then deploy tools to prevent cross-site scripting and SQL injection. Those are attacks where people enter actual mini computer programs into data fields, causing the computer to process them as instructions to unmask cookies from other user sessions, copy files, or otherwise do damage.
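The two attacks named above share one cause: input from a data field is spliced into something the computer later interprets. This added example (not from the original whitepaper) puts the vulnerable form beside the corrected one for both cases, using an in-memory SQLite table; the table, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table with one private note per user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)",
                   [("alice", "alice's private note"),
                    ("bob", "bob's private note")])
    return db


def notes_vulnerable(db, owner):
    """WEAK: the field value is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]


def notes_safe(db, owner):
    """FIXED: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]


def render_vulnerable(body):
    """WEAK: stored text is placed in the page as markup."""
    return "<p>" + body + "</p>"


def render_safe(body):
    """FIXED: special characters are escaped so the browser shows them as text."""
    return "<p>" + html.escape(body) + "</p>"


if __name__ == "__main__":
    db = make_db()
    field_value = "nobody' OR '1'='1"  # constructed input for the owner field
    print("vulnerable query returns:", notes_vulnerable(db, field_value))
    print("parameterized query returns:", notes_safe(db, field_value))
    comment = "<script>alert(1)</script>"  # constructed comment text
    print(render_vulnerable(comment))
    print(render_safe(comment))
```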

Security Solutions

Spam is a big headache for organisations, causing problems such as data loss, network slowdown, lost employee time and delivery of offensive, fraudulent and dangerous content to users. Spammers are constantly deploying new techniques to get around spam and security filters. Selecting a business spam filter can alleviate spam as a problem for businesses. There is a wide range of business spam filtering solutions available. Choosing the right solution for your organisation will depend on many factors, including the number of e-mail accounts you want to support, your network topology, how much you are willing to spend, how you would like to deploy the solution, and how easily you can migrate to an alternative solution. Once you’ve established your key requirements, it’s then time to research and look at the options available.

It’s important to keep your anti-spam, anti-virus and other network security solutions up to date. Most solutions will prompt you to do this, and many will update automatically; it’s important that you manually check for these updates regularly. Oftentimes the updates will be related to new features you don’t care about, but updates will often deliver critical patches behind the scenes also.


Conclusion

After outlining the risks and how to mitigate some of those, it’s important to note that the situation is only going to get worse as refrigerators, thermostats, televisions, and even automobiles are all now connected or will be connected to the internet. Expect that cybercrime will increase and educate yourself about that. Even the most secure computers in the world, the US Military and those at the NSA, were defeated by simple thumb drives. So your organization and you are certainly going to be a target at some point. The important thing to do is plan for that.




FAQs

How do cybercriminals get money? ›

Sale of Exploits and Hacking Tools

Description: Cybercriminals develop and sell hacking tools and exploits that can be used to breach systems. This marketplace enables even less technically skilled individuals to launch sophisticated cyber attacks.

What cyber criminals can steal? ›

Types of data stolen by cybercriminals
  • Personally identifiable information (PII)
  • Financial data.
  • Healthcare and insurance information.
  • Usernames and Passwords.
  • Work logins and information.
  • Sensitive photos and videos.
  • Debit and credit card numbers.
  • Social media profiles.
May 2, 2024

How can cyber criminals steal money from a bank account? ›

In fact, bank phishing scams have become one of the most common types of criminal activities on the internet. In addition to stealing login credentials for bank accounts, cybercriminals also steal credit and debit card information for their own financial gain.

What do hackers want? ›

Here are some common motivations: 1. Financial Gain: Many hackers engage in cybercrime to make money. They may steal financial information such as credit card numbers or login credentials to sell on the dark web, engage in ransomware attacks, or conduct fraudulent activities like identity theft.

What method do cybercriminals use the most? ›

This makes phishing by far the most used cyber attack method in use by cyber criminals around the world. Phishing is where criminals try to trick people into performing an action, such as clicking a link that will download malware, or directing them to a malicious website.

Who do cybercriminals target the most? ›

Citing data from the European Repository of Cyber Incidents (ERCI), Statista reports that critical infrastructure is the target cybercriminals go after most frequently. State institutions and political systems are the second most common target, with more than 450 reported incidents in 2023.

What tactics do cybercriminals use? ›

Common Tactics Used by Cybercriminals

Grasping these methods aids in crafting effective defensive strategies. Among the most common tactics used by cybercriminals are phishing, malware distribution, and Distributed Denial of Service (DDoS) attacks.

What is the number 1 cyber crime? ›

Phishing attacks can take many shapes. Bulk phishing, smishing, and business e-mail compromise (BEC) are the most common types. In 2022, 85 percent of the surveyed worldwide organizations reported encountering bulk phishing attacks, while roughly three in four were targeted by smishing scams.

Who are the top 5 cyber criminals? ›

Here's a look at the top ten most notorious hackers of all time.
  • Kevin Mitnick. A seminal figure in American hacking, Kevin Mitnick got his career start as a teen. ...
  • Anonymous. ...
  • Adrian Lamo. ...
  • Albert Gonzalez. ...
  • Matthew Bevan and Richard Pryce. ...
  • Jeanson James Ancheta. ...
  • Michael Calce. ...
  • Kevin Poulsen.

Can I get my money back if my bank account has been hacked? ›

Am I going to get my money back? Your bank should refund any money stolen from you as a result of fraud and identity theft. They should do this as soon as possible - ideally by the end of the next working day after you report the problem.

How do criminals steal money online? ›

Stealing Electronic Currency

These Trojan programs collect information on access codes / passwords for user accounts and then send the data to the criminal. Usually, the information is collected by searching and decoding files that store personal data about the account's owner.

What information does a scammer need to access my bank account? ›

The easiest way to become a victim of a bank scam is to share your banking info — e.g., account numbers, PIN codes, social security number — with someone you don't know well and trust. If someone asks for sensitive banking details, proceed with caution.

What is a hacker's main goal? ›

The goal of hacking is to manipulate digital devices in order to cause damage or corrupt operating systems. It also allows hackers to collect user information, steal sensitive information and documents or perform other disruptive data related activities.

What do hackers target most? ›

What do hackers tend to look for?
  • Social Security numbers.
  • Date of birth.
  • Email addresses.
  • Financial information.
  • Phone numbers.
  • Passwords.
  • Credit card info.
  • Crypto wallets.

Can hackers see and hear you? ›

Mobile spyware is malware that allows hackers to steal information and watch anything within view of your phone camera. It can also enable them to access your microphone, location, calendar, and contacts. This makes it possible for hackers to record your videos and calls.

How do cybercriminals cash out? ›

The process of transferring illicit proceeds to a threat actor or designated representative. Common methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms or buying goods or gift cards. Typically at the final stage of a fraudulent scheme.

How do hackers get your money? ›

Most of the time, by tricking the bank account owner. They fool them into giving the password, or just trick them into making a transfer to the scammer. There's all sorts of ways this is done, from phishing emails to scam phone calls pretending to be the bank, or IRS/HMRC, or something else.

How to get money from fraudsters? ›

Approaches to dealing with cybercrime related financial loss
  1. Report the scam to your bank's fraud team - the first step is for you to report the issue to your bank's fraud team. ...
  2. Fraud investigation - your bank has 15 days to investigate and then report back with an outcome on whether it will give you money back.

How much do cybercriminals profit? ›

$1.5 Trillion in Annual Revenue for Cybercriminals.

Article information

Author: Otha Schamberger
