HOW CYBERCRIME WORKS
The point of nearly all malware is to make money. Cybercriminals have many methods to monetize their activity. Fortunately, the criminals must take many steps for the entire process to work. Every step along the way is another opportunity for us to break the chain needed for their efforts to be profitable.
The first step for cybercriminals is to find victims. Here are the six primary ways cybercriminals ensnare unwitting victims in their nets and compromise their computers for criminal purposes.
Spam: The monetization of malware started primarily with email spam. Peddling pills, fake watches and Russian brides is still a profitable practice for many criminals. Although spam volumes have begun to drop, spammers send billions of messages every day hoping that just a small percentage will make it past spam filters and convince a few folks with their guard down to make a purchase. While malware is still sent attached to some messages, it has largely moved to the web.
Phishing: Attackers use email for more than just spam promoting products and services. Email is the preferred method to deliver phishing attacks. These can vary from emails pretending to be from your bank or email service providers in order to steal your account details, to targeted attacks attempting to gain access to your company’s internal services.
Social Media: Many spammers have migrated from email spam to social media spam. Users are more likely to click links in commercially motivated spam if it appears to come from a friend or colleague on services like Facebook and Twitter. Breaking news and popular features on these networks can lead curious victims to click on unsafe links.
Drive-By Downloads: The largest number of victims are delivered into the hands of these thieves simply by visiting websites containing exploits known as drive-by downloads. Every day over 30,000 URLs expose innocent surfers to a variety of code attempting to exploit vulnerabilities in their operating systems, browsers, plugins and applications.
Malware: Worms, viruses and other malware files still serve their masters well. While they are less common today than they were 10 years ago, opportunistic crooks still exploit malware to infect exposed systems and recruit people’s computing devices for their own purposes.
MONEY BEHIND THE MALWARE
After a criminal hooks a victim or takes over a victim’s computer, there are many ways to make money. Here are five schemes that cybercriminals use to make money off their victims.
Selling products: The most basic way to make money from any sort of malware, spam or website compromise is to sell a product. Criminals simply set up a store and use infected websites and spam to deliver promotions and advertisements to drive traffic to a virtual storefront. Many of these operations are not just false-front businesses. They ship sham products pretending to be Viagra, Rolex watches, Gucci handbags and various pirated software packages.
Stealing Login Details: The purpose of phishing spam messages is to convince you they come from someone you know or trust. Criminals use social engineering techniques borrowed from real brands to collect usernames and passwords associated with high-value websites like PayPal, banks, Facebook, Twitter, Yahoo and web-based email services. It’s easy for criminals to imitate these companies as everything online is digital. They simply steal real communications from the victim companies and redirect the links to bogus webpages. As a share of all email, phishing is an increasing threat that takes advantage of users’ lack of awareness of hacking attacks and data breaches.
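The tell-tale sign of the copied-and-redirected communication described above is a link whose visible text names the real brand while its href leads somewhere else. The following is an added example, not part of the original document: a small Python checker that parses an HTML message body and flags anchors whose displayed URL and actual target belong to different registrable domains. The sample message and its domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a notice copied from a real brand, with the link
# re-pointed at an unrelated host (placeholder domains, not real indicators).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://login-verify.example.net/paypal">https://www.paypal.com/account</a>
or read our <a href="https://www.paypal.com/help">help pages</a>.</p>
"""

def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text looks like a URL or
    domain but the href resolves to a different registrable domain."""
    parser = _LinkCollector()
    parser.feed(html)
    url_like = re.compile(r'^(https?://)?([\w.-]+\.[a-z]{2,})(/\S*)?$', re.I)
    flagged = []
    for href, text in parser.links:
        match = url_like.match(text)
        if not match:
            continue  # plain wording such as "help pages" carries no domain claim
        shown = registrable_domain(match.group(2))
        actual = registrable_domain(urlparse(href).hostname or '')
        if shown != actual:
            flagged.append((text, href))
    return flagged
```

Run `find_mismatched_links(SAMPLE_EMAIL)` to see the first link flagged and the second, whose text makes no domain claim, left alone.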
Fake Security Software: Often referred to as fake antivirus, these programs are designed to behave in the exact opposite way from traditional malware: noisy, annoying and flashy. Fake antivirus works by convincing the user they are at risk of infection after visiting a compromised webpage that secretly installs the fake antivirus on their computer. The criminals typically charge around US$100 for the fake antivirus software to “clean up” the infected computer. But the fake antivirus doesn’t clean up threats—it is a threat. And the criminals can make even more money off the victim by offering extended support and multi-year offers. Fake security suites target Windows, Mac and even Android users.
Ransomware: Cybercriminals can use ransomware to encrypt your documents, boot sector or other important components of your PC and hold them hostage until you pay a ransom. The ransomware often uses modern cryptographic algorithms, and only the criminals possess the keys to unlock your files. If you want your stuff back, you have to pay up. Traditionally ransomware was almost exclusively Russian, but recently we’ve seen these gangs targeting North America, Europe and Australia. A new variation plaguing Internet users in 2012 is a fake law enforcement warning suggesting your federal police authority has detected child pornography on your computer. The warning tells the victim their computer has been locked and they must pay a $300 fine to unlock it.
Social Media Spam: Delivering email messages to our inbox is harder than ever. Spam filters block more than 99% of it before it can see the light of day. And users can spot the fake names on spam that gets through. Social media sites like Facebook and Twitter have been an attractive place for spammers to move. The criminals can purchase access to stolen user credentials or convince users to spread fraud for them. They benefit from your social capital—the more friends and followers you have, the more people can be spammed by the criminal using your account. Users are far more likely to click a message about winning a free iPad or losing 30 pounds on a miracle weight-loss plan if it comes from someone they know and trust.
HOW WE WIN
As long as there is money to be made, criminals will continue to take advantage of opportunities to pick our pockets. While the battle with cybercriminals can seem daunting, it’s a fight we can win. Although our adversaries have plenty of incentive to infect users, their schemes require a series of steps to be successful. We only need to break one link in their chain to stop them dead in their tracks. Simply deploying patches more quickly, eliminating unnecessary applications, and running as a non-privileged user will thwart more than 90% of these attacks.
Many attacks succeed when users let their guard down. Increasing employee awareness of the threat and providing examples can help keep your users from opening malicious attachments or clicking on links out of curiosity. Users need to understand that, while security tools enhance the security of the network, the user is the most important defense for protecting sensitive company information.
We must recognize our weak points and work together as a community to share the knowledge we need to defend ourselves. Reducing the threat surface by having fewer apps, educating your users, and restricting administrative rights can make the job so difficult for the scammers that they will look elsewhere for their victims.