In recent years, coverage of cyber security incidents in the mainstream media has increased dramatically to the point that it is now common for some form of incident to be reported on a daily basis. While the world has no doubt become more aware of cyber security, the fact remains that cyber criminals are having staggering financial success without being caught.
While technologies such as anti-virus, intrusion detection and firewalls play an essential role in securing modern-day digital devices and networks, they only provide coverage against cyber attacks that are already known via “virus signatures”. These signatures act as fingerprints to identify and detect specific viruses, so anything new or modified enough to evade them passes through. Cyber criminals are exploiting this gap with impunity and are no longer targeting systems so much as individuals, as the recent ransomware attacks demonstrate.
From a financial perspective, a study by ISACA has shown that the cost incurred by companies as a result of cyber attacks is directly proportional to the number of employees in an organisation (ISACA, 2017), with the Ponemon Institute calculating the average cost of a cyber attack per employee at USD $394.56.
The commercialisation of cyber crime
Since 2013, but particularly in 2016 and 2017, there has been a dramatic shift in how Cyber Crime operates as a business model. Previously, it was commonplace for Cyber Criminals to develop their own malicious software (“Malware”) and carry out their own attacks. Cyber Criminals now produce what are known as “Crimepacks”, with distinct groups providing specialised services. This is a multi-billion-dollar industry.
Crimepacks make their Malware and Phishing infrastructure available for use by other actual or wannabe Cyber Criminals for a fee. For example, Phishing and Malware As A Service (PhAAS) costs $200 per month to $1,200 per year and comes with telephone support.
Cyber Criminals using PhAAS are now offering customers access to their own email servers. Previously, Cyber Criminals had to build up their own network of email servers in order to carry out phishing on a large scale; with PhAAS, however, a pre-existing network is available to them at a low cost. In some cases, cyber criminals are providing Data Analytics as part of their PhAAS solutions with a view to giving their customers in-depth information on the success of their Phishing campaigns.
With Malware as a Service (MaaS), some Cyber Criminals sell individual pieces of Malware on Dark Net Marketplaces at a set cost, while others provide a subscription-style service run by the owners of the Crimepacks. Each subscriber has access to all new and updated Malware developed for the duration of their subscription. That Malware is continuously tested against the latest defences from the security vendors, and is only released once it has been confirmed that those defences are unable to detect it. The InfoSec Institute recently reported that cyber criminals were offering the use of modified versions of the CryptoLocker Ransomware for a fee of USD $100 on the Dark Net.
In essence, Malware and Phishing as a Service have made the business of Cyber Crime easily accessible to a broader range of people, which may go some way towards explaining the dramatic increase in cyber crime during 2016 and 2017.
Ransomware: A game changer for cyber criminals
Pre-2012, cyber criminals largely focussed on stealing information such as credit card details or passwords for financial gain; however, 2012 saw a drastic change in tactics. It is now common practice for cyber criminals to hold computer users to ransom by locking access to their system and/or data and demanding that victims pay a ransom in order to regain access. Such software is commonly referred to as ransomware, and it is mostly delivered via phishing e-mails (93 per cent of all phishing e-mails now contain ransomware as an attachment (Verizon, 2017)). It is particularly relevant at present given the significant media coverage afforded to the WannaCry and Petya Ransomware.
Ransomware has proven to be extremely lucrative: the CryptoLocker Ransomware active in 2013 resulted in an estimated $3 million gain for the perpetrators (at a cost of $300 per victim (ZD Net, 2013)), while the CryptoWall Ransomware active in 2015 is estimated to have earned its perpetrators $18 million (FBI, 2015).
In 2016 there were an estimated 638 million Ransomware attacks (one for every twelve people on the planet), up from 3.8 million in 2015 (a 167-fold increase), with industry experts forecasting even further growth into 2017 and beyond.
A scam in which criminals impersonate the email accounts of chief executives has cost businesses around the globe more than $2bn in little over two years. The FBI has seen a sharp increase in “business email crime,” a simple scam that is also known as “CEO fraud”, with tens of thousands of victims affected globally. In the scam, a criminal mimics a chief executive’s email account and directs an employee to wire money to an overseas bank account. By the time the company realises it has been duped, the money is gone. The average loss is $120,000 but some companies have been tricked into sending as much as $90m to offshore accounts.
Who is at risk?
Large organisations, but particularly SMEs and the average home PC user, are all at risk from cyber crime, and particularly from phishing, CEO Fraud and ransomware. Security software and hardware vendors are very much a step behind the Cyber Criminals. Companies should therefore consider bolstering staff defences, not only to make employees more aware of phishing risks but also to advise them on what actions they can take at work and at home to deter the threat. This is known as the human firewall, the last line of defence.
CyberRiskAware, assisted by Irish Government agency Enterprise Ireland, has been growing its market presence in the UK and Ireland by attending several events and partnering with cyber insurance providers, security service providers and system integrators. Through this, the company’s clients are minimising risks to their businesses, protecting their computer data as well as customer data to meet legal and regulatory requirements.
CyberRiskAware’s training program aims to reduce the read rate of phishing e-mails from 30 per cent to 3 per cent, the click rate from 12 per cent to 1 per cent and the credential disclosure rate from 12 per cent to 1 per cent. Achieving this level of compliance results in an overall reduction in cyber security risk of 99 per cent. Whilst cyber attacks are still on the horizon, it is solutions like those provided by Cyber Risk Aware that give businesses grounds for a good degree of optimism.
Stephen Burke, CEO of Cyber Risk Aware
Photo Credit: andriano.cz/Shutterstock