There is a law named after a famous bank robber: Sutton's law. After Willie Sutton was caught, a reporter asked him a simple question: why do you rob banks? "Because that's where the money is," he answered. Sutton's law states that when confronting a problem, the most obvious solution should be tried first. It is applied in medicine, in philosophy and in debugging computer programs, but let's apply it to the field of cybersecurity.
Where is our money? Piggy bank days are over, and most of us do our transactions online. When we want to know how much money we have, we seldom count hard cash; we log in to our online bank account and see what's what. So what can Sutton's law teach us? That Willie Sutton would not rob banks these days; he would become a hacker and let himself loose in the virtual space, "because that's where the money is."
Understanding the dangers one faces online is the first step towards protecting one's assets. In this article, I will elaborate on the most popular hacking methods that cause direct damage to the victim. I will not, however, provide solutions, but be sure to follow up, because they will be the main topic of my next article.
Some statistics first
As of 31 March 2019, the number of people connected to the internet is 4,383,810,342, more than half of the world's population. It is safe to assume that a significant part of them have accounts on Gmail, Facebook or gaming platforms, and access their bank account online. Unfortunately, cybersecurity awareness is minimal, and in a wide-ranging global survey of IT professionals conducted by ESG, more than half of the participating organizations stated that they have a significant shortage of cybersecurity skills.
Sadly, the shortage of cybersecurity professionals goes hand in hand with the damage and financial losses caused by cybercrime. Ransomware damages (I will elaborate on this attack shortly) exceeded $5 billion in 2017 and continue to grow. It is estimated that by 2020 there will be 300 billion passwords in use by humans and machines. Moreover, at this very moment you can find a mega-leak of 2.2 billion passwords on the dark web.
Many countries already report that cybercrime is becoming the most common criminal practice, and, shockingly, law enforcement officers estimate that hackers these days earn more than drug dealers. One thing is for sure: this is a real problem that requires meaningful solutions. When it comes to cybersecurity, the proverb "better safe than sorry" is straight to the point.
The most popular cyber attacks
Starting in 2012, ransomware attacks snowballed and continue to grow at an astonishing 350% annually. Ransomware is malicious software that encrypts the files on your hard drive (or part of it) and blocks access to them. To "unlock" your device, you must pay a ransom, usually in cryptocurrency.
The most common way to spread the infection is via email and phishing scams (see the explanation of phishing below). These are mass campaigns that do not target specific individuals; they send convincing emails with malicious attachments or hyperlinks to large numbers of unsuspecting users.
Another way to spread ransomware is through infected websites. For example, a hacker finds a vulnerability in a website and injects malicious code that executes when a visitor performs a specific action (such as clicking an ad). On rare occasions, ransomware has also been spread through messaging apps.
WannaCry, launched in May 2017, is the most famous ransomware attack. It spread quickly and infected over 200,000 devices in 150 countries. It targeted computers running Microsoft Windows and used two exploit tools: EternalBlue, an exploit for a vulnerability in the Windows SMBv1 file-sharing protocol (which Microsoft had already patched as MS17-010 two months earlier), to gain code execution on the device, and DoublePulsar, a backdoor, to install and run the ransomware itself. Because the same exploit worked against other unpatched machines on the network, WannaCry spread on its own like a worm, without anyone clicking anything. The attackers demanded $300 to $600 in Bitcoin, and estimates of the financial losses range from hundreds of thousands up to 4 billion dollars.
Phishing is an attempt to obtain sensitive private information by deceiving the victim. Usually it is carried out via email or a web page, but it can also happen over the telephone or by text message. Two common scenarios:
- The victim receives a fake yet convincing email that asks for private information. It may appear to come from a bank, stating that suspicious activity was noticed and that, to protect the account, certain credentials must be confirmed. Once the victim replies with the requested information, the attackers seize the account and try to extract as much money from it as possible.
- The hacker creates a fake website, usually imitating a well-known service such as an online shop or even a bank. If done well, the page is almost identical to the real one, and the victim unsuspectingly enters personal data, which is again used to seize the account. These fake websites tend to stay online for only a short time (up to 5 hours) and are very hard to trace once shut down.
Phishing by email depends on how convincing and legitimate the message looks. The more personal data it contains, the better the chances that the recipient will be deceived. My prediction is that phishing attacks will become more sophisticated because of the substantial data leaks that have exposed private information to hackers. Last year's Facebook data leak may very well be used to construct a convincing phishing email that mentions a person's high school, telephone number, places they have been, and so on.
Credential stuffing is very easy to execute and has been a problem since 2012, but there has been a massive spike in such attacks over the past few years because of the numerous data leaks. The attack itself does not require in-depth hacking knowledge, only a few pieces of software.
First, the attacker obtains a database of leaked passwords, usernames, email addresses and other personal information. Sadly, such information is easy to find on dark web forums; as I mentioned before, a mega-leak of 2.2 billion credentials is circulating. The attack works because many people reuse the same username and password on several sites, so a pair leaked from one service often opens accounts elsewhere.
Obviously, nobody types millions of username/password pairs into login forms by hand, so the attacker uses automation software that fills in the login fields. The tool is pointed at many websites in the hope that victims reuse the leaked combination and have not changed it since the breach. Sending all those attempts from a single IP address would quickly get it blocked, so another piece of software routes the requests through many different proxy servers, hitting hundreds of pages at the same time.
The rest is self-explanatory: if an attempt succeeds, the account is seized and any useful data is extracted for further crimes. During the second half of 2018, about 28 billion credential stuffing attempts were made, mainly targeting retailer websites. Easy execution, automation, and a lack of cybersecurity awareness make this one of the most popular cyber crimes.
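To make the mechanics above concrete, the following added Python example (my own illustration, not code from the original article) generates constructed authentication log lines for a stuffing run and for normal logins, then profiles them: every leaked pair is tried once, requests rotate across many proxy IPs so that no single address makes more than a few attempts, and only the victims who reused the leaked password produce a successful login. The log format, the IP ranges (RFC 5737 test networks), the account names and the detection thresholds are all assumptions.

```python
"""Constructed example: a credential-stuffing run as seen in a website's
authentication log, next to normal logins, and the aggregate signature
that exposes it. Every log line here is generated by this script; the log
format, IP ranges (RFC 5737 test networks), names and thresholds are
assumptions, not data from a real system."""
import random
from collections import Counter

SEED = 2019  # fixed so the demo is reproducible


def timestamp(i):
    # i-th event of the window, one event per second starting at 10:00:00Z
    return f"2019-03-31T10:{(i // 60) % 60:02d}:{i % 60:02d}Z"


def gen_normal_traffic(rng, n_users=20, attempts=60):
    """Legitimate traffic: a small set of users, each logging in from a
    stable home IP, occasionally mistyping a password."""
    lines = []
    for i in range(attempts):
        uid = rng.randrange(n_users)
        result = "OK" if rng.random() < 0.9 else "FAIL"
        lines.append(f"{timestamp(i)} login src=198.51.100.{uid + 1} "
                     f"user=user{uid}@example.com result={result}")
    return lines


def gen_stuffing_traffic(rng, n_creds=600, n_proxies=200, reuse_rate=0.01):
    """Stuffing traffic: every leaked username/password pair is tried exactly
    once, and requests are rotated across many proxy IPs so that no single
    IP makes more than a handful of attempts. Only the victims who reused
    the leaked password (reuse_rate) produce an OK."""
    lines = []
    for i in range(n_creds):
        result = "OK" if rng.random() < reuse_rate else "FAIL"
        lines.append(f"{timestamp(i)} login src=203.0.113.{i % n_proxies} "
                     f"user=leaked{i}@example.net result={result}")
    return lines


def parse(line):
    """Split 'TS login src=IP user=U result=R' into (ip, user, result)."""
    _ts, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return kv["src"], kv["user"], kv["result"]


def profile(lines):
    """Aggregate statistics for all login attempts in one time window."""
    attempts = [parse(line) for line in lines]
    n = len(attempts)
    if n == 0:
        raise ValueError("empty window")
    fails = sum(1 for _, _, r in attempts if r == "FAIL")
    users = Counter(u for _, u, _ in attempts)
    ips = Counter(ip for ip, _, _ in attempts)
    return {
        "attempts": n,
        "failure_ratio": fails / n,
        "distinct_users": len(users),
        "user_spread": len(users) / n,  # approaches 1.0 when each name is tried once
        "distinct_ips": len(ips),
        "max_per_ip": max(ips.values()),  # stays tiny under proxy rotation
    }


def is_credential_stuffing(p, min_attempts=200, min_fail_ratio=0.8,
                           min_user_spread=0.8):
    """Flag the campaign by its aggregate shape rather than by any one IP:
    a burst of attempts, overwhelmingly failing, against mostly distinct
    usernames. A per-IP lockout alone never fires here, because proxy
    rotation keeps max_per_ip below any sane lockout threshold."""
    return (p["attempts"] >= min_attempts
            and p["failure_ratio"] >= min_fail_ratio
            and p["user_spread"] >= min_user_spread)


def demo(seed=SEED):
    """Profile a quiet window, a stuffing run on its own, and the two mixed."""
    rng = random.Random(seed)
    normal = gen_normal_traffic(rng)
    stuffing = gen_stuffing_traffic(rng)
    mixed = normal + stuffing
    rng.shuffle(mixed)
    return {"normal": profile(normal), "stuffing": profile(stuffing),
            "mixed": profile(mixed)}


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:9s} {p}  stuffing={is_credential_stuffing(p)}")
```

Run it to see why a per-IP lockout alone does not stop the campaign: the stuffing traffic never puts more than 3 attempts on any one proxy address, while the window as a whole (hundreds of attempts, a failure ratio far above the normal baseline, almost every username seen only once) is unmistakable. Real deployments tune the thresholds to their own baseline traffic.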
Another popular method is the man-in-the-middle (MITM) attack. It can be carried out in several different ways, and the technical complexity of some of them deserves an entire article. Briefly, the attacker positions themselves between the user (client) and the website (server) to intercept the communication, gather information, modify it in transit, or take over the entire session.
On 2 January 2019 the password manager service Blur had a hard time. Its new year started with an announcement that 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords had been exposed. You can read the full list of data breaches of 2019 here, and I hope that will be enough of an argument to start taking the first steps to increase your security online.
All three attacks described above benefit from such leaks, and it will take time to train the required number of cybersecurity specialists. Note also that attackers count on human error, so education about online dangers can prevent a hasty, ill-considered response.
Once again, in a short time, I will follow up with an article on how to protect yourself against all of the above-mentioned attacks, so stay tuned.