by Kate Goldfinch (TFT Science Editor)
Cybercrime is a fast growing industry and with no signs of slowing down. Activities around Cybercrime – from how it is committed to its methods of spread – are becoming more and more ingenious. Kate Goldfinch, Science editor at The Fintech Times speaks to industry experts about what to watch out for in 2019 and offers some cautionary notes.
In 2018, the Cybercrime economy was estimated to be worth $1.5 trillion, according to a study commissioned by cybersecurity company Bromium. That was the first study of its kind, aimed at examining the “dynamics of cybercrime,” in the context of revenue flow and profit distribution.
The study discovered new criminal platforms and a booming cybercrime economy. This Cybercrime economy is self-sufficient and blurs the lines of legality. “It’s shocking how widespread and profitable cybercrime has become,” commented Gregory Webb, CEO of Bromium. “The platform criminality model is productising malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise, it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum. We can’t solve this problem using old thinking or outmoded technology. It’s time for new approaches.”
In fact, if Cybercrime were a country it would have the 13th highest GDP in the world. Breaking down that $1.5 trillion figure a little more, we can see how profitable some of these illicit activities actually are: $860 billion – Illicit/illegal online markets; $500 billion – Theft of trade secrets/IP; $160 billion – Data trading; $1.6 billion – Crimeware-as-a-Service; $1 billion – Ransomware. The report finds that cybercrime functions on a number of levels, with some large “enterprise” style operations, netting well over $1 billion, while SME-style outfits made between $30,000-$50,000.
“A hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale,” the study suggests. “Platform capitalism – a term used to describe the likes of Uber, Facebook and Amazon – is offering fertile ground for hackers to further their gains. Whether by hacking companies to acquire user data; intellectual property; disseminating malware; selling illegal goods and services; setting up fake shop fronts to launder money; or simply connecting buyers and sellers, it is evident that cybercriminals are adept at manipulating existing platforms for commercial gain.”
Yet beyond platforms being the targets and unwitting enablers of cybercrime, the report assumes they have provided inspiration – as a model of platform, criminality emerges. “The main contribution of platforms is to connect individuals with a service or product.” While an individual hacker may only make upwards of $30,000 per year, a manager on a cybercrime platform can make $2 million per job. The study found numerous examples of services and products for sale on these various platforms under the title, “Customer Service.” And these trends show no signs of slowing down.
The evolution of Cyber threats
In December last year McAfee, the device-to-cloud cybersecurity company, released its McAfee Labs Threats Report: December 2018, that examined cybercriminal underground activity and the evolution of cyber threats during Q3 2018. McAfee Labs found an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices. The ripple effect of the 2017 takedowns of Hansa and AlphaBay dark web markets continued as entrepreneurial cybercriminals took new measures to evade law enforcement.
“Cybercriminals are eager to weaponise vulnerabilities both new and old, and the number of services now available on underground markets has dramatically increased their effectiveness,” said Christiaan Beek, lead scientist at McAfee. “As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques. Following up-and-coming trends on the underground markets and hidden forums allow the cybersecurity community to defend against current attacks and stay a step ahead of those in our future.”
Hacker forums provide an elusive space for cybercriminals to discuss cybercrime-related topics with their peers. McAfee researchers witnessed conversations around the following topics in Q3 that could be considered as hidden cybercriminal trends:
Successful Breaches Fuel Markets for Data and Copycat Attacks
User Credentials: Due to many recent successful large data breaches, user credentials remain a popular topic. Hacked email accounts are of particular interest to cybercriminals as they are used to restore login credentials for other online services.
E-commerce Site Malware: Cybercriminals have shifted their focus from point-of-sale systems to payment platforms located on large e-commerce sites. Cybercriminal groups, such as Magecart, have successfully skimmed thousands of credit card details directly from victim websites, which has fuelled demand for both credit card details and the malicious tools that can be used to steal them. Furthermore, as organisations implement additional security measures, cybercriminals are responding accordingly. For example, as organisations add geographic IP location checks for online purchases, the demand for compromised computers from the same sip code as the stolen credit card information increases.
Common Entry and Attack Methods Remain Popular
Common Vulnerabilities and Exposures (CVE): McAfee researchers witnessed numerous mentions of CVEs in discussions focused on browser exploit kits RIG, Grandsoft and Fallout, and on GandCrab ransomware. The popularity of these topics signals the importance of vulnerability management for organisations around the globe.
Remote Desktop Protocol (RDP): Shops offering logins to computer systems worldwide, ranging from the consumer home to medical devices and government systems, remained popular throughout Q3. These shops provide one stop for cybercriminals looking to commit fraud, selling RDP access as well as social security numbers, bank details, and online account access.
Ransomware-as-a-Service (RaaS): Ransomware remains popular, evidenced by 45% growth over the last four quarters and strong interest on underground forums for leading RaaS families such as Gandcrab. The number of unique ransomware families has declined since Q4 2017 as partnerships between essential services have increased, for example the partnership between GandCrab ransomware service NTCrypt seen in Q3. Partnerships and affiliate schemes have bettered the level of service provided to customers and increased infection rates.
As McAfee Labs saw 480 new threats per minute in Q3 2018:
- New IoT device malware grew 73% in Q3 2018; total IoT malware was up 203% in last four quarters
- Cryptomining malware increased 71%
- New mobile malware decreased 24%
- Financial sector data breaches increased 20%
- New ransomware increased 10%
Source: McAfee Labs Threats Report: December 2018, statistic for Q3 2018
Among threats, researchers identify the following categories:
Cryptomining and IoT. IoT devices such as cameras or video recorders have not typically been used for cryptomining because they lack the CPU power of desktop and laptop computers. However, cybercriminals have taken notice of the growing volume and lax security of many IoT devices and have begun to focus on them, harnessing thousands of devices to create a mining super-computer. New malware targeting IoT devices grew 72%, with total malware growing 203% in the last four quarters. New coinmining malware grew nearly 55%, with total malware growing 4,467% in the last four quarters.
Security incidents. McAfee Labs counted 215 publicly disclosed security incidents, a decrease of 12% from Q2. 44% of all publicly disclosed security incidents took place in the Americas, followed by 17% in Europe and 13% in Asia-Pacific.
Vertical industry targets. Disclosed incidents targeting financial institutions rose 20%, as McAfee researchers observed an increase in spam campaigns leveraging uncommon file types, an effort to increase chances of evading basic email protections. McAfee researchers also observed banking malware include two-factor operations in web injects to evade two-factor authentication. These tactics follow a broad effort on the part of financial institutions to increase security in recent years.
Regional Targets. McAfee researchers found a new malware family, CamuBot, targeting Brazil in Q3. CamuBot attempts to camouflage itself as a security module required by the financial institutions it targets. Although organised cyber gangs in Brazil are very active in targeting their own population, their campaigns have been crude in the past. With CamuBot, Brazilian cybercriminals appear to have learned from their peers, adapting their malware to be more sophisticated and comparable to that on other continents.
Attack vectors. Malware led disclosed attack vectors, followed by account hijacking, leaks, unauthorised access, and vulnerabilities.
Ransomware. GandCrab, one of the most active families of the quarter, increased its required ransom payment to US$2,400 from $1,000. Exploit kits, the delivery vehicles for many cyberattacks, added support for vulnerabilities and ransomware. New ransomware samples grew 10%, and total ransomware samples grew 45% over the last four quarters.
Mobile malware. New mobile malware decreased by 24%. Despite the downward trend, some unusual mobile threats appeared, including a fake Fortnite “cheat” app and a fake dating app. Targeting members of the Israel Defence Forces, the latter app allowed access to device location, contact list, and camera and had the ability to listen to phone calls.
Malware overall. New malware samples increased by 53%. The total number of malware samples grew 34% in the past four quarters.
Mac malware. New Mac OS malware samples increased by 9%. Total Mac OS malware grew 51% over the last four quarters.
Macro malware. New macro malware increased by 32%, growing 24% over the last four quarters.
Spam campaigns. 53% of spam botnet traffic in Q3 was driven by Gamut, the top spam-producing botnet spewing “sextortion” scams, which demand payment and threaten to reveal victim browsing habits.