The business plan of cyber criminals
Cybercrime is big business. It is not only large corporations that are affected, but also SMEs and municipalities, such as the Swiss municipality of Rolle in 2022. In what follows we point out the dangers from the somewhat cynical perspective of the criminals.
What options do we have as cyber criminals to get the money we want? Theft and extortion are the obvious ones. For example, we can...
- ... copy sensitive information and blackmail the owner with disclosure.
- ... copy and sell sensitive information to the highest bidder.
- ... steal sensitive information - this means not only copying, but also removing it from the owner's access - and blackmail the owner to return it.
- ... steal money unnoticed.
- ... let other states and organizations pay us as a service provider for acts of sabotage, theft, etc.
For each of these scenarios, we briefly analyse real examples below and draw initial conclusions from them. We would also like to express our thanks and respect to those affected by these attacks, who indirectly benefit the rest of the economy by making information about their experiences public or by providing insight into what happened. With humility, we must recognize that absolute security is unattainable and that it can happen to anyone. Publishing such negative experiences helps others to become aware of the dangers and to protect themselves.
Before we go into the examples, however, we first determine the size of the market, as is usual in a business plan. As is almost always the case in market research, the volume can only be estimated, and the estimates may be exaggerated because of the publicists' self-interest. We cite here the estimates by senior lecturer Michael McGuire of the University of Surrey and leave them as they stand.
Whether the true figure is half or even double does not matter for the rest of our story, given the order of magnitude. It shows that there is a lot of money involved, almost regardless of how large the estimation error is assumed to be. There is therefore a market for criminals.
Publication of Stadler Rail trade secrets
Stadler Rail informed the public about the incident described here in 2020 via a media release. According to SwissInfo, the attackers demanded around CHF 6 million and threatened to publish the stolen documents otherwise. After the company refused, a "first part" of the documents was published, including banking and credit agreements as well as tax agreements with the canton of Thurgau. Several computers are said to have been infected with malware.
Selling data stolen from Home Depot
Stadler Rail did not want to pay. Can information instead simply be sold to the highest bidder on the market? This may be possible with some trade secrets, but the best documented market is the one for stolen credit card numbers. In one of the biggest cases, the retail giant Home Depot lost 56 million (!) credit card numbers of its customers. Incidentally, that incident is not to be confused with the more recent credit card theft by a Home Depot employee who had privileged access to temporary credit card numbers.
According to Forbes, a single stolen credit card record currently sells for between USD 5 and USD 150, depending on how much information is included beyond the card number itself.
The bankruptcy of SwissWindows and the vulnerable healthcare system
Not all information is valuable enough to sell to the highest bidder, or so sensitive that its publication must be avoided at all costs. As a result, ransomware today follows a two-stage approach. First, the information is copied, then it is encrypted and thus made unusable for the victim. This gives the cyber criminal two levers: first, extortion for the recovery of the data; and if the victim can restore the data from backups, a second attempt at blackmail with the threat of publication.
In 2019, the company SwissWindows, with 170 employees, went bankrupt because of such a cyber attack. The window manufacturer's window construction program was encrypted, including all customer and machine data. Although backups had been made, they were not stored outside the company's own IT infrastructure and were therefore encrypted immediately as well, rendering them unusable. Since no ransom was paid, recovery was not possible. The result was a production loss of one month, followed by contractual penalties for missed deliveries; in the end there was no money left and bankruptcy had to be filed.
That is bad. But if no one pays the blackmailers, there is no business model, right? In theory, yes, but many organizations feel unable to say no. Hospitals and healthcare providers are particularly vulnerable. Cases are regularly reported in which a hospital had to buy itself out. For example, the Massachusetts Hospital had to admit that it paid for the release of its patient data and for the criminals' guarantee that the data would be deleted.
Both examples show that paying a ransom is a morally difficult issue. Must a ransom never be paid? Or is it exceptionally justifiable if a company with over a hundred employees is on the verge of ruin? Or if the lives of patients in a hospital hang by a thread? Even those who are fundamentally opposed to paying ransoms might reconsider if it were their own company facing ruin, or if they had just been admitted to hospital for urgent emergency surgery. It is best to do everything we can through countermeasures so that we never have to find our own answer to this question.
A municipality transfers USD 430,000
Blackmail therefore has a snag: the victim can say "no". So why not transfer the money to ourselves right away? In 2019, a particularly sophisticated case led the US municipality of Westlake-Gladstone to pay out half a million USD from an annual budget of almost 7 million USD to an unknown criminal organization. Almost routinely, via ordinary bank transfers. The holiday period was deliberately chosen. Several smaller transfers of less than USD 10,000 each could thus be carried out unnoticed for 17 days until the outflow was discovered and stopped. A further USD 50,000 could just be recovered; the rest of the money is gone.
If ordinary money transfers have been made, can the recipients still be traced? Not if a dozen unsuspecting private individuals are recruited as intermediaries. In North America, there have recently been more and more reports about fictitious job advertisements. Advertisements on normal job boards and targeted social networks are used to identify unemployed people and make them a job offer. The companies have websites, their letters have standard letterheads and are signed by important-sounding people. The company's commercial register numbers are also printed. Everything looks completely normal. The jobs are attractive because, by no means uncommon these days, employees can work from home. Brazenly, one or even several interviews are then conducted by the "HR manager" or the alleged supervisor: What is the candidate's career path? What professional experience and education do they have? The candidate then happily signs what appears to be a normal employment contract.
They are then trained and receive their first assignments. As a rule, some payments then have to be processed and, because some formality in the onboarding process has supposedly not yet been completed by HR or Finance, the new employee is asked to handle them through a private account and claim them back as expenses. Or something along those lines. And if the new employees refuse to process transactions privately on behalf of the company, they are instead told to select and buy their new notebook from a specific web shop in line with the "Bring Your Own Device" policy, pay with a private credit card and claim it back via an expense report.
In the case of the municipality of Westlake-Gladstone, 18 people were hired who received payments from the municipality, converted them into Bitcoin and forwarded them to the criminals, all without knowing what they were doing. Particularly popular targets are recent immigrants who have not yet gained a foothold in the labor market and are unfamiliar with local customs. These detours covered the tracks; only the 18 exploited, fictitious employees could be traced.
But how did the payments from the municipality come about? At least one municipal employee apparently fell for a phishing email and clicked on a link. After this workstation was infected, the attackers worked their way forward. In this case, they appear to have found at least part of the e-banking login details. They then changed the e-banking password and all security questions. Then they began transferring a series of small amounts to their fictitious "employees", amounts that would not immediately be noticed. And thanks to the vacation period, it took 17 days for the outflow to be stopped.
Is e-banking access mandatory for such an attack scenario? Not necessarily, but it allows control steps to be skipped in most companies. Alternatively, fictitious creditors and creditor documents could be created in the ERP system. Depending on the authorizations of the compromised user accounts, the attacker can either release them directly or at least enter them as seemingly routine purchased services with inconspicuous sums and hope for uncritical approval.
Or, in a still rare but interesting case that outlines the future of social engineering attacks, an employee was instructed by phone by the "CEO" to transfer 220,000 British pounds to a supplier. Using artificial intelligence, the CEO's voice was imitated so well that the employee was completely convinced he had spoken to the CEO personally, and transferred the sum.
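The Westlake-Gladstone pattern above (many transfers just under USD 10,000 to freshly created payees, spread over a holiday period) is one that a finance team can check for mechanically. The following is an added example, not code from the original article: a simple review over a constructed payment ledger that flags sub-threshold transfers to payees added within the last few weeks. The ledger rows, the payee names, the 30-day "new payee" window and the threshold are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample ledger for illustration only (no real municipal data).
# Row: (booking date, payee, amount in USD, date the payee was added to the payee list).
TRANSFERS = [
    (date(2019, 12, 20), "Office Supply Ltd", 1250.00, date(2015, 3, 2)),
    (date(2019, 12, 23), "Payee A", 9800.00, date(2019, 12, 19)),
    (date(2019, 12, 23), "Payee B", 9500.00, date(2019, 12, 19)),
    (date(2019, 12, 24), "Payee A", 9700.00, date(2019, 12, 19)),
    (date(2019, 12, 26), "Payee C", 9900.00, date(2019, 12, 20)),
    (date(2019, 12, 27), "Road Works Inc", 48000.00, date(2012, 6, 1)),
]


def flag_structured_outflow(transfers, as_of, threshold=10000.0,
                            new_payee_days=30, min_hits=3):
    """Flag a series of sub-threshold transfers to recently created payees.

    A transfer is suspicious when its amount is below the approval threshold
    AND the payee was created within the last `new_payee_days` days.
    `alert` is True when at least `min_hits` such transfers exist, which is
    the "many small payments instead of one big one" pattern.
    """
    hits = [t for t in transfers
            if t[2] < threshold and 0 <= (as_of - t[3]).days <= new_payee_days]
    near_threshold = [t for t in hits if t[2] >= 0.9 * threshold]
    return {
        "hits": hits,
        "distinct_new_payees": sorted({t[1] for t in hits}),
        "total": round(sum(t[2] for t in hits), 2),
        # Share of flagged transfers sitting just below the limit; close to 1.0
        # suggests amounts were chosen to stay under the approval threshold.
        "near_threshold_ratio": (len(near_threshold) / len(hits)) if hits else 0.0,
        "alert": len(hits) >= min_hits,
    }


if __name__ == "__main__":
    report = flag_structured_outflow(TRANSFERS, as_of=date(2019, 12, 27))
    print(f"alert={report['alert']} total=USD {report['total']:,.2f} "
          f"new payees={report['distinct_new_payees']} "
          f"near-threshold ratio={report['near_threshold_ratio']:.2f}")
```

Run daily, including during vacation periods, a check like this would have raised the alarm on the second or third day rather than after 17.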
Ransomware-as-a-Service
The last way presented here of making money with cyber crime is to position yourself as a criminal service provider. With ransomware-as-a-service, for example, even those who could not do so themselves can launch a ransomware attack. The recently published results of security specialist Jon DiMaggio's infiltration of the LockBit hacker gang give an interesting insight into the business model. A decentralized organization with profit-sharing schemes is emerging. Even a bug bounty scheme was launched: 1 million US dollars was offered to researchers or criminals who, through security gaps in LockBit, could find out who is behind the avatar "LockBitsUp".
For the victim, attacks carried out via ransomware-as-a-service do not look significantly different. But the circle of attackers well equipped with professional tools is thus expanding.
What countermeasures need to be taken?
Unfortunately, there is no easy answer. However, if one had to reduce it to a single statement: in Switzerland, the board of directors of a company is responsible for company-wide, integrated risk management. Information security risks must today be part of every company-wide, integrated risk management system and must not simply be left uncritically to the "IT department".
What do we learn from the described examples of attacks? Use professional, technical protective measures. For example, a well-functioning backup on sufficiently separated infrastructure makes data recovery possible after a ransomware attack, but it does not prevent data theft.
In addition to this technical point of view, however, we must also recognize from the examples that attacks are no longer directed only against technical systems, but increasingly directly at people. To quote freely from Frank Abagnale, who became famous through the film "Catch Me If You Can", reformed and went on to a long career with the FBI: "Every security incident starts with a person who has done something they shouldn't have done or who hasn't done something they should have done." Technical systems are becoming more and more secure. Employees are not keeping pace and are becoming the primary target of attack. Who clicks on links in fake emails? The people who receive them. Who enters a transfer in e-banking on behalf of a CEO? A human being. Who has, for every user account, a password that is a) unique and never reused, b) kept secret, c) randomly composed, d) made up of upper- and lowercase letters and special characters and e) at least 8 characters long (better longer)? Unfortunately (almost) no one. Many more incidents are likely to follow.