
The business plan of cybercriminals

Cybercrime is big business. However, it is not only large corporations that are affected, but also SMEs and municipalities such as the Swiss community of Rolle. We show the dangers from the somewhat cynical perspective of the criminals.

What options do we have as cybercriminals to get to the coveted money? Theft and blackmail are particularly suitable. For example, we can...

  1. ...copy proprietary information and blackmail the owner with disclosure.
  2. ...copy proprietary information and sell it to the highest bidder.
  3. ...steal information worthy of protection - that is, not only copy it, but also remove it from the owner's access - and extort the owner for its return.
  4. ...steal money unnoticed.
  5. ...let other states and organizations pay us as service providers for acts of sabotage, theft, etc.

For each of these scenarios, we analyze real-life examples in quick succession below and draw initial conclusions. We would also like to indirectly express our thanks and respect to those affected by the attacks here for making details of their experiences public for the benefit of the rest of the economy or for providing an insight into what happened. For with humility we must acknowledge that absolute security is unattainable and that it can affect anyone. The publication of such negative experiences helps others to become aware of the dangers and to protect themselves.

Before we go into the examples, however, we first determine the size of the market, as is usual in a business plan. As is almost always the case in market research, the volume can only be estimated, and the estimates may also be exaggerated because of the self-interest of those who publish them. We cite here the estimates of Senior Lecturer Michael McGuire of the University of Surrey and leave them to stand as they are.

Whether the true figure is half or twice as much is irrelevant for our further story in view of the dimensions. It shows that there is a lot of money involved, almost regardless of how large the estimation error is assumed to be. So there is a market for the criminals.

Publication of trade secrets of Stadler Rail

Stadler Rail informed the public about the incident described here via a media release in 2020. According to SwissInfo, the attackers demanded around CHF 6 million and threatened to publish the stolen documents otherwise. After the company refused, a "first part" of the documents was indeed published, including bank and credit agreements as well as tax agreements with the canton of Thurgau. Several computers are said to have been infected with malware.

Sale of data stolen from HomeDepot

But Stadler Rail did not want to pay. Is it possible instead to sell information on the market to the highest bidder? This might be possible for some trade secrets, but the best-documented case is the market for stolen credit card numbers. In one of the biggest cases, in 2014, the retail giant HomeDepot lost 56 million (!) of its customers' credit card numbers. The incident, by the way, is not to be confused with the more recent credit card theft by a HomeDepot employee who had privileged access to temporary credit card numbers.

A single piece of stolen credit card information currently costs between USD 5 and USD 150, according to Forbes, depending on how much information is included in addition to the actual number.

The bankruptcy of SwissWindows and the vulnerable healthcare system

Not all information is worth enough to sell to the highest bidder, and not all of it is so delicate that publication must be avoided at all costs. That's why ransomware today takes a two-step approach. First the information is copied, then it is encrypted, making it unusable for the victim. This gives the cybercriminal two chances: a first extortion attempt for restoring the data, and, if the victim is able to restore it from backups, a second attempt threatening publication.

In 2019, the company SwissWindows, with 170 employees, went bankrupt because of such a cyber attack. The window manufacturer's window construction program, including all customer and machine data, was encrypted. Backups had been created, but they were not stored outside the company's own IT infrastructure and were thus immediately encrypted as well and unusable. Since no ransom was paid, recovery was not possible. A production stoppage of one month was the consequence, then contractual penalties became due because of missing deliveries; in the end there was no money left and bankruptcy had to be filed.

Bad. But if no one pays on an extortion, there is no business model, right? Theoretically, yes, but many organizations don't feel able to say no. Hospitals and healthcare providers are particularly vulnerable. Cases regularly come to light in which a hospital has had to buy its way out. Massachusetts Hospital, for example, has had to admit paying for the release and deletion of its patient data, as promised by the criminals.

Both examples show that paying ransom is a morally difficult question. Should ransoms never be paid? Or is it exceptionally justifiable when a company with over a hundred employees is facing ruin? Or is it permissible when the lives of patients in hospital hang by a thread? And even those who are against paying ransoms in principle might reconsider if it is their company that is facing ruin or if they are being admitted to the hospital for an urgent operation. It's best to do everything we can, by taking countermeasures, to avoid having to find our answer in the first place.

A municipality transfers USD 430,000

So blackmail has a catch: the victim can say "no". So why not just transfer the money ourselves? In 2019, a particularly sophisticated case led the U.S. municipality of WestLake-Gladstone to pay out nearly half a million USD to an unknown criminal organization, out of an annual budget of 7 million USD. Quite ordinarily, by bank transfer. The attackers had deliberately chosen the vacation season. Several smaller transfers of less than USD 10,000 each could be executed unnoticed for 17 days until the outflow was discovered and stopped. Another USD 50,000 could still be saved; the rest of the money is gone.

If normal money transfers have been made, then the recipients can be traced, can't they? No, not if you recruit a dozen unsuspecting private individuals. In North America, reports of fictitious job advertisements have recently been piling up. In these cases, jobless people are identified via advertisements on normal job boards and targeted via social networks, and a job offer is made. The companies have websites, their letters have standard letterheads and are signed by important-sounding people. Company registration numbers are also printed. Everything looks completely normal. The jobs are attractive because, as is not uncommon nowadays, employees can work from home. Brazenly, one or even several interviews are then conducted by the HR manager or the supposed supervisor, in which the candidates are asked about their background, work experience and education. After that, they happily sign their supposedly normal employment contract.

After that, they are trained and receive their first assignments. As a rule, some payments have to be processed and, because something formal in the hiring process has supposedly not yet been completed by the HR or finance department, they are asked to handle them via a private account and then settle the amount as expenses. Or some similar pretext. And if the new employees refuse to handle transactions in the name of the company privately, they are instead told to select and buy their new notebook via a certain web store in accordance with the "Bring your own Device" policy, pay for it with a private credit card and then settle it via an expense report.

In the example of the WestLake-Gladstone community, 18 people were hired to take payments from the community, convert them into Bitcoin, and forward them to the criminals. And, of course, they did so unaware of what they were doing. Particularly popular targets are recent immigrants who have not yet gained a foothold in the labor market and are unfamiliar with local customs. Through these detours, the traces were covered, and only the 18 exploited fictitious employees could be located.

But how did the payments from the municipality come about? Apparently, at least one employee of the municipality fell for a phishing email and clicked on a link. Once this workstation was infected, the attackers worked their way in. In this case, they seem to have found at least part of the e-banking access data. They then changed the e-banking password and all verification questions. And then they started transferring a series of smaller amounts to their fictitious "employees", which would not be noticed immediately. And thanks to the vacation period, it took 17 days to stop the outflow.

Is e-banking access mandatory for such an attack scenario? Not necessarily, but it probably allows control steps to be skipped in most companies. Alternatively, it would also be conceivable to create fictitious creditors and vendor documents in the ERP system. Depending on the authorizations of the compromised user accounts, one can release these oneself, or at least feed them with seemingly usual purchased services and inconspicuous sums and hope for uncritical release.
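The two variants just described, a series of sub-threshold transfers to freshly added payees (WestLake-Gladstone) and a compromised user creating and releasing their own creditor payments in the ERP system, both leave traces in the payment ledger that a periodic review can pick up. The following is an added example, not code from the original article or from any organization it mentions, of a small review script run over a constructed sample ledger. It flags three signals: a payee that has never been paid before, a payment created and released by the same user (a four-eyes violation), and more than a set number of sub-threshold payments to one new payee within a 17-day window. The threshold, window length, limit and all records are assumed values.

```python
"""Added example (not from the original article): screening outgoing payments
for the fraud patterns described above. All data below is constructed."""
from collections import defaultdict
from datetime import date

# Constructed sample ledger. Each record: who created the payment and who
# released it, so that a single-person create-and-release can be detected.
PAYMENTS = [
    {"id": "P1", "date": date(2019, 7, 1),  "payee": "Office Supply Ltd", "amount": 2400,  "created_by": "alice", "released_by": "bob"},
    {"id": "P2", "date": date(2019, 7, 2),  "payee": "J. Miller",         "amount": 9500,  "created_by": "alice", "released_by": "bob"},
    {"id": "P5", "date": date(2019, 7, 3),  "payee": "R. Chen",           "amount": 7200,  "created_by": "alice", "released_by": "bob"},
    {"id": "P3", "date": date(2019, 7, 5),  "payee": "J. Miller",         "amount": 9800,  "created_by": "alice", "released_by": "bob"},
    {"id": "P4", "date": date(2019, 7, 9),  "payee": "J. Miller",         "amount": 9900,  "created_by": "alice", "released_by": "alice"},
    {"id": "P6", "date": date(2019, 7, 15), "payee": "Power Utility",     "amount": 12500, "created_by": "alice", "released_by": "bob"},
    {"id": "P7", "date": date(2019, 7, 30), "payee": "J. Miller",         "amount": 9700,  "created_by": "alice", "released_by": "bob"},
]

# Payees already on the vendor master before the review window (constructed).
KNOWN_PAYEES = {"Office Supply Ltd", "Power Utility", "Payroll Provider"}

REPORTING_THRESHOLD = 10_000   # assumed: amounts below this get less scrutiny
WINDOW_DAYS = 17               # assumed: look-back window for the series rule
MAX_SUBTHRESHOLD_PER_PAYEE = 2 # assumed: more than this many is suspicious


def review_payments(payments, known_payees, threshold=REPORTING_THRESHOLD,
                    window_days=WINDOW_DAYS, max_per_payee=MAX_SUBTHRESHOLD_PER_PAYEE):
    """Return a dict of findings keyed by rule name."""
    findings = {"self_release": [], "new_payee": [], "sub_threshold_series": []}

    # Rule 1 and 2: walk the ledger in date order, tracking payees seen so far.
    seen = set(known_payees)
    for p in sorted(payments, key=lambda r: r["date"]):
        if p["created_by"] == p["released_by"]:
            findings["self_release"].append(p["id"])      # four-eyes principle violated
        if p["payee"] not in seen:
            findings["new_payee"].append(p["id"])         # first payment ever to this payee
            seen.add(p["payee"])

    # Rule 3: for each new payee, find the densest run of sub-threshold payments
    # within any window of `window_days` days (sliding-window count).
    by_payee = defaultdict(list)
    for p in payments:
        if p["payee"] not in known_payees and p["amount"] < threshold:
            by_payee[p["payee"]].append(p["date"])
    for payee, dates in by_payee.items():
        dates.sort()
        best, start = 0, 0
        for end in range(len(dates)):
            while (dates[end] - dates[start]).days > window_days:
                start += 1
            best = max(best, end - start + 1)
        if best > max_per_payee:
            findings["sub_threshold_series"].append((payee, best))
    return findings


if __name__ == "__main__":
    for rule, hits in review_payments(PAYMENTS, KNOWN_PAYEES).items():
        print(f"{rule}: {hits}")
```

In a real finance process the ledger would be read from the ERP export and the known-payee set from the vendor master; the point of the example is that none of the three signals needs e-banking logs, only the data the organization already holds.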

Or, in a still rare but interesting case that outlines the future of social engineering attacks, an employee was instructed by the "CEO" over the phone to transfer 220,000 British pounds to a supplier. Artificial intelligence was used to imitate the CEO's voice so well that the employee was completely convinced he had spoken to the CEO personally, and transferred the sum.

Ransomware-as-a-Service

And the last way to make money from cybercrime is to position yourself as a criminal service provider. With Ransomware-as-a-Service, for example, even those who would not be able to do so themselves can launch a ransomware attack. The recently published results of the infiltration of the LockBit hacker gang by security specialist Jon DiMaggio give an interesting insight into the business model. A decentralized organization with profit sharing is emerging. Even a bug bounty scheme has been launched: 1 million US dollars has been offered to any researcher or criminal who can find out, via security holes in LockBit, who is behind the avatar "LockBitSupp".

For the victim, a ransomware-as-a-service attack is not much different from any other ransomware attack. However, the circle of attackers well equipped with professional tools is expanding.

What countermeasures should be taken?

Unfortunately, there is no simple answer. If it had to be reduced to one statement: in Switzerland, the board of directors of a company has a duty to implement a company-wide, integral risk management system. Today, information security risks must be part of any company-wide, integral risk management and must not simply be left uncritically to the "IT department".

What do we learn from the examples of attacks described above? Professional, technical protective measures are useful. For example, a well-functioning backup on sufficiently isolated infrastructure makes data recovery after a ransomware attack possible, but does not prevent data theft.

But in addition to this technical view, we must also take note from the examples that attacks are no longer directed only against technical systems, but are now increasingly and ever more brazenly directed at people. Loosely quoting Frank Abagnale, the reformed con man and now longtime FBI agent made famous by the movie "Catch Me If You Can": "At the beginning of every security incident is a person who did something they shouldn't have done or didn't do something they should have done." Technical systems are becoming more secure. Employees are not keeping up and are becoming the primary target of attack. Who clicks on links in fake emails? The people who receive them. Who enters a transfer in e-banking on behalf of a CEO? A human. Who keeps a password for each user account that is a) separate and never used more than once, b) kept secret, c) randomly combined, d) contains upper and lower case letters as well as special characters, and e) has at least 8 characters (preferably more)? Unfortunately (almost) nobody. Many more incidents are likely to follow.