There are Different Types of Cybercriminals: Which are the Most Dangerous?

When we speak about cybercrimes, such as phishing and malware attacks, we tend to lump cybercriminals into one category but there are many different types of cybercriminals. They are not all motivated to steal credentials that lead to some sort of financial theft. While those types of crimes do occur, it is important to distinguish between the different types of cybercriminals that comprise today’s threatscape.

Here are cybercriminal examples in operation today:

  • Nation-states: Most notably China, Iran and other nation-states looking to steal and infiltrate data.
  • Hacktivists: Activists or groups (like WikiLeaks) seeking to steal data and release it publicly.
  • Professional Cybercriminals: This group (led by technologists turned cybercriminals) does the most damage, particularly to financial institutions, retailers, e-commerce businesses and governments. This group actually creates more fraud, remediation work and reputational damage than the other types of cybercriminals combined.

Regardless of which type of cybercriminal you’re dealing with, it is important to identify who that bad guy is. That’s where enterprise security intelligence comes into play. This new technology, powered by big data, can help you locate and take legal action against a particular cybercriminal, or at least put the right countermeasures in place against that criminal and his behavior.

Which types of cybercriminals have you encountered in protecting your organization? Share your experience in the comments section below.

Negative reinforcement: How NOT to improve user behavior

One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy.

Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate goal of security is to protect a network, not give users a reason to DDoS it.

For effective security awareness, keep it focused

In their book “Switch: How to Change Things When Change Is Hard”, authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance.

The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off their smallest debts first – regardless of interest rates. Although this flies in the face of conventional financial wisdom, it is a lot easier for people to remain focused by paying off a $200 debt than it is to pay off $200 of a $20k debt. It’s easier for our brains to process manageable changes, and when we feel like change is manageable, we’re more likely to implement it.

Top Phishing Concerns of DNS Providers

Twitter and the New York Times were hacked this week, officially joining the ranks of other major news organizations, including the Financial Times and the Washington Post, that have been targeted by hackers over the past few months.

So, how’d it happen?

Three things: hacker groups, DNS providers and spear phishing.

The Syrian Electronic Army (SEA) appears to be taking credit for this attack, as its logo was prominently displayed at NYTimes.com when the site was compromised. The SEA, a hacker group protesting Syrian President Bashar al-Assad, launched the attack in order to generate high-profile awareness of its political agenda.

Why DNS Providers Are Targeted by Cybercriminals

The nature of this attack is consistent with several other recent cyberattacks, in that the DNS provider was targeted in order to carry out the attack. Melbourne IT, the New York Times’ registrar, was the victim of a spear phishing attack that gave members of the SEA access to the Times’ DNS manager. DNS providers are among the businesses most targeted by cybercriminals, ranking alongside large financial institutions and major retailers as lucrative targets. There are two primary reasons for this:

  1. Once a cybercriminal gains access to a customer account, that customer’s DNS records can be changed to whatever the cybercriminal wants them to be.
  2. Gaining access to the DNS provider’s own employee accounts gives the cybercriminal control over many different domains at once, creating an opportunity to launch a large-scale attack.
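Because a hijacked account lets an attacker rewrite NS, A or MX records at will, the defender's counterpart to the first point is to keep a known-good baseline of each zone and alert on any drift. The following is an added example (not code from PhishMe or from any DNS provider); the zone name, baseline and observed answers are constructed for the demo, and a real monitor would fill `observed` from a resolver on a schedule instead of from a literal.

```python
"""Detect unauthorized changes to a domain's DNS records by comparing a
stored known-good baseline against freshly observed answers.

Added example: the domain, baseline and observed records below are
constructed and do not describe any real zone."""
from dataclasses import dataclass

# Record types worth baselining: NS, A/AAAA and MX decide where the zone,
# the website and the mail resolve, which is exactly what a hijacker rewrites.
WATCHED_TYPES = ("NS", "A", "AAAA", "MX")


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    expected: tuple
    observed: tuple


def normalize(values):
    """Lower-case, strip trailing dots and sort.  DNS names are
    case-insensitive and answer order varies between queries, so neither
    difference should raise an alert."""
    return tuple(sorted(v.lower().rstrip(".") for v in values))


def compare_records(baseline, observed):
    """Return one Finding per watched record set that differs from baseline.

    baseline/observed have the shape {domain: {rtype: [values]}}.  A type
    present in the baseline but absent from the observation counts as drift,
    since a hijacker can delete records as well as change them."""
    findings = []
    for domain, expected_sets in baseline.items():
        seen_sets = observed.get(domain, {})
        for rtype in WATCHED_TYPES:
            if rtype not in expected_sets:
                continue
            expected = normalize(expected_sets[rtype])
            seen = normalize(seen_sets.get(rtype, []))
            if expected != seen:
                findings.append(Finding(domain, rtype, expected, seen))
    return findings


# Constructed baseline, captured while the zone was known to be good.
BASELINE = {
    "example-news.test": {
        "NS": ["ns1.registrar.test.", "ns2.registrar.test."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example-news.test."],
    }
}

# Constructed observation after a hijack: NS and A were rewritten,
# MX differs only in letter case and must not alert.
OBSERVED_HIJACKED = {
    "example-news.test": {
        "NS": ["ns1.attacker-dns.test.", "ns2.attacker-dns.test."],
        "A": ["198.51.100.7"],
        "MX": ["10 MAIL.example-news.test."],
    }
}

if __name__ == "__main__":
    for f in compare_records(BASELINE, OBSERVED_HIJACKED):
        print(f"ALERT {f.domain} {f.rtype}: expected {f.expected}, observed {f.observed}")
```

Run against `OBSERVED_HIJACKED`, the function reports two findings (NS and A) and stays silent on the case-only MX difference; comparing the baseline against itself yields nothing. Normalizing before comparison is what keeps the monitor from paging on harmless resolver variation while still catching a deleted or rewritten record set.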

Top Phishing Concerns of DNS Providers

  • Spear phishing is increasing in frequency. A spear phishing attack happens when cybercriminals launch a targeted attack against specific individuals whom they believe can give them access to the information, credentials or infrastructure they need to carry out their attack. In the case of the New York Times attack this week, the spear phishing attack was launched against employees of a reseller of Melbourne IT.
  • Hacktivism is becoming part of the “new normal” when it comes to the cybersecurity landscape. In attacks such as this, the goal is not to obtain customer credentials and access account information to procure funds. Instead, the goal is exposure. As Sun Tzu states, know your enemy.
  • Brand Loyalty/Customer Relationships suffer even if just one attack is successful. If a DNS provider fails to protect customer accounts from being accessed by cybercriminals, customer loyalty will be damaged and brand integrity will suffer long-term consequences.

What DNS Providers Can Do

The most important thing that DNS providers can do is focus on email.

When it comes to launching these attacks, cybercriminals almost always launch a phishing attack via email. That’s why email-based threat intelligence is so important. If you are using security intelligence appropriately, you can identify the source of a threat and even stop an attack before it happens.

Additionally, it’s important to take a look at which players in your organization have access to information that could be appealing to cybercriminals. There is another word for these employees: targets. Adjust the security level for these folks to provide additional protection against these kinds of attacks.

Share your thoughts. How can DNS providers protect themselves against phishing?

To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

To improve security awareness, think marketing

Security awareness is a term that often makes IT security pros cringe. It brings to mind images of mind-numbing training or of ineffectual posters and stress balls urging employees to change their passwords frequently.

Based on years of experience working with enterprises and other large organizations, we are launching a new blog series, “7 Principles Critical to Security Awareness Programs”, that will offer some insight into concepts we have incorporated in our solution to demonstrably improve security awareness for our customers.

The first topic we will address is marketing.

Changing behavior is one of the greatest challenges security officers face when implementing security awareness programs. Convincing people to change is hard in any arena, but when it comes to security – an area which most users neither know nor care much about – it’s especially difficult. We can learn a lot about changing behavior from a source security pros are often wary of: marketers.

An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.” Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.

What is the definition of phishing?

According to a recent infographic produced by Via Resource, 37.3 million users were subject to phishing attacks in 2012, but what definition of phishing is being used? What does phishing actually mean?

As consumers increase the amount of time that they spend online, cybercriminals are ramping up their productivity – launching larger, more efficient and increasingly targeted attacks against brands both in and outside the financial services industry.

PhishMe delivers email-based anti-phishing solutions. Through our interactions with prospects and customers, we’ve realized that there are several different definitions of phishing floating around and that often the term “phishing” is used interchangeably with terms like “malware” and “spam”.

What’s in a word? Well, it’s an important distinction. While phishing, malware and spam are all rampant in today’s threatscape, they are not one and the same. Pure phishing threats are analyzed and acted upon differently than spam and malware.

A general definition of phishing by Wikipedia:

“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

Phishing is, admittedly, a wide-reaching term. There are several ways to carry out a phishing attack, which is likely where some of the confusion comes into play. In the broad sense, you could say that phishing is any attempt by a cybercriminal to steal credentials. This can be carried out via a phishing website where the victim is prompted to enter credentials, or via a malicious executable.

At PhishMe, we categorize a malicious threat as phishing according to the following two rules:

  1. If the page is representing a brand and asks for any login/personal information.
  2. If the URL is not, say, “companyname.com”, and a WHOIS lookup shows the domain is not registered to that company. So, if the URL is ilikepuppies.com and the page displays the logo of a major brand, it is trying to make itself look like that major brand.
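The two rules above can be written down as a small classifier that takes what an analyst has already extracted from a harvested page (the brand it displays, whether it asks for credentials, its URL) and applies the domain and WHOIS checks in turn. This is an added example, not PhishMe’s own code: the brand table, the WHOIS answers and the sample pages are constructed, and `lookup_registrant` is a stand-in that a real deployment would replace with a WHOIS client. It also covers one case the text only implies, a brand name placed in a subdomain of an unrelated host, which the registrable-domain step catches.

```python
"""Classify harvested pages with the two-rule phishing test:
Rule 1: the page represents a brand and asks for login/personal information.
Rule 2: the URL's domain is not the brand's own, and WHOIS does not show the
        brand as registrant.

Added example, not PhishMe's code.  Brand table, WHOIS data and sample pages
are constructed for the demo."""
from urllib.parse import urlsplit

# Constructed: brand -> registrable domains it is known to own.
BRAND_DOMAINS = {"ExampleBank": {"examplebank.test"}}

# Constructed: brand -> registrant organization names WHOIS would show for it.
BRAND_REGISTRANTS = {"ExampleBank": {"examplebank corp"}}

# Constructed stand-in for WHOIS: registrable domain -> registrant organization.
WHOIS_REGISTRANT = {
    "examplebank.test": "ExampleBank Corp",
    "examplebank-secure.test": "ExampleBank Corp",   # brand-owned but not in BRAND_DOMAINS
    "ilikepuppies.test": "Privacy Proxy Inc",
}


def registrable_domain(host):
    """Last two labels of the host.  Assumes a single-label public suffix
    (.com, .test); ccSLDs such as co.uk need a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_registrant(domain):
    """Stand-in for a WHOIS query; None when no record is available."""
    return WHOIS_REGISTRANT.get(domain)


def classify(url, brand_shown, asks_for_credentials):
    """Return (is_phishing, reason) for one harvested page."""
    # Rule 1: no brand impersonation plus credential request, no phishing verdict.
    if not (brand_shown and asks_for_credentials):
        return False, "rule 1 not met: no brand impersonation with a credential request"
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    # Rule 2a: the brand's own domains are legitimate whatever subdomain is used.
    if domain in BRAND_DOMAINS.get(brand_shown, set()):
        return False, f"rule 2 not met: {domain} is a known {brand_shown} domain"
    # Rule 2b: a domain WHOIS-registered to the brand is also legitimate.
    registrant = lookup_registrant(domain)
    if registrant and registrant.lower() in BRAND_REGISTRANTS.get(brand_shown, set()):
        return False, f"rule 2 not met: {domain} is WHOIS-registered to {registrant}"
    return True, (f"phishing: {brand_shown} branding and credential form on {domain} "
                  f"(registrant: {registrant or 'unknown'})")


# Constructed sample pages: (url, brand displayed, asks for credentials).
SAMPLE_PAGES = [
    ("https://login.examplebank.test/auth", "ExampleBank", True),            # legitimate
    ("https://examplebank-secure.test/login", "ExampleBank", True),          # legitimate via WHOIS
    ("https://ilikepuppies.test/secure/login", "ExampleBank", True),         # phishing
    ("https://examplebank.test.evil-host.test/login", "ExampleBank", True),  # phishing: lookalike subdomain
    ("https://ilikepuppies.test/", None, False),                             # clean: no brand, no form
]


def run_samples():
    """Classify every sample page; returns {url: is_phishing}."""
    return {url: classify(url, brand, creds)[0] for url, brand, creds in SAMPLE_PAGES}


if __name__ == "__main__":
    for url, brand, creds in SAMPLE_PAGES:
        verdict, reason = classify(url, brand, creds)
        print(f"{'PHISH' if verdict else 'clean'}  {url}: {reason}")
```

Note the order of the checks: the brand’s own domain list is consulted before WHOIS, so a registrar outage or a privacy-proxied record never turns a legitimate login page into a false positive, while an unknown registrant on an unrelated domain still yields the phishing verdict the second rule calls for.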

What’s the difference between Phishing and Malware?

The relationship between phishing and malware is a bit blurry, mostly because they often work together to achieve the goal of the cybercriminal. In fact, the term “malware” is often included in phishing discussions.

That being said, here is Wikipedia’s malware definition:

“Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.”

“…Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or Trojans rather than viruses…”

One key distinction is that not all malware is delivered via email. Malware converges with phishing when it is being used as an accessory to execute the phishing attempt.

When it comes to defining today’s malicious threats, where do you encounter confusion? How do you differentiate between them? Share your thoughts in the comments section below.