Cybersecurity Landscape

Home , Crimeware, Cryptovirology, Phreaking

Paul Love Chief Information Security Officer, CO-OP Financial Services Topics

§ Impact

§ Motivations

§ How

§ The Future

§ Open Q&A Cybercrime Stats

Cybercrime economy is In the past year, security SMB’s are targeted 43% of expected to grow to at least breaches have increased by the time in cyber attacks 1.5 Trillion each year >11% and by 67% in the last five years

Ransomware attacks to Ransomware attacks Cybercrime kits can be increase 5x by 2021 occur every 14 seconds purchased for as little as $1 on the dark web and online marketplaces Impact

Average cost of a malware attack Average cost per record of a breach on a company

Source: IBM 2018 Cost of a Data Breach Source: Accenture

By 2021, damage related to cybercrime is projected to hit

Annually Source: Cybersecurity Ventures Motivations Vernacular of Hacking

Motivation Labels Skill Labels Motivation/Support

§ Hacker (white hat) § Elite Hacker § Lone attacker § Grey Hat § Script Kiddie § Hacktivist § Bad Hacker (black hat) § Neophyte/Noob § Nation State § Blue Hat § Organized Criminal Gangs (OCG) History

1989 1992 2001 2013 First Ransomware 1260 Polymorphic Code Red Target/Yahoo detected (PC Cyborg) Virus 2003 2014 1993 Blaster Sony 1988 First DEFCON Morris Worm Conference 2005 CardSystems 2015 1994 Solutions Ashley Madison Citibank 1986 Computer Fraud 1996 2007 2016 and Abuse Act Cryptovirology TJ Maxx Bangladesh (basis of Modern Bank Robbery Ransomware) 2009 1983 2000 Conficker Wargames ILOVEYOU 2010 Movie Worm Stuxnet

1950 1960 1970 1980 1990 2000 2010

Late 50’s – Late 70’s Late 80’s – Late 90’s 2000’s and Beyond Phreaking/System Hacking Increases Monetary/Political attacks Exploration Nation State Why

§ Money § Resources (medical) § Impersonation for non monetary (criminal arrest) § Extension of Political goals § Other (prestige, etc.) How Cybercrime Business Model

PAST CURRENT

Individual or small team who § (Cybercrime as a Service or CAAS) created malware, delivered § Project Manager malware and exploited malware. § Coder/Malware developer § Bot herder (as needed) § Intrusion Specialist § Data Miner § Money Specialist

These roles can be further specialized to component parts, initial access tools all the way to full service models High Level Overview

One third of all security incidents began with a phishing email

Source: Trend Micro Cybercrime as a Service (CAAS)

Can consist of specializations Malware as a service Counter AV as a Service Ransomware as a service Fraud as a service Escrow Services Drop Services And others Costs

Type Amount

Server Hacking Approximately $250

Home Computer Hacking Approximately $150

Creating Malware Approximately $200

Bulk Stolen Data depending on gigabytes stolen

Hack Service Rental (depending on size) $200 - $1000

Varies depend and can include fixed fee Full project hack (end to end) or portion of proceeds Tools

Networks Approaches

§ Deep Web § Watering Hole attacks § Dark Web/Darknet § Malvertisements § Public/Internet/Clearnet § DDOS § Botnets § Ransomware § Malware BlackHat – DefCon Security Conference

§ Hacker conference discussing new trends, attacks and intelligence sharing

§ Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities.

§ Key learnings § Crime as a Service is growing § IoT, Vehicles and Voting Machines can be hacked in minutes § Thermostats and other IoT are susceptible to ransomware § Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay1. § Mag Stripes are susceptible to guessing (brute force) allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses2.

1 http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/ 2 http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html Information Sharing

Source: https://www.hackaday.com Security Testing Tools Available

Source: https://www.hak5.org/ Resource for All Skill Levels

Source: https://www.darknet.org.uk/popular-posts/ The GozNym Criminal Network: How It Worked 1 Sourcing the Malware The leader of the criminal network The developer (from Orenburg, Russia) worked with coders (from Tbilisi, Georgia) leased access to create GozNym, a sophisticated piece of malware to steal to the malware from a developer. online banking credentials from victims’ computers.

2 Recruiting Accomplices The leader recruited other cybercriminals with specialized skills and services which they advertised on underground, Russian-speaking online criminal forums. 3 Covering Their Tracks The leader and his technical assistant (from Kazakhstan) worked with ’crypters’ (including one in Bali, Moldova) to crypt the malware so antivirus software would not detect it on the victims’ computers.

Crypters 4 Distribution and Infection Spammers Spammers (including one in Moscow, Russia) sent phishing emails to hundreds of thousands of potential victims. The emails were designed to appear as legitimate business emails and contained a malicious link or attachment

When clicked, the victims’ computer was redirected to a malicious domain on a server hosting a GozNym executable file. This file downloaded GoxNym onto the victims’ computers. Many Sites to Support Attackers

Remote Administration Spreaders

Other Services § Full fledged services (MAAS) § Marketing services § Training § Support Philadelphia RaaS Example

(criminals) run their business the same way a legitimate software company does to sell its products and services. While it sells Philadelphia on marketplaces hidden on the Dark Web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options.

Source: https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/ Phishing as a Service Example

The Fake-Game website offers VIP account for high costs (with more services available) Some statistics from this site were a total of around 60,000 subscribers and almost 680,000 credentials stolen (2016 data)

Source - https://www.fortinet.com/blog/threat-research/fake-game-the-emergence-of-a-phishing-as-a-service-platform.html Ransomware as a Service Example

Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/free-ransomware-available-dark-web Emerging Business Models

Tox – is free and only takes 20% of the ransom as it’s business model

Subscription access to popular backdoor services — attacks that get around traditional security mechanisms like firewalls and other forms of authentication — can now be found for as little as 40 or 50 dollars a month. Subscriptions to phishing attacks are even cheaper, with some going for as low as just a few dollars a month.

Source - https://securingtomorrow.mcafee.com/other-blogs/mcafee- Source: https://www.recordedfuture.com/crimeware-as-a-service-affordability/ labs/meet-tox-ransomware-for-the-rest-of-us/ The Future

§ Nation State § More sophisticated criminal networks § More focus on small to medium sized businesses as targets of opportunity How to Protect Yourself and Company

§ User education

§ Don’t click on links in emails you weren’t expecting

§ Don’t download or click on attachments in emails

§ If it feels suspicious, assume it is and contact your security team

§ Keep systems and antivirus patched Thank You.

Paul Love Chief Information Security Officer

[email protected]