If you could sit down and have a face-to-face, open conversation with a cyber criminal, what do you think they would tell you?
In this fictionalised interview, we attempt to look at cyber crime from their perspective.
How did it all start?
I can’t say that it was a planned career move or anything like that, in fact quite the opposite. Maybe more a case of ‘right place at the right time?’ But even that sounds wrong. Perhaps myself and the others are just members of the disenfranchised millennials who found that traditional IT work was relatively mundane and our more modern technical skill sets were totally undervalued in the offers of employment we had, so we looked elsewhere.
What you have to remember is that so much of cyber crime goes unreported due to its relatively low value. I mean companies can lose £200 here, £1000 there, it’s not going to bring them down, but the time and effort it will take them to investigate it, report it, is too much for the value of what they have lost. Is this just ‘luck’ on their part? Of course not, it’s designed that way. Our focus is not about stealing £100,000,000 from one company, but a few thousand pounds from a few thousand companies. The beauty of cyber crime is that it scales.
Who do you target?
How do I select a ‘client’? I profile them. Just a few simple questions – Who has large amounts of personal data? What kind of industry is NOT at the cutting edge of technology – i.e., still using Windows XP, and a company that is taking regular payments – preferably on credit card.
If they have a social media presence, so you can find out the names of some staff, even better. Once you have the format of a company’s email address, you can target them relatively easily with a phishing attack.
We use basic phishing strategies, typically sending e-mails to obtain sensitive information such as passwords, and company employees often unwittingly download malware. Some of these vulnerabilities are easily mitigated, including getting employees to periodically reset passwords and avoid downloading suspicious messages, but rarely do they do it.
My personal favourite, my tool of choice, is to get a key logger remotely installed across the company. Companies that take credit card details have to physically type them into their payment system – especially if it’s a recurring payment – so a key logger grabs all that and sends it to me as a string of characters. I can parse that using some custom software and then I have a complete active credit card – name, address, card number and security code.
From here we will swiftly take a payment, never a round number like £100, but more £449, or £735. We randomise the payments we take across the vast active field of cards we have, just to add a bit of ‘white noise’ to the process. We are not greedy and usually only take one payment, then the active cards are posted to the dark web and put up for auction. It’s a case of get the card, get the payment, move on.
Are you afraid of getting caught?
The Police are relatively powerless at the moment – not that things are not improving, but their investigation cycles are so long that the trail goes cold within hours – not days, or weeks as they are more accustomed to. Added to which, cyber crime knows no physical boundaries, so funds can be moved across regions, across countries, through multiple currencies and back – these boundaries most Police forces cannot cross without an element of collaboration, which is not there for them right now.
For us as well the crimes undertaken are designed to take advantage of the shortfalls in all the systems right now, from our targets, to the way crimes are investigated.
How do you get paid?
Moving funds around is relatively straightforward; the payments are taken from the obtained data straight into a shell company that is held overseas in a country whose banking system is not regulated as tightly as those in the Western world. Countries that have political or economic turmoil are highly attractive too, because they have bigger issues to deal with than what we are up to.
We will use intermediaries who will take a commission and pass the proceeds back to us via a range of methods, my personal favourite is through gaming networks. Yes, gaming networks. Funds are converted to gaming credits, used to purchase items from a third party, those third parties can then convert their credits into real cash. Nice eh?
How long will this last?
Myself and my team know that we are in the ‘wild west’ days of cyber crime right now; things change constantly. All aspects of security are improving, but just as they improve, new tools and techniques for circumventing them appear. Added to which, as new technology trends appear (mobile, IoT), there is a window of opportunity for us. So we take it.
Cyber crime, like any aspect of technology, will evolve. Companies and individuals can easily make themselves less of a target should they choose, but they lead busy business lives, they are busy innovating and doing their business. So busy in fact that losing a bit of cash here and there to cyber crime is sadly for them becoming almost just part of modern business life.