Digital Guardian Podcast - Episode 04: The Current Cybercrime Landscape with Dan Cohen and Will Gragido
The fourth episode of our podcast is here, with RSA Fraud and Risk Intelligence's Dan Cohen joining us for a discussion around the tactics and demographics behind cybercrime today as well as the commercialization of the digital underground.
If you ask guest Dan Cohen, director of product management for RSA Fraud and Risk Intelligence, 2016 was the "Year of the Phish." This episode focuses on the growth and development of cybercrime in recent years, with Dan bringing insights from over a decade of experience tracking these activities on the underground. We hope you enjoy!
Highlights from this episode include:
- 1:00 - 2016: The Year of the Phish and the driving forces behind a record year for phishing attacks
- 2:30 - The commercialization of cybercrime and the shift to a service-based marketplace
- 8:00 - The demographics of cybercrime
- 13:45 - Current trends in cybercrime targeting businesses, including ransomware and business email compromise attacks
- 16:15 - The role of social media in facilitating online criminal activity
- 21:00 - Tips for protecting against common cyber attacks
[0:00:08.6] NL: Hello and welcome to Episode 04 of the Digital Guardian Podcast. I’m your host, Nate Lord, and joining me today are my cohost, Will Gragido, as well as special guest, Dan Cohen. Dan is head of product management for RSA Fraud and Risk Intelligence, and we’re really excited to have him on board. Dan and Will, thanks for taking time to join us today. Why don’t you guys take a couple of minutes to introduce yourselves?
[0:00:28.6] WG: Thanks, Nate. Hi everyone, my name is Will Gragido, I’m the director of advanced threat protection here at Digital Guardian.
[0:00:34.5] DC: Hi everybody. My name is Daniel Cohen, I head product management for RSA’s Fraud and Risk Intelligence Division, and we help protect millions of consumers from different types of attacks, mainly targeting their wallets and credit cards and bank accounts.
[0:00:48.0] WG: Important things.
[0:00:48.8] NL: Awesome, yeah. Yeah, we’re excited for today’s episode. We’re going to focus on some current events in cybercrime and fraud and we’re really excited to have Dan bringing some insights from his work to our discussion.
So, guys, let’s start off with a threat that’s as old as computers themselves; we’re talking about phishing attacks. Dan, you mentioned you’ve seen recently an increase in phishing attacks. Can you fill us in on what’s going on there?
[0:01:12.1] DC: Sure. Yeah, that’s an interesting way to open it; as old as computers, and it’s actually true. Phishing basically — in phishing attacks, the attacker is trying to social engineer, or basically get the end user or the person that they’re attacking, get the end user to divulge personal information, and we’ve been tracking and carrying out anti-phishing operations for over a decade now. I think we started way back in 2004.
Tracking the volumes of phishing and kind of tying that also to the maturity of the underground and the cybercrime landscape, phishing, over the years, has constantly grown. We used to see on average about 10% to 12% increase year over year, but 2016 was definitely the year of the phish, if you want to coin it that way, where we saw an increase of over 240% year over year.
If in 2015 we were handling about half a million attacks, in 2016, we closed off the year with nearly 1.3 million attacks that were launched around the world. It’s a very significant increase for a crime as old as computers.
[0:02:21.7] NL: Wow! Yeah. What do you think would drive that increase just in the past couple of years? Any particular factor you’ve seen?
[0:02:28.3] DC: I think phishing is basically digital pickpocketing. It’s the oldest trick in the book and it works. When you look at what the bad guys are doing and their evolving tactics, they might improve the way that they carry out the social engineering and improve the story behind the social engineer. At the end of the day, they’re still leveraging phishing to trick individuals, to trick end users into carrying out some kind of action.
I think with the recent year and looking at, again, the evolution of the cybercrime market place and the tools that are available out there, the fact is that a lot of the tools have become free. When you look at malware, when you look at ransomware specifically, these tools are now free and available for anyone basically to use. More so, they’re also becoming available as a service. It becomes easier. If you want to launch an attack, you no longer have to figure out malware development. You can basically find it in a software as a service type offering.
When you add that to the fact that it’s incredibly easy to launch a phishing attack, it kind of explains this huge increase throughout 2016 where we’re seeing a lot of these bad guys, or script kiddies, leveraging the ease of phishing with the ease of getting their hands on ransomware tools and malware tools in general to launch the attacks.
In short, it’s the ease of launching a phishing attack together with the ease of getting your hands on malware tools. Those two things together basically explain the huge increase in phishing.
[0:04:02.4] WG: That’s actually a really interesting point. The ease of accessibility, whether it’s to the tools themselves or the services, has really broadened and increased the probability of the attacks. Do you see more individuals outsourcing this type of activity then, Dan, from your experience or from your team’s experience, or are we seeing more folks operating as individuals without the aid of a third party?
[0:04:23.0] DC: That’s a good question. Back in the day, cybercrime was a lot more about small groups, or very experienced and skilled individuals carrying out, basically, the entire crime. If I was a phisher, I basically have to figure out “How do I put together the phishing kit? How do I launch the attack itself? Where do I host it? How do I send out the emails?” Et cetera. Et cetera.
Over the years, specifically the last five to six years, cybercrime has become more of a service-based marketplace. To your question; do we see individuals leveraging this service-based economy? The answer is very much yes.
For example, if you wanted to hit an email list with 500,000 emails on it, you can find somebody who would offer that as a service. Last I checked, about $40 to $50 would be the cost of emailing 500,000 email addresses with your phishing attack. If you think about it, that’s really no money. You basically find some site, you compromise the site easily. If it’s a blogging site, you plunk your phishing attack on that server and then you pay somebody 50 bucks to launch the campaign against 500,000 emails. If you get a 10% success rate, which is pretty much the going rate for success of phishing attacks, then that’s you scoring 50,000 usernames and passwords, or 50,000 credit cards. Incredibly easy, incredibly accessible, and most definitely using this service-based economy to launch these attacks.
[0:06:01.2] NL: Dan, you mentioned a 10% success rate as kind of the going rate for phishing attacks today. Is that an open rate on those phishing emails, or literally 10% of what a cybercriminal might send out is successful in infecting a machine or extorting an end user?
[0:06:18.2] DC: The 10% is really kind of what the bad guys advertise. As this market has become more commercial, obviously there are more so-called vendors in the underground offering their services and they’re fighting basically over market share and customers. Usually, you will see when somebody promises success rates for their type of attack, it will be around the 10% to 12% success rate, which means of the 500,000 emails or X-number emails that you’re going to hit, 10% of them are going to fall victim to the phishing attack and provide their personal information.
Usually, that’s a metric that you kind of measure the success against. There are cases — again, the underground has become a very much service-oriented marketplace. Customer service is a very important element of this ecosystem. If you don’t get your 10% to 12% as agreed upon when you kind of struck this deal with the vendor, you could get your money back, they’ll agree to launch another attack for free, et cetera, et cetera. That’s kind of where the numbers come from.
[0:07:25.4] WG: Hey, Dan, this is Will. I’ve got a question in regards to that. In your experience, aside from the obvious, perhaps lack of skill set or infrastructure, do you see it as being a transference of risk opportunity and is that a major attraction for, I’ll say, less experienced criminals or less savvy criminals? Or even savvy ones who just want to be able to tap into that 10% that you were talking about a moment ago while at the same time establishing plausible deniability from an underground perspective? Is that a factor at all that weighs into this? Do the purveyors of the services know and understand that and still accept that risk on their side in order to gain greater and greater audiences from a business perspective?
[0:08:03.8] DC: That’s a good question. From our experience — and this is kind of going into the demographics of cybercrime and the different geo — not geopolitics, but the different — the geos and how they interact in this space called cybercrime. When you look at, maybe, the Russian speaking arena, deniability is a very key factor, and protecting their identity and sec-ops is a major factor as they’re carrying out their business.
When you kind of look at maybe Latin American cybercrime, West African cybercrime, the whole shifting of risk, the risk of, “Will I be caught by law enforcement?” is not so much a factor from what we see. Basically, they’ll leverage these services just because it’s easy and accessible and it saves them the work, because they’re pretty lazy, the so-called hackers that we’re talking about. They want to make a quick buck. They want to send out their phishing email, capture whatever thousands of credentials, and then sell them off to the next guy, and the next guy will — whatever — hack the accounts, or transfer the money.
If you consider this service-based marketplace, it saves me the effort and time, so I’ll just go ahead and pay this guy whatever it is, the 50 bucks to launch the campaign. I’ll get my credentials. I’ll steal the credentials. I’ll then sell them to the next person, and that’s my business. That’s me, my link in the cybercrime chain being fulfilled.
Again, to your question, it depends on who you are. Who you are, Mr. Hacker, and how important is it to you to shift the risk? Most of the world, the cybercrime world, it’s not that important. Obviously, some areas such as the Russian speaking space, maintaining security of identity and security of operation is a lot more important to them.
[0:09:50.9] WG: Got it. Excellent. That’s an interesting point; that it varies geographically. I guess, in a sense, that ties into the old idea that if you’ve got enough in the loose, the risk is worth the reward. Not that I’m encouraging crime [laughter]. I think from an acceptable risk perspective, it’s easy to understand why, to your point, in some geographic theaters, the risk is less of a concern than in others.
I would imagine some of that is due to sophistication and just how well or how seriously they approach their activity as a business versus just a way to make easy money.
[0:10:24.7] DC: Exactly. Coming back to kind of the geographies and the demographics of it, we’re speaking about the Russian speaking cybercrime landscape, which is, if you take a step back and look at it, this is the number one source of software tools, for example. A lot of the software tools, malware and whatever it is, a lot of it is sourced from the Russian speaking underground.
When you look at the Chinese speaking underground, a lot of it is about hardware. I would go as far as saying that the Russian speaking underground is number one in software, whereas the Chinese speaking underground is number one in hardware. Anything from sniffing, sniffing hardware, ATM hardware, skimming hardware, you can find that, a lot of that, happening in the Chinese speaking underground, and it’s an interesting conversation, because when you get into kind of the cultural aspect of it, it’s fascinating. When you’re in the Russian speaking space, you have to be very courteous, very professional in your dealings with the vendors. Or as a vendor, that’s very much expected.
Whereas when you’re in the Chinese speaking arena, it’s a lot more of a — almost, if you’d close your eyes and envision yourself walking down a Chinese marketplace and everybody is very loud and all these vendors are shouting what they’re selling, it’s very much — that’s kind of the experience of it; very loud, very fast-paced kind of marketplace and very untrusting also. They don’t like outsiders. So yeah — the demographics is an interesting conversation to have.
[0:12:00.7] WG: Interesting. Actually, you’ve piqued my interest in respect to something. I think my own experience, with regards to the deltas of sophistication with regards to software versus hardware. What’s interesting about that, and again, the hat being tipped with respect to software developments to the Russian speaking ecosystem versus the Chinese — but what’s interesting is what you’re talking about with regards to the nexus between cybercriminal activity and physical tools to achieve those ends. Whether it’s credit card scammers or whether it’s some type of sniffing device or another tool that’s used for actually gleaning information from a machine for financial purposes, does that also extend to infiltration of firmware in that particular cybercriminal ecosystem on devices? Are you seeing more of their efforts being targeted again more toward quick and easy ways to tap into the financial ecosystem on a global basis for credit cards and things of that nature?
[0:12:52.1] DC: I would say yes, but I mean we have to remember that when you’re tapping the cybercrime marketplaces, a lot of what happens there, the more vocal stuff that happens there is more kind of targeting consumers. You’ll see a lot more happening in the card skimming space, the ATM skimming space, because there’s a lot of mass in that.
Talking about firmware, if it’s tapping or hacking the phone manufacturing, the mobile phone manufacturing facility and getting your hands on the firmware in some way, you’re not going to see a lot of conversation, public conversation, happen, but it’s definitely there and at the end of the day you see it come out of those regions where phones are coming out and already hacked right out of the box. Yeah, the short answer would be yes.
[0:13:44.2] WG: Fascinating.
[0:13:45.2] NL: Guys, we’ve been talking a lot of phishing attacks and other scams being used against consumers and, generally, end users. Dan, what trends in cybercrime are you seeing targeting businesses today?
[0:13:57.0] DC: That’s a good question, Nate. Again, if I link that to this previous conversation we had about demographics and trying to explain the increase in phishing attacks and what we’re seeing — when you look at West African attackers, I categorize them as the mimickers, or the copycats, and they’ll wait for these tools to become free. As ransomware becomes free and accessible, you’re now seeing these small either individuals or very small teams out of West Africa and they’re now launching all these ransomware attacks across the globe.
Looking at the risk to companies and enterprises — obviously, ransomware has been very up there in the news. Again, it comes back to the fact that ransomware as a tool is now freely available; you could probably Google different ransomware tools and find the source code and then launch that attack.
Then, the other thing that we’re seeing a lot of is what is known as business email compromise, where it’s social engineering — it’s not a spear phishing attack per se, but it is a social engineering attack against a very specific individual within a company. Usually, what you’ll see is the CFO or the accountant within a firm will get an email from the CEO, or purporting to be from the CEO, saying “Hey, can you pay this invoice to this vendor? Here’s their bank account number. Transfer $10,000 to this bank account.”
Obviously, this accountant, they’re sitting there at their table, they get this email from the so-called CEO and they take action and they transfer the money. This problem, this challenge of business email compromise has grown significantly to the tune of billions of dollars that are being lost to these scammers. Again, it’s basically leveraging social media, looking through LinkedIn, looking for the accountants in these firms, finding them, and it’s not so much a needle in a haystack. Leveraging tools like LinkedIn, it’s very easy to identify these individuals. The emails come across and you can see that they’ve used Google Translate to form these emails, but they score.
Again, looking at these types of hackers, the bottom feeders if you will, they’re leveraging freely available tools, they’re leveraging social media, and they’re getting away with what might appear as small amounts of money per attack, but when you add them all up it’s billions of dollars that are being lost to these hackers.
[0:16:24.2] WG: That’s a good question, or that poses a good question. That makes me think of an interesting question, Dan. Are you seeing a shift in your work with the team more so focused on just intelligence harvesting, or data harvesting from those social media networks, or are you seeing actual infiltration and compromise of the networks themselves and then operations occurring within the context of a social media ecosystem, or are you seeing both?
[0:16:46.7] DC: What we’re seeing on social media, obviously, we’re seeing a lot of — or you don’t really see it, you can assume that the reconnaissance is taking place, because, again, considering the people that you’re dealing with and the fact that they don’t want to invest too much time in their attack, they’re going to use Facebook, they’re going to use LinkedIn to harvest information about individuals and then leverage that in their attacks. Obviously, if they get their hands on account information, if they get your Facebook account, they might use that to post stuff on your wall, links to infection; malware infection sites, et cetera, et cetera. We see that happening.
In terms of hacking or getting into the social media systems, we know from the past that that’s happening, but it’s not something that I can talk to. Again, it’s not so much our level of what we do here, but I will say that we were speaking about the commercialization of cybercrime earlier in this chat. Really, what we are seeing over the last year or so is pretty much the socialization of cybercrime. You can go online at this very moment, you can go on Facebook, if you search for the term CVV2 — with credit cards in mind, the three digits on the back of the card. If you search for that term on Facebook right now, CVV2, you will come across credit card numbers out there in the open.
What we’re seeing is that the bad guys are now leveraging social media as a platform to market and conduct their business, because if you think about it, what is the goal of social media? Social media is about bringing likeminded people together, connecting likeminded individuals together, getting them to share information and talk with each other and enrich each other. The bad guys are looking at this and saying, “Hey, why don’t we use social media so that we can better connect with likeminded individuals?”
You can find groups for credit card skimming, for credit card selling, for DDoS bots, for malware, et cetera, et cetera, and this is happening out in the open. You can join these groups. You can join the conversation and they’ll share methods about how to hack merchants, how to card different stuff, and that’s kind of what we’re seeing happen on the social media platforms. It’s basically the use of the platform to conduct their business.
[0:19:11.3] WG: That’s fascinating. These fraudsters, these criminals, regardless of level of sophistication, or knowledge, are leveraging social media platforms such as Facebook in open clear text communication to describe tradecraft and methodology for the express purpose of committing fraud and criminal activity. That’s fascinating.
[0:19:28.9] DC: Yeah. You can go online now and you could just search for these terms and you’ll find it, it’s right there in the open and it’s happening across the globe. Obviously, Facebook being the number one social media platform in the world, we see a lot of it happen on Facebook, but we’ve seen it happen on VKontakte, Odnoklassniki in the Russian speaking space, Baidu Tieba and QQ in the Chinese speaking space, and they’re all being leveraged, again, to connect — to help connect these individuals, these hackers, and help them get their business done.
It’s interesting. When you look at — also, we did some work on link analysis about who belongs to, which identity belongs to which group, et cetera, et cetera. We fingerprinted hundreds and hundreds of groups and over — I think it was about almost nearly 300,000 unique identities that were participating. This was mid last year. By the end of the year, by the end of 2016, that had already grown threefold. It was interesting to see, again, coming back to the Russian speaking arena, identities were never used in more than one group.
Again, coming back to the famous Russian sec-ops, they only burned an identity in a single group. Whereas if you look at Latin America, you look at West Africa, you look at the Indian speaking and the Indonesians, Indonesian speaking space, they were all using the same identity in a number of groups. It’s a really interesting ecosystem and development leveraging social media for their business.
[0:20:59.1] WG: Fascinating.
[0:20:59.9] NL: Yeah. Thank you, Dan. Guys, I think we’re getting close to our wrapping up point here, but I wanted to close with one last question for both of you. We’ve been talking about a variety of threats with high success rates and certainly high incentives for the attackers themselves. What can end users, the average listener, do to protect themselves from these kinds of threats?
[0:21:21.4] DC: I might start with saying that there’s no such thing as a free lunch and don’t believe the emails that you get. Always question the integrity of the email. If you’re an accountant, if you’re getting an email from your boss, or your CEO, look for the telltale signs of spelling mistakes. If you’re not sure, just ask. You’d rather ask your CEO if he really wants you to transfer the $10,000, than transfer the $10,000 and then deal with the outcome of doing that. Then, just be wary of everything that’s happening out there. Don’t believe what you see. Yeah, just question everything.
[0:21:55.8] WG: Yeah, I think that that’s actually solid advice. I think that we’re taught, or at least previous generations were taught to try to be open-minded and to be less skeptical and scrutinous of people and their intentions. The advent of the internet, and specifically social media, and the massive explosion and popularity of those platforms has really changed a lot of that.
Dan brings up a good point. I think caution is key. Being cautious is key. I would also say that teaching that type of thought and ideology to young people is really paramount, because that’s, I think — this is actually an interesting point. Dan, you touched on this a little bit with mobility earlier on in social media. There’s a — I don’t know how many millions upon millions, but we’ll just say billions of young people, [laughter] people younger than us, who are actively involved in social media in various forms; on major platforms and also minor ones too that are beginning to pick up speed and momentum, most of which are driven by mobile application use cases and ecosystems.
I think the reality, and it’s safe to say that what Dan is describing, is occurring within traditional larger social media ecosystems. You can rest assured that similar types of fraudulent activities are occurring in those smaller ones, and the net effect I think is that people, even young ones, use their mobile devices to store the very type of credentials that Dan is referring to; credit card information, CVV2 information, all that kind of salient detail that can easily be absconded with from a good solid, social media-driven campaign. Yeah, I think being cautious is key.
[0:23:24.8] DC: I’ll also just add — also, at the end of the day, we don’t want to grow up paranoid, and I think we as industry, the security industry, I think we’re doing a very good job at developing the tools that the banks, financial institutions, enterprises use and deploy. Then, credentials. To Will’s point, the fact that credentials are being stored on phones or whatever it is. That’s eventually going to go away. When we get into the whole big data analytics, et cetera, et cetera, machine learning, all those buzzwords, it is going to play a very key role in the fight against fraud and cybercrime. I think, if you ask me, that’s going to be the winning factor going forward.
[0:24:08.5] NL: Cool. Dan, Will, thank you guys so much. I think we’re going to wrap up episode 4 of the Digital Guardian Podcast here. To our listeners, stay tuned for our next episode, first week of May with Rafal Los.
Guys, thank you both for joining us and we’ll have to do this again soon.
[0:24:25.3] WG: Excellent. Thanks very much, Nate. Thanks, Dan.
[0:24:26.4] DC: Stay safe out there.
[0:24:27.3] NL: Take care.