The Evolution of Cybercrime: A Q&A with Dan Cohen, RSA Fraud and Risk Intelligence
RSA’s Dan Cohen discusses current trends in cybercrime, from shifting tactics to the commercialization of the digital underground.
Back in April we were fortunate to have RSA Fraud and Risk Intelligence director of product management Dan Cohen join us for a podcast on his work tracking cybercrime around the globe. Here’s an excerpt highlighting the conversation – for more from Dan and our own Will Gragido on the subject, you can tune into the full podcast below or on iTunes.
Dan, you mentioned you’ve seen recently an increase in phishing attacks. Can you fill us in on what’s going on there?
Sure. In phishing attacks, the attacker is trying to social engineer, or basically get the end user or the person that they’re attacking to divulge personal information, and we’ve been tracking and carrying out anti-phishing operations for over a decade now. I think we started way back in 2004, tracking the volumes of phishing and kind of tying that also to the maturity of the underground and the cybercrime landscape.
Phishing, over the years, has constantly grown. We used to see on average about a 10% to 12% increase year over year, but 2016 was definitely the year of the phish, if you want to coin it that way, where we saw an increase of over 240% year over year. If in 2015 we were handling about half a million attacks, in 2016 we closed off the year with nearly 1.3 million attacks that were launched around the world. It’s a very significant increase for a crime as old as computers.
What do you think would drive that increase just in the past couple of years? Any particular factor you’ve seen?
I think phishing is basically digital pickpocketing. It’s the oldest trick in the book and it works. When you look at what the bad guys are doing and their evolving tactics, they might improve the way that they carry out the social engineering and improve the story behind the social engineering. At the end of the day, they’re still leveraging phishing to trick individuals, to trick end users into carrying out some kind of action.
I think with the recent year and looking at, again, the evolution of the cybercrime marketplace and the tools that are available out there, the fact is that a lot of the tools have become free. When you look at malware, when you look at ransomware specifically, these tools are now free and available for anyone basically to use. More so, they’re also becoming available as a service. It becomes easier. If you want to launch an attack, you no longer have to figure out malware development. You can basically find it in a software as a service type offering.
When you add that to the fact that it’s incredibly easy to launch a phishing attack, it kind of explains this huge increase throughout 2016 where we’re seeing a lot of these bad guys, or script kiddies, leveraging the ease of phishing with the ease of getting their hands on ransomware tools and malware tools in general to launch the attacks.
In short, it’s the ease of launching a phishing attack together with the ease of getting your hands on malware tools. Those two things together basically explain the huge increase in phishing.
Do you see more individuals outsourcing this type of activity or are we seeing more folks operating as individuals without the aid of a third party?
That’s a good question. Back in the day, cybercrime was a lot more about small groups, or very experienced and skilled individuals, carrying out basically the entire crime. If I was a phisher, I basically had to figure out “How do I put together the phishing kit? How do I launch the attack itself? Where do I host it? How do I send out the emails?” Et cetera, et cetera.
Over the years, specifically the last five to six years, cybercrime has become more of a service-based marketplace. To your question: do we see individuals leveraging this service-based economy? The answer is very much yes.
For example, if you wanted to hit an email list with 500,000 emails on it, you can find somebody who would offer that as a service. Last I checked, about $40 to $50 would be the cost of emailing 500,000 email addresses with your phishing attack. If you think about it, that’s really no money. You basically find some site, you compromise the site easily. If it’s a blogging site, you plunk your phishing attack on that server and then you pay somebody 50 bucks to launch the campaign against 500,000 emails. If you get a 10% success rate, which is pretty much the going rate for success of phishing attacks, then that’s you scoring 50,000 usernames and passwords, or 50,000 credit cards. Incredibly easy, incredibly accessible, and most definitely using this service-based economy to launch these attacks.
It sounds like your team has observed a huge volume of phishing attacks and other scams being used against consumers and, generally, end users. What trends in cybercrime are you seeing targeting businesses today?
Looking at the risk to companies and enterprises — obviously, ransomware has been very up there in the news. Again, it comes back to the fact that ransomware as a tool is now freely available; you could probably Google different ransomware tools and find the source code and then launch that attack.
Then, the other thing that we’re seeing a lot of is what is known as business email compromise, where it’s social engineering — it’s not a spear phishing attack per se, but it is a social engineering attack against a very specific individual within a company. Usually, what you’ll see is the CFO or the accountant within a firm will get an email from the CEO, or purporting to be from the CEO, saying “Hey, can you pay this invoice to this vendor? Here’s their bank account number. Transfer $10,000 to this bank account.”
Obviously, this accountant, they’re sitting there at their table, they get this email from the so-called CEO and they take action and they transfer the money. This problem, this challenge of business email compromise, has grown significantly, to the tune of billions of dollars that are being lost to these scammers. Again, it’s basically leveraging social media, looking through LinkedIn, looking for the accountants in these firms, finding them, and it’s not so much a needle in a haystack. Leveraging tools like LinkedIn, it’s very easy to identify these individuals. The emails come across and you can see that they’ve used Google Translate to form these emails, but they score.
Again, looking at these types of hackers, the bottom feeders if you will, they’re leveraging freely available tools, they’re leveraging social media, and they’re getting away with what might appear to be small amounts of money per attack, but when you add them all up it’s billions of dollars that are being lost to these hackers.
We’ve been talking about a variety of threats with high success rates and high incentives for attackers. What can end users do to protect themselves from these kinds of threats?
I might start with saying that there’s no such thing as a free lunch and don’t believe the emails that you get. Always question the integrity of the email. If you’re an accountant, if you’re getting an email from your boss, or your CEO, look for the telltale signs of spelling mistakes. If you’re not sure, just ask. You’d rather ask your CEO if he really wants you to transfer the $10,000 than transfer the $10,000 and then deal with the outcome of doing that. Then, just be wary of everything that’s happening out there. Don’t believe what you see. Yeah, just question everything.
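The business email compromise pattern Dan describes (an email purporting to be from the CEO, asking the accountant to pay an invoice or wire money, often with awkward wording) and his advice to question such emails can be turned into a simple mailbox-side triage check. The code below is an added example, not code from RSA, from the podcast or from Dan Cohen. It assumes a hypothetical home domain of example.com, a constructed executive roster and constructed sample messages, and it scores each message on the mismatches and wording the interview mentions: an executive's display name on an address that is not theirs or is outside the organisation, a reply-to that points somewhere else, and payment or urgency language in the text.

```python
"""Heuristic triage for business email compromise (BEC) lures.

Added illustration only; not RSA's or the interviewee's code. The home
domain, the executive roster and the sample messages are all constructed
for this example. Input is assumed to be already-parsed mail as dicts
with "from", optional "reply-to", "subject" and "body" fields.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed home domain
EXECUTIVES = {"jane roe": "jane.roe@example.com"}   # constructed roster

# Wording typical of payment-diversion requests and of pressure to act fast.
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|invoice|bank account|iban|routing number)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|today|right away|confidential)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg: dict) -> dict:
    """Count independent BEC indicators; higher score means review it."""
    name, addr = parseaddr(msg.get("from", ""))
    _, reply_to = parseaddr(msg.get("reply-to", "") or "")
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    hits = []

    # Display name of a known executive but not their real mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        hits.append("executive display name on unexpected address")
    # Sender is outside the organisation altogether.
    if addr and _domain(addr) != ORG_DOMAIN:
        hits.append("sender outside the organisation")
    # Replies would go somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        hits.append("reply-to domain differs from sender")
    # Content asks for money to move, and/or presses for speed or secrecy.
    if PAYMENT_TERMS.search(text):
        hits.append("payment or banking language")
    if URGENCY_TERMS.search(text):
        hits.append("urgency or secrecy language")
    return {"score": len(hits), "indicators": hits}


def triage(messages, threshold: int = 3):
    """Indices of messages that reach the review threshold."""
    return [i for i, m in enumerate(messages)
            if score_message(m)["score"] >= threshold]


# Constructed samples: one ordinary internal mail, one CEO-impersonation lure.
SAMPLES = [
    {"from": "Jane Roe <jane.roe@example.com>",
     "subject": "Q3 budget review",
     "body": "Can we meet Thursday to go over the Q3 numbers?"},
    {"from": "Jane Roe <ceo.janeroe@mail.example.net>",
     "reply-to": "janeroe.office@example.org",
     "subject": "Urgent invoice",
     "body": "Hey, can you pay this invoice to this vendor today? "
             "Transfer $10,000 to this bank account. IBAN below. "
             "Please keep it confidential."},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, score_message(m))
    print("flag for review:", triage(SAMPLES))
```

Each indicator is cheap on its own and none is conclusive; the point of counting them is that a genuine internal request rarely trips more than one, while the lure in the second sample trips all five. A mail gateway rule or a mailbox add-in that surfaces the indicator list to the recipient gives the accountant exactly the prompt Dan recommends: stop and ask before transferring.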