Cybercriminals are as varied as other internet users: just as the web has allowed businesses to sell and communicate globally, so it has given fraudsters the ability to plunder victims anywhere and set up crime networks that, previously, would have been impossible.
The web has become central to the smooth running of most developed economies, and the types of cybercrime have changed too. While 15 years ago the majority of digital crime was effectively a form of online vandalism, most of today’s internet crime is about getting rich. “Now the focus is almost entirely focused on a some kind of pay-off,” says David Emm, principal security researcher at Kaspersky Lab.
That’s causing significant costs to businesses and consumers. IBM and Ponemon Institute’s 2016 Cost of Data Breach Study found that the average cost of a data breach for the 383 companies participating increased from $3.79m to $4m over 2015: the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158. All the organisations in the survey had experienced a data breach ranging from 3,000 to 101,500 compromised records, and the majority of the leaks were down to malicious attacks (as with many types of crime, the costs of cleaning up can be vastly higher than the loot that the hackers manage to get away with).
Data breaches aren’t the only costs to business of online criminals: the FBI calculates that CEO email scams — where criminals pose as senior execs and persuade finance managers to transfer huge sums to phoney bank accounts — have hit tens of thousands of companies and cost over $3.1bn since January 2015.
There’s a significant cost to business of protecting against attacks, too: according to analyst firm Gartner, worldwide spending on security products and services will reach $81.6bn (£62.8bn) this year, up eight percent year-on-year thanks to increasingly sophisticated threats and a shortage of cybersecurity professionals.
Most internet crime is motivated by a desire for profit — stealing banking credentials or intellectual property, or via extortion for example. But as online crime has grown it has also evolved — or mutated — into a set of occasionally overlapping groups that pose distinct threats to organisations of different sizes.
These groups have different tools, objectives and specialities, and understanding this can help defend against them.
“The bulk of cybercrime is the equivalent of real-world opportunist thieves,” says Emm. These are the crooks you’re most likely to come across, or at least feel the impact of, as an individual — the petty criminals of the online world. They may spew out spam or offer access to a botnet for others to run denial-of-services attacks, or attempt to fool you into an advance-fee scams where the unwary are promised a big payday in return for paying (often a substantial) sum of money up-front.
One big growth area here is ransomware: “The return on investment in the criminal ecosystem is much better if you can get your victims to pay for their own data,” said Jens Monrad, global threat intelligence liaison for FireEye.
Still, basic IT security is often enough to keep this sort of crime at bay: encrypting data, using anti-malware technologies and keeping patching up to date means “you’re going to be in fairly good shape,” according to Kaspersky’s Emm.
“The twenty-first century digital criminal is best characterised as a ruthlessly efficient entrepreneur or CEO, operating in a highly developed and rapidly evolving dark market…they are a CEO without the constraints of regulation or morals,” warned a recent report from KPMG and BT entitled Taking the Offensive.
These groups will have a loose organisation and may utilise many contractors — some expert at developing hacking tools and vulnerabilities, others who will carry out the attack and yet others who will launder the cash. At the centre of the web is a cybercrime boss with the ideas, the targets and the contacts.
These are the groups with the capability to mount attacks on banks, law firms and other big businesses. They might execute CEO frauds, or simply steal vital files and offer to sell them back again (or sell them on to unscrupulous business rivals).
According to European law enforcement agency Europol in its 2015 Internet Organised Crime Threat Assessment, there is now some overlap between the tools and techniques of organised crime and state-sponsored hackers, with “both factions using social engineering and both custom malware and publicly available crimeware”. Organised cybercrime groups are also increasingly performing long-term, targeted attacks instead of indiscriminate scatter-gun campaigns, said the agency.
When nation states use a technique it usually takes around 18 to 24 months for that to filter down to serious and organised crime.
“One of the challenges for the ordinary company is the level of the adversary continues to get more sophisticated because they are able to get access to more of the technologies than they would have been able to do in the past”, said George Quigley, a partner in KPMG’s cyber security division.
And it’s not just the big companies that may be at risk. “You could be forgiven as a small business for thinking ‘I’m not one of those guys, why would somebody want my network?’ — but you are part of somebody’s supply chain,” said Kaspersky’s Emm.
These may be individuals or groups driven by a particular agenda — perhaps a particular issue or a broader campaign. Unlike most cybercriminals, hacktivists aren’t out to make money from their exploits, rather to embarrass an organisation or individual and generate publicity. This means their targets may be different: rather than a company’s accounts system or customer database, they may well want to access embarrassing emails from the CEO or other company officials.
Despite the hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build. “Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors,” said US director of national intelligence James Clapper in his assessment of worldwide cyber threats in September last year.
While standard criminality accounts for the vast majority of cyber threats, the use of the web by state-sponsored hackers has been widely publicised in recent years. Much of this takes the form of cyber espionage — attempts to steal data on government personnel or on expensive defence projects. Governments will spend millions on developing all-but-undetectable ways of sneaking onto the systems of other nations — or those of defence contractors or critical national infrastructure — and these projects may take years of development.
“Networks that control much of our critical infrastructure – including our financial systems and power grids — are probed for vulnerabilities by foreign governments and criminals,” warned President Obama last year, blaming Iranian hackers for targeted American banks and North Korea for the attack on Sony Pictures that destroyed data and disabled thousands of computers.
Like hacktivists, state-sponsored groups aren’t usually seeking financial gain. Rather, they are looking to support the policies of their government in some way — by embarrassing another government by revealing secrets, or by gaining a potential strategic advantage, for example.
Worse, nation-state hackers may be interested in creating physical effects by digital means — bringing down a power grid or forcing open the doors of a dam at the wrong time, for example. This is where cybercrime tips over into cyberwarfare.
“The management and operation of critical infrastructure systems will continue to depend on cyber information systems and electronic data. Reliance on the power grid and telecommunications will also continue to increase, as will the number of attack vectors and the attack surface due to the complexity of these systems and higher levels of connectivity due to smart networks. The security of these systems and data is vital to public confidence and safety,” says Europol.
With the emergence of the Internet of Things (IoT) — where everyday objects from thermostats to home security systems — can be controlled online, the risk of well-funded groups attempting to hack into these devices increases. If your organisation is being attacked by state-sponsored groups, keeping them out is likely to be extremely difficult: you should consider how to limit the damage, by segmenting networks and encrypting sensitive data, for example. Concentrating on blocking at the perimeter will not be enough.
With all the focus on external threats, is it possible that companies are forgetting a danger much closer to home?
“There’s been an awful lot more issues being driven from insiders of late. One of the challenges is that when people think cyber they automatically think external,” says KPMG’s Quigley. Confidential company documents stored on shared drives and weak internal controls on who can access data mean that the disgruntled or greedy insider could still be one of the biggest risks to businesses. “They should have insiders much higher on the radar than they do,” Quigley warns.
In reality there’s a lot of overlap between these groups, in personnel, the tools they use and the targets they choose. “The cyber threat landscape is becoming a much more complicated environment to do attribution or explain attacks,” says FireEye’s Monrad.
However, most breaches start in the same way, says Kaspersky’s Emm: “What they have in common is how they get their initial foothold through tricking individuals into doing something that jeopardises security: click on a link, open an attachment, give out some confidential information.” It’s vital to educate staff and close obvious holes: through to 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year, according to Gartner.
What’s certain is that, as the internet becomes even more essential to our day-to-day lives, the potential for cyber criminals to make money will only increase.