New Targets for Online Criminals

For Small to Medium sized Business (SMB) owners, recent economic turmoil has challenged their very existence.  As if that were not enough, a new threat is emerging on the horizon which may prove to be the final bell for some SMBs.  It is cybercrime, and it stands as a tsunami, ready to wash unprepared SMBs clean off the map.

Hackers and computer criminals have been turning away from the complex, difficult-to-evade detection systems of very large corporations.  These large companies have spent significant portions of their revenue streams on security and pose too hard and risky a target when other low-hanging fruit lies under-protected in the vulnerable and plentiful SMB sector.  The overall effect for business owners may be bankruptcy, and the ramifications could cause further harm to struggling local economies.  Action must be taken in order to ensure financial security for small business owners.

BACKGROUND

Since the dawn of the internet, malicious citizens and criminals alike have sought to manipulate it for their own personal gain.  “Cybercrime”, or on-line crime, has evolved tremendously in the last few years and has become extremely connected and organized.  Threats have evolved from simple pranks and experiments, to malicious annoyances, to attacks now bent on reaping major profits.  The “Melissa” and “I Love You” viruses of the late 90s jumpstarted the growth of anti-virus software.  More recent denial-of-service (DoS) attacks hold whole networks and businesses hostage by overloading them with authentic-looking service requests.  Phishing scams focus on banking patrons, looking to fool them into providing online banking credentials and credit card numbers.

On-line crime is about to undergo a new phase in its development, switching its focus to the vulnerable assets of SMBs.  According to surveys conducted by the Canadian Chamber of Commerce:

  • 85% of all business fraud occurs in small to medium-sized businesses. 
  • 96% of businesses that responded to the survey are using the internet for business purposes.
  • 90% of organizations experienced a computer security incident.
  • 20% of the respondents suffered 20 or more attacks over a one year period. 
  • 87% provided product information on their websites.
  • 73% accept online payments.
  • 69% of businesses provided the ability for online ordering and tracking of goods. 
  • 44% reported intrusions within their own organizations.
  • 51% of all businesses surveyed indicated that they did not have a privacy policy statement on their websites.
  • 95% of respondents believe they are being targeted for cyber crime (most see ID theft, fraud and viruses as the greatest threats). 
  • 89% of respondents believe that preventing cyber crime should be a priority of government and law enforcement.
  • A recent Symantec study ranks Canada 9th as a country targeted for malicious cyber activities.
  • 70% of Canadian victims of cyber crime are unsure who to report it to or did not think any justice would occur. 

Most of these companies lack the means to deal with these threats due to scarce human resources, lack of funding, and insufficient time.

  • 93% of businesses are employing anti-spam/anti-virus protections for their business.
  • 82% update these protections at least once a month.
  • 93% of businesses have firewalls for their online business.
  • 89% perform a regular back-up of critical data.
  • 19% responded that their business does not have a secure server.
  • 42% do not back up information off-site.
  • 25% of all businesses are not regularly updating their spam filters.

http://www.chamber.ca/images/uploads/Reports/2010/Sub-DES-140710.pdf
http://www.chamber.ca/images/uploads/Resolutions/2009/I-Fighting_Cybercrime_beyond_ID_Theft_and_Spam.pdf

Historically, financially focused attacks took one of three major forms.

  1. An attacker would typically send out a barrage of emails known as spam messages.  Those fooled by the lure of easy money, cheap medications, or “performance enhancement” would provide credit card numbers to the attacker by ordering the product.
  2. An attacker would set up a malicious program, offering some perceived benefit, and post it to various unsuspecting distribution sites located throughout the Internet.  Hidden inside the program was a keylogger, designed to capture your password, login ID and any other important information that it could glean from you.
  3. A motivated attacker could send you an email spoofed to appear to come from your bank, prompting you to click on a link that looks like your bank’s, but actually takes you to a look-alike site set up by the attacker.  It asks you to log in, stealing your information from you.

Newer attacks:

  • Continue to attack the consumer – Mom and dad, little brother or sister, playing and communicating out on the Internet, unaware of the dangers.  These are the targets of the new attackers.  They want to be your Facebook friend, and they would love to be LinkedIn with you.  Not because they are interested in what you are interested in, or they care about what you care about.  They want access to your computer so that they can get access to your parents’ computer.  They want to gain access to other people’s computers without the risk of getting caught.  Let you take the fall, while they take a free vacation!
  • Drive-by Web Attacks – The Internet’s web interface is the delivery mechanism of choice these days.  Email has too many layers of protection, and they are now baked in to every ISP’s basic offerings.  It is far easier to just set up a free or inexpensive website, compromise an existing one, or even better, create a malware-laced advertisement image that can be circulated to legitimate mainstream sites.  Malware gets the widest distribution possible in this manner.
  • BotNets – Software designed to install onto and take over your computer, making it part of a network of compromised systems.  The bot-herder takes his botnet to the highest bidder, and spreads spam or other malware, or conducts distributed denial of service, for cash.  The risks are low, the payoff high, and the work remains easy.
  • Custom made malware – Malicious software tailored to fool most anti-virus tools.  It can do anything, from capturing keystrokes, to searching for and emailing specific documents or other content, to capturing copies of your screen, or encrypting your files and charging a fee to access them.  These are often sold in kits, and allow the purchaser to “roll their own”.  The malware involved can usually be detected at a low rate, based on certain characteristics, but if sufficiently changed or obfuscated, it can get past standard defenses.
  • Advanced phishing – A malicious tool sits idly by until you surf to your banking site.  Once there, it covers the part of your screen that shows the value of a transaction with a field containing the value that you intended to send in an online bill-payment.  Instead, it issues a payment for the maximum allowed, and quietly changes the recipient to one of its own choosing.  The changes go unnoticed until the bill goes unpaid or a balance enquiry is made offline.
  • APT (Advanced Persistent Threat) – This is malicious software that is downloaded to your computer through email, spam, surfing to malicious websites, or even surfing to news sites that have been compromised or serve up a compromised ad.  What is different about true APT is that it is custom made for YOU.  No one else will likely get this specific malware.  No anti-virus company is likely to get a copy to make a detection signature from.  It gets in under your anti-virus radar, and persists to stay there.  Its purpose is to gather intelligence about you and your network, and to send information about vulnerabilities and assets back to the mothership.  If something on the list appears useful or interesting to the attacker, he may instruct the software to explore for him, or open up a backdoor for direct connection.  This is a true espionage tool.
  • Good old fashioned Social Engineering – This can be done using print, email, phone calls, or in person.  The idea is to provide a credible story to fool someone into doing something that provides the attacker some benefit.  An example is the classic “lost engagement ring” ploy.  A woman claims to have lost her expensive ring and may enlist you to help her find it.  She will leave a business card or other conveyance, urging you to call her right away if you find it, to earn a big cash reward.  Later, another person will “find” the ring, and offer it to you for a smaller amount of cash.  They operate as a team, preying on your greed, expecting you to accept the cheap $50 ring in exchange for a few hundred dollars, so you can trade it to the original owner for several times that amount.  You end up with a $50 ring and lose several hundred dollars.  Social engineering can get an attacker anything from airline tickets, to credit card numbers, or even access to a secure server room.

What Can We Do

  • Cybersecurity insurance is an effective and reasonable way of protecting small business assets.  According to cio.com only 25% of companies have it. 
  • Consumers should use the standard mainstays of security, EVERYWHERE.  These include both hardware and personal software firewalls.  These have both been commoditized to the point where they are pretty much given away.  Take them!  Use them!  Keep them updated!  The same goes for anti-virus software.
  • Patch.  Do it NOW.  Do it OFTEN.  When a vendor takes the step of admitting to a serious flaw in their product, and issues a corrective measure, apply that measure immediately.  If they didn’t have an obligation to release patching information, do not think for a moment that vendors would do it.  It is a hard pill for vendors to swallow when their product can be proven to have introduced a security risk to their clients.
  • Get some software on your computer that does “whitelisting”.  The concept is simple.  You install software on your computer.  You should understand what the software does.  You approve its activities.  If that newly installed Sesame Street software suddenly starts opening up an Internet session, but no browser window is open, and it’s not expected, don’t allow the communication.  If that is enough to break the software, it doesn’t belong on your computer anyway.  It _SHOULD_ throw up an error message, coming clean that it was trying to connect for updates or something.  If it doesn’t, it was probably up to no good.  Use only software that you trust, and obtained from a trusted source.
  • Use a browser sandbox.  It separates your browser from the rest of your system, setting up a virtual environment that looks like a standard install to the Internet.  All of the nasty elements are confined to and impact only the session you are currently running.  When you close the browser, all of the cruft that was unintentionally downloaded to your system is flushed.
  • Install and use a web-surfing filter.  There are some that can be enabled on the Internet, some work at the ISP level, others at the DNS provider.  Still others can be installed right on your PC.  They allow you to select the types of Internet sites that can be connected to from your network and systems.  Most identify malware and malicious sites, porn, sites related to illegal activities, etc.  I use one at each level, ensuring the maximum protection, should one of them fail to detect something or be interfered with by an attacker.
  • Don’t use P2P or “Torrent” software.  It will open your computer to other attack vectors, and 90% of the software hosted in this manner is malicious or contains some malicious content. 
  • Use Your Head.  Nothing in this world is free.  Not even this advice is free.  The cost of this advice: remember where you got this advice, and remember the advice that you have been given.  You are expected to act upon this advice, and make the world a safer place for HONEST people to get ahead.
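The “whitelisting” item above describes a default-deny rule: a program may only talk to the Internet if you approved it, and only to where you approved.  This added example (not from the post, and not any product’s code) runs that rule over a few constructed connection events; the program names, hosts and policy are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical policy: programs the user has approved, and the destinations
# (host:port) each may reach.  "*" means any destination.  Constructed for
# this example; a real policy is whatever the user approved at install time.
ALLOWLIST: Dict[str, Set[str]] = {
    "browser.exe": {"*"},
    "mailclient.exe": {"mail.example.com:993", "mail.example.com:587"},
    "backup.exe": {"backup.example.com:443"},
}


@dataclass(frozen=True)
class Connection:
    process: str   # executable that opened the socket
    dest: str      # "host:port" it tried to reach


def decide(conn: Connection,
           allowlist: Dict[str, Set[str]] = ALLOWLIST) -> Tuple[str, str]:
    """Default-deny check returning ('allow' | 'block', reason).
    Anything not explicitly approved is blocked; that is what makes this a
    whitelist rather than a blacklist of known-bad programs."""
    allowed = allowlist.get(conn.process)
    if allowed is None:
        return ("block", f"{conn.process} is not an approved program")
    if "*" in allowed or conn.dest in allowed:
        return ("allow", f"{conn.process} approved for {conn.dest}")
    return ("block", f"{conn.process} approved, but not for {conn.dest}")


def audit(conns: List[Connection]) -> List[Tuple[str, str, str]]:
    """Run every connection through decide(); returns (process, dest, verdict)."""
    return [(c.process, c.dest, decide(c)[0]) for c in conns]


# Constructed events: a browser, a mail client, a backup tool reaching a host
# it was never approved for, and a newly installed kids' game quietly opening
# an Internet session with no browser window open (the post's Sesame Street case).
SAMPLE = [
    Connection("browser.exe", "www.example.com:443"),
    Connection("mailclient.exe", "mail.example.com:993"),
    Connection("backup.exe", "203.0.113.7:443"),
    Connection("kidsgame.exe", "198.51.100.23:80"),
]

if __name__ == "__main__":
    for process, dest, verdict in audit(SAMPLE):
        print(f"{verdict:5}  {process:16} -> {dest}  ({decide(Connection(process, dest))[1]})")
```

The two “block” verdicts are the ones the post wants you to see: a known program going somewhere new, and an unknown program going anywhere at all.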

YOU are ultimately responsible for your own security AND the security of those around you.  If not YOU, then WHO?  I was asked recently during an interview, why I bother with this blog, and the information that it contains.  It reaches such a small audience, and is of little interest to most.  Well, the person that typed this message has children, and grand-children, and would like them and their children to have a fair chance at a decent life.  The scumbags that prey on our trust and naivete do so at a cost to our businesses, to our livelihoods, to our families, to our children, and to their futures.  I am not prepared to pay that cost, nor to enable them to do so. 

Cyber-criminals.  STAND AND DELIVER!

Mark
