When asked “How do you think a hacker looks like?” most people will definitely associate it with any of the movies they’ve seen depicting that world. In reality they are experts in covering their identity, but you definitely won’t imagine a neatly dressed executive working for a well-organized business aiming at optimal return on investment. Reality is weirder than you think.
Today hackers have reached a level far beyond the individual know-it-all portrayed in movies, being a part of a whole cybercrime supply chain, generating billions of dollars each year. The massive data breaches we have observed in recent years are the strongest evidence that hackers developed enterprise-mimicing operations on a global scale. One plausible idea is that by stealing billions from world-leading brands is just a demonstration of what’s possible. Besides allegedly flexing muscles, the most skilful hackers being able to stay undetected will naturally remain unreported and very, very rich.
With the increase of software use in virtually any aspect of our life, combined with many types of hackers eager to exploit vulnerabilities it can feel like an uphill battle. It is very likely that security specialists will never be able to win this fight.
Before huge data outbreaks one common belief about hackers was that they were only looking for credit card information to either use themselves or sell to the highest bidder. Still this is a big part of fraudulent processes, but the same kind of attacks can also provide account credentials which are even more valuable. Once those credentials are collected information like user name, address, phone, email accounts, methods of payment, financial and business contracts can be obtained and used or sold.
Maximizing profit is the goal of any business including ones in the field of fraud. The goal is to reach consistent results with minimal effort and money. Most hacker groups go for account credentials providing all sort of private data which is inevitably online – mortgage accounts, tax data etc.
The initial breach of data is just the start. Rarely will the person that stole your data use it by himself. More often other hackers buy it and focus on specific parts of it corresponding to their set of skills. It may sound weird, but today it is more important to protect your email rather than your credit or debit card info. The information transaction is done in the deep web with websites changing all the time. Supply and demand of fraudulent data still have reliable mediums of exchange and it is no surprise that this market is thriving. It is notable that fraudulent data market is also driven by reputation. The higher quality of stolen data, the more repeat sales, combined with an increase of initial price.
Why is it more important to protect your email rather than you bank cards? Imagine this: 5 years ago you sent a loan application via email. When stolen, hackers have all the required data to create false identities or get loans themselves with disastrous consequences.
Now lets examine the fraudulent supply chain. In it, getting a hold of the credentials is just the beginning. Like in any other business, the offered goods have to make their way through the supply chain before reaching the end consumer. There are four general kinds of hackers with many more specializing in different areas. The first type includes hackers who acquire credentials. Their expertise is finding vulnerable spots like third-party vendors that do business with their target. Their scam pallet is large with techniques such as phishing scams and social engineering. Their main goal is to find human weakness which allows to take advantage of a system. The second type consists of hackers who sell the stolen data. Most often this is done via online hacker forums, part of the deep web. Prices are set according to the value and longevity of offered information. Next, there are the ones which specialize in using credentials to isolate consumable goods – credit card numbers, personality identifiable information, intellectual property and more. The last type includes hackers who are proficient in using the stolen data. Their main goal is to bypass fraud monitors so they can actually monetarize the stolen information. The conclusion is that there are many organizations and people that support the hacker ecosystem directly or indirectly, but what is actually scarier here is that some of these people might not even realize it.
Companies are inefficient in implementing best practices and appropriate technologies in protecting places that are of highest importance – like email. One very effective method is adopting two factor authentication whenever possible. Stolen credit card information on mobile devices are becoming harder to trace. Mobile devices are home to a number of private and business-related apps containing sensitive information.
The good news is that there are many business nowadays that develop new systems to prevent hackers from exploits in the places they work most. Some governments are also taking steps in assisting their citizens against cyber crimes. The bad news is that hackers have shown over and over they are great at adapting to changes and staying ahead of security specialists. It is up to us to protect ourselves.