Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/9/2015
06:01 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Cybercrime Can Give Attackers 1,425% Return on Investment

Going rates on the black market show ransomware and carding attack campaign managers have plenty to gain.

While security professionals often find it difficult to prove return on investment, a standard ransomware campaign could earn an attacker a 1,425 percent ROI, according to a report released today by Trustwave.

"We're showing what the motivation for and value of a cybercrime is," says Charles Henderson, vice president of managed security testing at Trustwave. "To my mind, if you're going to defend against cybercrime, you need to understand" the attackers' motivation.

Trustwave's report is based on study of the black market cybercrime economy and direct investigations of 574 data breaches across 15 countries in 2014.

Trustwave calculated the ransomware ROI based on the following:

  • Costs of a ransomware payload (CTB Locker in this example), infection vector (RIG exploit kit, which was most common), camouflaging services (encryption), and traffic (20,000 visitors) totaled $5,900 per month.
  • Earnings for a 30-day campaign, assuming a 10 percent infection rate, a payout rate of 0.5 percent, and a $300 ransom, would total $90,000.
  • That's a profit of $84,100 and a ROI of 1,425 percent.

"The black market is very transparent," says Henderson. "You can look for a good deal ... just as any mercantile or purveyer of goods."

Poorly secured point-of-sale systems, the high black market value of track data, and the quick turnaround on stolen cardholder data have also made the carding business very popular  -- particularly against targets in North America, where EMV adoption is so low.

Overall, 42 percent of the incidents Trustwave investigated were on e-commerce assets, 40 percent on PoS system, and 18 percent on internal networks. In North America, 18 percent were e-commerce, 65 percent PoS, and 17 percent internal networks.

Although 49 percent of breaches did involve theft of PII, track data was targeted even more often, in 63 percent of attacks.

This demand for cardholder data and the ease of getting it has affected the industries that hackers are honing in on. The top three industries targeted in 2014 were retail (43 percent), food and beverage (13 percent), and hospitality (12 percent). Ninety-five percent of the attacks in the food and beverage industry and 65 percent in the hospitality industry were from PoS systems.

Nearly all of the PoS breaches were the result of weak passwords (50 percent) and weak remote access controls (44 percent).

E-commerce compromises, on the other hand, were quite different. While only 8 percent come from weak passwords and 17 percent from weak remote access security, 42 percent result from weak or non-existent input validation and 33 percent from unpatched vulnerabilities. The web server vulnerabilities most popular with opportunistic attackers were the WordPress pingback DDoS (30 percent), cross-site scripting (25 percent), and the ShellShock Bash bug.

Trustwave also examined how different types of financially motivated threat actors make money on cybercrime, distinguishing between targeted attackers and opportunistic attackers.

Targeted attackers choose a specific set of targets, and then find out where the potential victim is vulnerable and how to compromise it. Opportunistic attackers approach things from the opposite direction; they learn about a vulnerability, then look for targets that are vulnerable to it.

Trustwave found that both categories of attackers may go after e-commerce sites, for example, but they'll have different post-exploit purposes.

"I see the opportunistic attackers as the serial entrepreneurs," says Henderson. "Someone who's looking to build any business" as opposed to just an auto shop or technology firm or clothing line. "Very nimble, but not very particular."

Opportunistic attackers tended to monetize their efforts by installing webshells and backdoors and redirecting users for search-engine optimization or installing IRC clients for botnet recruitment, according to the report. In addition to being cybercriminals they are also cybercrime service providers.

Targeted attackers, rather, have a methodology and a business plan that they're committed to, says Henderson.

Targeted attackers tend to go after specific high-value sites and steal payment card data. (Service providers for travel booking sites have become a popular target for this reaon, according to the report.) Attackers then monetize it by selling cardholder data, selling goods purchased with that data, or using money mules to transfer money out of compromised accounts to attacker-owned accounts.

Other findings

Trustwave's scanners also found that 98 percent of applications had vulnerabilities.

"It's both surprising and unsurprising," says Henderon. "Surprising in the sense, that there's a difference in knowing application security isn't where it needs to be and seeing a hard number like that."

Plus, "Password1" was the most common password.

"You would think it would be blacklisted," says Henderson. "Not the case."

Most breaches were detected by third parties -- 58 percent by regularory bodies, card brands and merchant banks, 12 percent by law enforcement, 4 percent by consumers, and 7 percent by other parties.

However, that slim 19 percent of organizations that self-detected breaches discovered and contained them far more quickly than third parties did. The median time from instrusion to containment for externally detected compromises was 154 days; for self-detected compromises just two weeks (14.5 days to be exact).

"The ongoing security programs that include managed security providers, extensive teams in-house, and regular proactive security testing, these are the companies that detect their own intrusion," says Henderson. But those are also the types of companies that tend to prevent intrusions, he says.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/9/2015 | 3:36:16 PM
Ransomware
I recently helped someone who was infected with ransomware. Its difficult to remove and very easy to create a new variation making it extremely profitable. When all your photos are encrypted its a difficult decision to make because you cannot put a price on your memories. But apparently the people who built the ransomware can.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.