
Attacks/Breaches
8/11/2020 10:00 AM
Marc Wilczek
Commentary

How to Help Spoil the Cybercrime Economy

Cybercrime is increasingly turning into a commodity. Stolen PII and hijacked cloud accounts in particular propel the spread, research shows.

The prices of key commodities such as oil, grains, sugar, and cotton don't just affect business sectors as they rise and fall with supply and demand: They also drive global trading activity and form the foundation of the world economy. The same applies to cybercrime.

The prices for key "goods" in the underground economy — pilfered credentials, hacked accounts, or payment card information — don't only mirror fluctuations in supply and usage. They also determine the kinds of attacks criminals will launch. This should come as no surprise: Criminals are businesspeople, after all, and they want to maximize their return on investment.

The recently released Dark Web Price Index 2020 reveals current average prices for a selection of cybercrime commodities available "on demand." Stolen credit card details start at $12 each, and online banking details at $35. "Fullz" (full identity) prices are around $18, which is less than they were a couple of years ago because a series of large breaches created an oversupply of personally identifiable information. A basic malware attack on targets in Europe or the US costs $300, and a targeted distributed denial-of-service (DDoS) attack goes for $10 per hour.

Extortion Evolves
These rates shed light on a big shift in cybercrime since 2018: the move away from ransomware and toward DDoS attacks that attempt to extort money from their targets. Ransomware is old school and was deployed only on a fairly small scale because it couldn't be spread without help from unwitting users. As a result, most attacks tended to be limited to scrambling data on a few PCs or servers. 

Later, in 2017, the infamous EternalBlue exploit changed everything. Ransomware created to take advantage of it — such as WannaCry and NotPetya — could spread without assistance to any unprotected company computer. If even a single user opened a malicious attachment, the organization's network could be taken down in minutes, making it easy for bad actors to demand payoffs. 

This drove a spate of ransomware attacks that lasted for about a year and a half. It also compelled organizations to install EternalBlue patches and implement extra security measures, so attacks became less successful. High-end malware like WannaCry and NotPetya requires financial and human resources to develop, and blockbuster exploits like EternalBlue are rare. As a result, ransomware use has dropped. Today, it's once again being used as a tool for targeted attacks.

DDoS Deeds, Done Dirt Cheap
As ransomware use has waned (for now), DDoS attacks have become the go-to weapon for online extortion. As we've seen, thanks to the proliferation of Dark Web services, it doesn't cost much to unleash a damaging attack — some DDoS-for-hire services cost just $10 per hour or $60 for 24 hours. The "salespeople" even offer volume discounts. 

One reason why DDoS attacks are so inexpensive is that, more and more, the people offering DDoS-for-hire services are leveraging the scale and bandwidth of the various public clouds, providing more artillery firepower than ever. Research by Link11 reveals that the year-over-year share of attacks using public clouds ballooned by 64% — from 31% in the second half of 2018 to 51% in the second half of 2019. (Full disclosure: I'm the COO of Link11.) It's easy to set up public cloud accounts using a cheap fake ID and an equally cheap stolen credit card — thanks again, Dark Web! — and simply rent the accounts to whoever has an attack target in mind. If the credit card stops working, no problem. They're (almost) a dime a dozen. Because they're so easy to procure, DDoS attacks are often used to produce a smoke screen that keeps IT teams busy and covers up a targeted hacking campaign.

Making matters worse, it's not terribly risky to run or rent these services. According to the World Economic Forum's "Global Risks Report 2020," in the United States the chances of a cybercrime actor being caught and prosecuted are almost nil (0.05%). At the same time, the business impact on targeted companies is massive. IBM's "Cost of a Data Breach Report" pegs the average total cost of a security breach at $3.92 million.

These days, because of the COVID-19 pandemic, organizations around the globe are embracing remote work at unprecedented levels. This has made online services of all kinds — from governments to banks to e-commerce or e-gaming — more vulnerable to criminals, and DDoS attacks more alluring as a means of extortion. Like the best business propositions, such attacks don't cost much and can reap excellent returns. On the target's side, when online connections are halted or significantly slowed for even a few hours, employees' work is disrupted, customers can't buy anything, and the organization's revenues and public image are damaged.

Make Sure Crime Doesn't Pay
With DDoS attacks growing heavily in size, to multiple times the available internet bandwidth, on-premises solutions are turning into a toothless tiger. If a large attack hits an organization, the pipe is doomed to collapse before any local hardware can start intervening. As a result, the ISP is going to discard (black hole) all traffic for the duration of the attack, making the organization inaccessible to anyone. To ward off the new flood of DDoS extortion attacks and prevent having to pay ransom money to cybercriminals, organizations need to protect their IT infrastructure using cloud-based services capable of fending off even large-scale attacks. These route all IP traffic destined for the organization's networks to an external cloud service that automatically and instantly filters out malicious traffic, using AI and machine learning to spot anomalies, before an attack can take down mission-critical services. Such an off-premises service is usually underpinned by a multi-terabit MPLS network, capable of absorbing even large-scale attacks.

There's no doubt the cybercrime economy will continue to be a bonanza for the evildoers who know how it works. But organizations can still avoid feeding the beast.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...