Marcelino Martinez
Published in TUI Tech Blog
4 min read · Sep 11, 2020

Cybercriminals today

Today we will talk about how the world of cyber-attacks has changed due to cyber-criminals, focusing on those who are now “in”.

It’s good to remember the differences between hackers and cyber-criminals. Hackers are people who know a lot about a technology and try to go beyond its limits, generally helping to improve this technology. Cyber-criminals are professionals who seek to breach a company’s IT defences. What they are looking for is to achieve their objective, to make money through cyber-crime.

It is also important to remember that traditional computer attacks (new viruses, misconfigurations or unpatched systems) continue to be the easiest way to gain unauthorized access, but cyber-criminals know that if there is a good level of computer security awareness and a strong foundation in place (strong passwords, MFA, NAC, etc.), their chances of success drop dramatically.

Therefore, cyber-criminals take advantage of any cutting-edge technology that can help them. They are usually very up to date and, in some of the attacks discussed below, they no longer need credentials at all to carry out their operations.

The presentation, entitled How Bad Guys Hack Good (Financial) People with State of Art Technology, reviews several real cases of the new cyber-attacks being perpetrated by many cyber-criminals against companies.

We may think that these attacks only catch small companies off guard, but nothing could be further from the truth: Twitter, Mapfre, Marriott and others have all been attacked recently.

Let’s start with Twitter. Some minors are being investigated for gaining access to the social network’s internal management platforms by tricking a company employee.

Once they had access to these platforms, the attackers impersonated dozens of Twitter accounts belonging to US celebrities, including former US president Barack Obama, and published a crypto-currency scam that defrauded victims of more than 100,000 dollars.

In the wake of COVID-19, QR codes are taking over the world. They are used as graphical hyperlinks leading to sites or other information. A major concern for restaurants right now is the use of physical menus, since customers are hesitant to touch them. It takes less than a minute to upload a menu as a PDF and convert it into a QR code, but it goes a long way in keeping customers engaged and safe. The issue arises when a bad guy replaces the legitimate QR code with a new one that leads to a malicious site and, after compromising the customer, forwards them on to the original site or PDF. Human eyes are not good at comparing two different QR codes.

A completely different example is based on trust between a bank client and a bank employee. Requests for operations were sent by email, which meant that when an order was placed with the bank by email, there was no electronic signature to validate the operation. However, since the customer and one of the employees spoke regularly on the phone, this was not seen as a major problem. The problem came when a money transfer request, sent from the client’s own email address, asked for 20,000 euros to be transferred abroad. The explanation was quite simple: a cyber-criminal had been reading all the emails between the client and the bank employee for days, and then impersonated the client, even copying his writing style.

This usually happens between companies: an employee is impersonated in order to interfere with payments between the companies, diverting money to accounts that belong to neither of them, but to the cyber-criminal.

Cyber-criminals gather a lot of information on the Web, usually starting from just an email address and using Open Source Intelligence (OSINT). They use every source available on the Internet to collect all the pieces of information about an organization’s employees, building a map of who works there and who is the weakest link.

To launch an attack without passwords, they take advantage of so-called OAuth tokens, which are basically the authorization you grant to some services when you log in using your Facebook, Google or similar accounts. For example, signing up to Medium using your Google or Facebook account.

The problem is that cyber-criminals are really good at creating fake and malicious apps that use OAuth tokens and request a disproportionate number of permissions, for example access to read and send emails.
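One defensive check that follows from this: audit the OAuth consents already granted in your organisation and flag apps whose scopes are disproportionate (mailbox read plus send, long-lived access, unverified publisher). The code below is an added example, not from the original post or from any vendor; the grant records, scope names and the risk policy are constructed for illustration and mimic the style of common identity providers.

```python
"""Audit OAuth consent grants for the 'disproportionate permissions' pattern.

Assumption (constructed for this example): each grant is a dict with the app
name, the consenting user, the scopes granted and whether the publisher is
verified. Scope names mimic Microsoft Graph / Google style; the policy is generic.
"""
from collections import defaultdict

# Scopes that let an app read or send mail on the user's behalf.
MAIL_READ = {"Mail.Read", "Mail.ReadWrite", "https://mail.google.com/", "gmail.readonly"}
MAIL_SEND = {"Mail.Send", "https://mail.google.com/", "gmail.send"}
# Long-lived access: a refresh token keeps the app working after the user logs out.
PERSISTENT = {"offline_access"}

# Constructed sample consent log; a real one would come from the IdP's audit API.
SAMPLE_GRANTS = [
    {"app": "Medium", "user": "alice@example.com", "scopes": ["openid", "email", "profile"], "verified": True},
    {"app": "Calendar Sync", "user": "bob@example.com", "scopes": ["Calendars.Read", "offline_access"], "verified": True},
    {"app": "Invoice Viewer", "user": "carol@example.com", "scopes": ["Mail.Read", "Mail.Send", "offline_access", "User.Read"], "verified": False},
    {"app": "Invoice Viewer", "user": "dave@example.com", "scopes": ["Mail.Read", "Mail.Send", "offline_access", "User.Read"], "verified": False},
]


def score_grant(scopes, verified):
    """Return (risk score, reasons) for one set of consented scopes."""
    s = set(scopes)
    reasons = []
    if s & MAIL_READ:
        reasons.append("can read the mailbox")
    if s & MAIL_SEND:
        reasons.append("can send mail as the user")
    if (s & MAIL_READ) and (s & MAIL_SEND):
        reasons.append("read+send combination enables BEC-style impersonation")
    if s & PERSISTENT:
        reasons.append("offline_access: access outlives the login session")
    if reasons and not verified:
        reasons.append("unverified publisher")
    return len(reasons), reasons


def audit(grants, threshold=3):
    """Group grants by app and report every app at or above the risk threshold."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g["app"]].append(g)
    findings = {}
    for app, gs in by_app.items():
        scopes = set().union(*(g["scopes"] for g in gs))   # union across all consenting users
        verified = all(g["verified"] for g in gs)
        score, reasons = score_grant(scopes, verified)
        if score >= threshold:
            findings[app] = {"score": score, "users": sorted(g["user"] for g in gs), "reasons": reasons}
    return findings
```

Running `audit(SAMPLE_GRANTS)` reports only "Invoice Viewer": two users consented to an unverified app that can both read and send their mail indefinitely, which is exactly the foothold the email-impersonation cases above rely on.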

Artificial intelligence is another booming technology. In August 2019 a unique cyber-attack became known, in which criminals managed to impersonate the CEO of a company with AI software capable of mimicking his voice, and used it to order fraudulent transfers, according to The Wall Street Journal.

In the same way, more scams of this kind could be seen, even in video conferences.

In conclusion, we would like to draw your attention to the fact that security is not about buying protection services, and that common sense is not enough either. Security is something that has to be worked on constantly: the forms of attack and, therefore, the way we defend ourselves change over time, which is why we never reach 100% security. Even so, always bear in mind: do not grant access to any of your social networks unless you are completely sure why it is being requested. Trust your instinct: if something seems off, it probably is fake. Enable a second factor on all your accounts, email, social networks and so on. Read carefully any notice or pop-up on your phone and computer and think before you accept.
