[BreachExchange] How Criminal Hackers Make Money from Your Data

[Audrey McNeil]

http://www.aim.ph/blog/how-criminal-hackers-make-money-from-your-data/

Every day, businesses handle massive amounts of customer data—so huge that
it makes disaster recoveryquite challenging for many companies. On the
other hand, cyber hackers capitalize on such data to conduct illegal
activities. Surely, data is a very powerful instigator of fraud.

Data breaches are commonly perpetrated by criminal groups to make financial
gains. To avoid making direct online, illegal transactions involving actual
currencies, criminals use these ways to turn stolen data into real money.



1. Ransomware

Commonly distributed through spam emails, malicious advertisements, and
black hat SEO sites, a ransomware malware encrypts computer files and locks
its user out of the system until the victim agrees to pay a ransom to the
hacker.

In 2015, the Hollywood Presbyterian Medical Center paid its attackers
$17,000 worth of Bitcoin to retrieve sensitive medical records. And early
this year, the Lincolnshire County Council’s computer system was held up
for $500.



2. Transacting with fraudulent credit card

Fraudsters steal data stored on credit cards’ magnetic stripe, print it on
an improvised credit card, and use it to make purchases or hire “money
mules” to withdraw cash from ATMs.

Retail merchants are the most common target of credit card breaches. In
early 2015, customers’ credit card data were stolen from Target and Home
Depot to create fraudulent Apple accounts to buy valuable items and
merchandise.

Larger credit card breaches can be broken down into multiple layers, where
data thieves sell stolen card information to brokers, who then pass it on
in so-called “cc dumps” to other “carders.”



3. Using stolen credentials to make transactions

There’s such a thing as data black market in the online community. Data
thieves offer aggregators the following personal data of a person:

Name
Email
Password
Social security number
Phone
Address
Bank account details

Once cyber criminals gain access to these pieces of information, they can
make transactions on e-commerce sites, break into someone’s online
financial and social media accounts, and transfer money to another
party—the list keeps growing.

JPMorgan Chase reportedly fell victim to a massive online hacking scheme
late last year, where account information of about 7 million small-scale
businesses had been stolen.

The hacker of the 2012 data breach linked to the Yahoo mail service
provider was selling usernames, passwords, and birth dates to a marketplace
on the dark web for three bitcoins, roughly equivalent to $1,800.



4. Trading illegally on the stock exchange

>From 2010 to 2015, a group of hackers who had illegal access to non-public
financial information of publicly listed companies earned nearly $30
million as they sold the confidential information to stock market illegal
traders before public releases were made to legitimate investors.

All the hackers needed to carry out their exploit was to get into the
system of Marketwire L.P., PR Newswire Association LLC, and Business
Wire—three business newswire firms that kept hundreds of public companies’
unpublished press releases concerning their earnings, gross margins, and
other financial information.



5. Cracking into an online account or app with payment method facilities

Nowadays, hackers could hijack even frequent flyer miles or Uber
accounts—any account that links to a credit card, checking account, or
PayPal.

Back in 2012, CBS News reported that United Airlines passengers lost
thousands of miles credit in a scam. Hackers can steal credits to buy
airline tickets or hotel accommodation and resell these to third-parties.

Similarly, scammers can set up fake Uber driver accounts and charge user
victims for bogus riding services.



Impact of Stolen Data for Businesses

All forms of data theft or data breach correspond to monetary and
non-monetary damages for your company, including:

Disruption of business and lost revenue – The security breach can cause a
company to shut down its electronic operations while the IT support is
tracking the origin of the attack and making corrective measures. Needless
to say, the daily revenue suffers.
Breach notification and post-breach expenses – Companies are under an
obligation to notify customers if their info was lost, stolen, or
compromised, which can cost businesses significant out-of-pocket expenses.
Preventing another breach by putting up more rigid data protection systems
can be equally costly.
Decline in market value – Research shows that news of data breach can cause
a company’s market value to drop by approximately 9 percent within 30 days
after the breach is discovered, and by 3 percent over the long term as a
serious consequence of cyber attacks.
Decreased customer trust and confidence – Customers can be unforgiving to
cases of data breach because they expect no less than the privacy and
security of their data. Customers can suspend or terminate their dealings
with companies with records of a security
Damaged reputation – The bad reputation of a brand or business is
comparable to a stigma that is likely to linger in the minds of business
partners and customers, and companies will have to conquer many challenges
to rebuild a positive reputation.

Cyber espionage is happening all around, and businesses cannot let hackers
get the better of them. Otherwise, data breaches will remain profitable for
online crooks while companies suffer from financial losses and bad
publicity to no end.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160913/cde1d9ee/attachment.html>