[BreachExchange] It's a myth that most cyber-criminals are 'sophisticated'

Thu Jul 27 19:24:33 EDT 2017

http://www.bbc.com/future/story/20170726-why-most-
hackers-arent-sophisticated

Among the mistakes journalists sometimes make when covering cyber-security
stories is calling an attack “sophisticated” when it’s anything but. And it
tends to irritate security professionals.

There’s no real definition of what a sophisticated attack is, but a more
elaborate hacking incident might involve gathering intelligence on a
specific, complex networkbefore it could be successfully and subtly
exploited.

Attacks like that do happen. But more often than not, the hackers and
cyber-criminals hitting the headlines aren’t doing anything magical. In
fact, they’re often just wily opportunists – like all criminals.

The head of Europol says that the growth of cyber-crime is “relentless”.
The agency has identified a range of increasingly common methods used by
21st Century offenders – and these are not sophisticated. These include
digital payment attacks, ransomware, selling illicit material on the dark
web and stealing people’s personal data to commit fraud or identity theft.

Much of the time, established criminals seek to enlist the services of
unethical hackers and younger “script kiddies”, who use programs developed
by others to infiltrate computer systems.

“The organised crime gangs are saying, ‘Show us how good you are’, and
drawing them into the dark side,” says Alan Woodward at the University of
Surrey, who is an adviser to Europol.

“They don’t have the technical capability [themselves], they’re switching
from drug trafficking and all the rest of it to cyber-crime because
basically there’s a much better return on it.”

The ways in which young people become involved in this sort of activity
were recently detailed in a report by the UK’s National Crime Agency (NCA).
The average age of those arrested for malicious hacking activities was just
17 – the offences included vandalising websites, stealing data and breaking
in to private computers.

Because our world is so much more connected than ever before, and those
connections are often woefully insecure, it’s relatively easy to find ways
of exploiting computer systems illegally. And ransomware in general is
increasingly successful. In 2016, criminals made an average of $1,077 with
every attack. For the BBC's Cyber-hacks series, Click's Spencer Kelly
discovered how cyber-criminals can acquire off-the-shelf ransomware using
only a search engine.

As Woodward points out, the easiest thing to do is “just cast it out there”
– whether it’s ransomware, spyware or spam – and see what comes back. Many
people are often surprised by the amount of spam they receive, especially
because so many of the scams are so obviously illegitimate. But the reason
you still get emails from a Nigerian prince offering cash out of the blue
is because people continue to fall for such stories. Not huge numbers, but
a few. And that’s all it takes to make a profit.

And when cyber-criminals employ social engineering techniques, they tend to
be pretty cheap and dirty. They might try to get us to click on a dangerous
link by associating it with something likely to attract our attention, for
example. After Osama Bin Laden’s death in 2011, for instance, links on
Facebook directing readers to a video of the terrorist leader’s execution
were found to be booby-traps. They actually led to malicious code.

What all of this paints, though, is not the oft-imagined image of a shadowy
hacker with pseudo-magical powers. Instead, a lot of this activity is
carried out by people with a few technical skills but who are ultimately
quite lazy. Representations of hackers in popular culture – figures who
flip open a laptop and break into the Pentagon – haven’t helped.

Thankfully, the old adage about the long arm of the law remains relevant –
many cyber-criminals are failing to get away scot-free. In the UK,
successful convictions of computer-related crimes are on the rise. There
were 45 in 2014, but 61 in 2015.

Are there frighteningly powerful hackers out there? I’m sure there are a
few – and they most likely work for governments. As for criminals, the goal
is always the same. That same lure – a quick buck – is what pulls them in
online, just like it used to in the offline world.

“Criminals are lazy as well as clever,” says Woodward. “That’s why they
don’t walk into banks with shotguns anymore. It’s easier to go and steal
stuff online.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170727/9e48e88b/attachment.html>