Sadly, greed has become one of the biggest cyber weaknesses of our time as more and more ways of exploiting this basic human trait emerge. Even sadder, there is no easy ‘second Tuesday’ patch to block this in-built vulnerability.
Greed provided the backdrop to one of last year’s biggest and most intriguing cyber heists, where personal data was used, not as ‘dark web’ currency between hackers or to syphon money from unwitting individuals, but to exploit human beings’ overwhelming appetite for avarice. To explore this subject a bit further, let’s take a step back.
Credit card details are a classic example of a black-market commodity that people overestimate the value of. Some credit cards have limits of £50,000 or more, but this doesn’t translate to hard cash. Stolen cards are more likely to be used as a kind of currency between cybercriminals, as well as to perpetrate new cybercrime (much as stolen cars are typically the ideal choice for a getaway vehicle); the outlet for stolen credit cards isn’t simply “go buy stuff without paying for it.” In any case, credit card companies are getting really good at spotting odd €1 transactions and freezing the card (really frustrating when the trade was real), goods are shipped to addresses that merchants can trace, and geo-sensitive behaviours are tracked to the nearest 10km or so, ensuring further safety.
Far more valuable are the email addresses of ‘middle class’ individuals. Or at least they are, if you know what to do with them.
The aspiring middle classes are emerging as the best kind of cybercriminal target if you don’t just blow it by trying to steal their money directly. They have a certain amount of disposable income and ‘net worth’, and as a global class they are growing.
According to the US Government Bureau of Justice Statistics, people in households with an annual income of $75,000 or more suffer a higher prevalence of identity theft than any other income bracket. And with cybercriminals having to become even more creative at exploiting data they extract from nearly every household (46% of Americans have either been a victim or know someone who has), novel approaches have been developed to turn this data into hard currency.
They use one of the oldest scams in the equities market to pump up a stock price, dump it at its peak and rub their hands with glee. As the stock price plummets or returns to normal levels, innocent investors are left wondering what the hell just happened. What’s even more appealing about this exploit is the sense of shame and guilt felt by the victims, making them slow to react and reluctant to inform the authorities.
These scams are infamously known as Pump and Dump (P&D) schemes. The scam draws its power from a single human characteristic: greed. While traditional middle Americans, increasing numbers of affluent Asians – and equally eager Europeans – are duped by a trusted source (compromised by identity theft) into following or buying a stock that is tipped for upward movement, the perpetrators may only be looking for a 10% gain before bailing out, or they may only be addressing a small portion of their stolen credentials at a time so as not to draw attention. Funny really, that cybercriminals avoid the temptation of being too greedy in order to evade detection and maximise their profits!
The sting here though is that the cybercriminals hold tens of millions of records; records that have been extracted over many years. Think about it: so many companies have had their defences breached and data stolen – often over scandalously long timeframes before finding out – and yet few suspicious activities have emerged. Isn’t that suspicious in itself?
Most modern P&D scams have relied upon a very crude spamming approach that sends junk to millions of random email records so that the <0.1% who act on the information generate enough critical mass to impact the stock price.
In the recent case of JPMorgan and several other leading US financial institutions and brokerages, this was made significantly more lucrative because the honest stock-speculators concerned were so well targeted, and by highly reputable, trusted sources.
This audacious infiltration of trust raises two further questions:
Who is the victim? It’s not simple to address, even though it’s clear that the data has been stolen from a finance house, and that their reputation would have been damaged. But no money was stolen and it’s hard to put a solid value on the theft, even though last year’s discovery estimated the total scam netted the gang more than $100m over a number of years. Meanwhile, the unwitting or amateur stock speculator has been duped, but again none of his/her passwords or account data has been compromised. No money has been stolen; indeed some of the ‘victims’ may even have managed to profit from the scam as they saw the prices rise in the time following their trade. Eventually they’d all lose – unless they got out in time – but then that’s the risk of the stock market, right?
What’s worth more, everyday data about ‘valuable’ people or valuable financial data about everyday people? In this case, I’d suggest the former.
These new P&D scams – and others like them – demonstrate the innovation of cybercriminals and the need for businesses and their trusted IT advisors to think laterally and in non-obvious ways. It should help channel partners introduce new security concepts like modern malware, APTs and behavioural analysis tools – they look for odd behaviours like executable programmes not executing, or unusual trends – and this helps VARs have far more interesting and strategic conversations with their customers that ultimately lead to greater value.
These scams also reveal that – as people – we are our own worst enemy, especially now that the science of cybercrime is staying one step ahead in capitalising on our human weaknesses.
P&D scams show that greed is a very powerful force that cybercriminals are committed to exploiting, and they also highlight the amount of vigilance and investment organisations need to employ to prevent and mitigate them.
As Gordon Gekko famously said, “Greed is Good.” Well, that rather depends on whose greed it is…