Fraud Edge

They're attacking you

Date: March 1, 2016
Read Time: 10 mins

I met guest columnist, Jonathan Nichols, a cyberintelligence consultant at ZeroFox, during an Institute for Fraud Prevention conference where he was a panelist and spoke on bitcoin and money laundering. I was impressed by his five years in building cyberthreat intelligence teams within the U.S. Department of Defense. Also, in the private sector, Jonathan worked for 10 years in psychological operations for the U.S. Army in Iraq and Afghanistan. In this column, he describes hacking in three different configurations — knowledge that all academics can pass on to their budding fraud examiners. — Pat Johnson

You have to tell your students that the good guys are losing the battle to hackers. Organizations are vulnerable, and criminals are perpetrating vast amounts of online fraud daily. Here's what you can teach them.

Let's start with three types of hackers with different motivations: (1) cash, (2) governments and (3) ideas. We call these three groups, respectively, "carders," "APTs" (short for "advanced persistent threats") and "hacktivists." Although there's some overlap (a hacktivist might decide to dabble in more lucrative activities), these distinctions are fairly rigid. (Note I don't distinguish terrorists from hacktivists. Hacking for political aim is the same even if you're willing to kill for your ideals.)

Let's talk about how each type of hacker can attack organizations and their clients.

Thieving carders are money movers

Carders don't usually care about who you are, what you do or any political causes that you hold dear. Carders move money from bank accounts into theirs. The magnetic strips on the back of credit cards hold everything carders need to take over lives and organizations, but the process can be arduous. (At present, users with "chipped" cards are somewhat more secure. However, researchers are already cloning data off these cards, and it's only a matter of time before theft is just as common as it is for the magnetic strip variants.)

At the beginning, low-level carders with few technical skills (such as wait staff, bartenders, gas station attendants or others) run cards through "skimmers" — card-reading equipment that feeds data into hackers' databases — before they slide them through legitimate point-of-sale (POS) devices. The skimmers often look identical to the legitimate machines, but some are so small they can be plugged into smartphones.

When a hacker has skimmed a debit card, the card owner is 99 percent of the way to being "pwned" (slang for owned). To completely take over, the hacker probably also needs the card owner's PIN. More advanced hackers will install touch-sensitive pads and skimmers on gas pumps and POS devices to capture PINs in conjunction with card data.

Even more advanced hackers will attack POS machines with a RAT (Remote Access Trojan) to steal an entire database or to just scrape the data as it passes out of the network and off to the bank. The hackers will then sell that data on carder forums to the tune of anywhere from $1 to $120 per card — depending on the perceived value of the victims and freshness of the data. After the Target hack went public, thousands of cards were selling for $1 each as the hackers rushed to offload the data before it went stale, according to How stolen credit cards are fenced on the Dark Web, by Donna Leinwand Leger, Oct. 19, 2014, USA Today.

Market prices for cards vary widely. Interestingly, cards missing PINs and stolen from gas stations in poor areas are less valuable than cards taken from U.S. military personnel, which sell at a premium. Fraudsters know those in the military are guaranteed steady paychecks and might be too busy fighting wars to notice thefts.

Now that the hackers have cardholders' data, they need to turn it into cash. Skimmers sell the data to "cloners" (I think I might have just made up that term, but it works) who — after they buy a batch of cards — turn skimmer data into fake cards. Using over-the-counter card-making devices (about $30 each) they print the data onto blank credit cards. Good cloners will even stamp cards with any name a purchaser wants!

The cloners then sell those cards on carding forums or darknet marketplaces and also send marketing emails to aspiring hackers. Fraudsters can then use the cards for purchases like any other cards or employ mules to make bulk ATM withdrawals. The mules receive a percentage of the withdrawn cash and send the rest back to the organizer who's typically in an unfriendly country where law enforcement can't extradite him even if they could catch him. The organizers keep mules honest by checking card limits in advance and doling out PINs only seconds before operations are set to begin.

On Feb. 19, 2013, fraudsters directed their mules — casher crews — to pull in $40 million from ATMs in at least 26 countries with cloned cards in just 10 hours. Mules stole $2.4 million from 2,904 withdrawals in New York City alone, according to The ATM Heist: How Did the 'Casher' Crew Do It? by Michael Daly, The Daily Beast, May 11, 2013.

APTs are guns for hire

The APTs are motivated by the national interests of those countries that hire them. They have access to "0-day" or "zero-hour" (unpatched) vulnerabilities in computer applications and whatever other resources the paying governments give them. APT attacks are notoriously hard to attribute to a specific actor group, and almost all attribution claims are unverified. Recent examples of potential APT attacks include the Saudi Aramco hack, Stuxnet, and, probably, the attack on the U.S. Office of Personnel Management.


Attackers — armed with governments' wealth and teams of hackers — can find flaws in organizations' systems they never knew existed. They can wreck businesses, their clients, and even the ideas they hold dear. That isn't hyperbole; military propagandists are getting into the cybergame and actively working to subvert opposition viewpoints.

With such difficult adversaries, the only thing organizations can really do is limit their attack surfaces. They can't defend against threats they aren't aware of, and it's typically a waste of resources to try. My recommendation is to make the target smaller, which is critical to any good defense, especially against more advanced hackers.

An organization can restrict critical data to only those who need it (via user access management policies), limit the amount of junk coming into its network ("Can I surf Facebook from my desk at your workplace?") and incorporate robust security training.

In 2013, the Syrian Electronic Army (SEA) sent spearphishing emails to Associated Press (AP) employees. (See Details Emerge About Syrian Electronic Army's Recent Exploits, by Nick Bilton and Nicole Perlroth, May 10, 2013, The New York Times.)

The employees unwittingly clicked on the links and provided their email credentials to the SEA. Using those credentials, the SEA was able to access the Twitter account of the AP (a failure of user access management) to tweet that two bombs had gone off at the White House. (See Market quavers after fake AP tweet says Obama was hurt in White House explosions, by Dina ElBoghdady, April 23, 2013, The Washington Post.)

The stock market dropped $136 Billion in seconds. Yeah, that capital "B" is intentional. This was serious. However, according to The Washington Post article, "The stock market … rebounded just as quickly when it became clear that the message was bogus." (Also see Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? by Max Fisher, April 23, 2013, The Washington Post.)

An organization's critical steps to stop this type of attack are: (1) regularly checking to ensure its systems are patched (even at user workstations), (2) incorporating relentless training and (3) allowing access to data to just the employees who need it when they need it.

Hacktivists want political change

Political ends motivate these "hacker-activists." They don't work for governments, and they don't (typically) care about credit cards. They want political change, but because political causes are as varied as the people supporting them, so are the hacks. Hacktivists aren't typically monitored, and sometimes governments even support them.

I won't try to tackle the full scope of hacktivism here, but I'll focus on the most famous network of hacktivists: Anonymous, which began in 2008 (ish). The bulletin board site, 4chan.org, viewed Anonymous as the Freudian id of the Internet — a group of like-minded individuals who only spoke to each other using un-attributable "anonymous" handles. Attacks (raids) against other websites began as fun larks, but when members started raiding to achieve political ends, the Anonymous movement was born.

Hacktivists, typically, are activists first; they care about political ends more than they do about hacking, and their skillsets tend to reflect this. For Anonymous, "raids" have evolved into Operations (Ops). To start an Op, a motivated person goes into an Anonymous network (on Twitter, Facebook, an Internet relay chat, a slew of forums or even in person at a hacker convention) and presents an argument. If enough agree to help, or if capable hackers or influential leaders believe enough in a cause, an Op is born. The primary tools of an Op are: (1) Distributed Denial of Service attacks (DDoS), (2) defacements and (3) Structured Query Language injections (SQLi).

Here's how a DDoS works. Imagine that an organization's server is a house. The wire connecting the server to the Internet is a road. A DDoS attack involves putting as many cars (connections) as possible on that road to cause a traffic jam, which will stop anyone who wants to do business with the organization — or its clients — from seeing its website (or getting to the server). This digital "sit-in" doesn't harm the contents of the house (or server), but the U.S. does prosecute DDoS attacks under the Computer Fraud and Abuse Act.

Defacements, the second type of attack, are akin to graffiti. Hackers will maliciously crack into a system (because of weak passwords or user access issues) and use a website or social media page as a billboard for their own messaging.

Finally, SQLi relies on flaws in the way a server processes data to gain full access to a database. Imagine you have a program that asks, "What is your name?" and I say "My name is Jon; AND PRINT ALL DATA." The computer reads Jon, sees the semicolon as a new line of code, and then prints all its data. That's a very simple version of how it's done.

So, what about defense? This gets a little technical, so bear with me. DDoS attacks are stopped with load distribution, filters, cloud-based solutions, etc. Load distribution techniques spread data loads across server instances. Filters stop servers from processing bad packets at the firewall or intrusion detection system (IDS). Cloud-based solutions, such as Cloudflare or Akamai, act as advanced DDoS mitigation systems that combine these approaches.
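To make the "filter" idea concrete, here is a small per-source connection rate filter of the kind a firewall or IDS rule applies in front of a server. This is an added illustration, not code from the column or from any vendor named in it; the window length, the per-source cap and the log lines are all constructed for the example. A source that opens more than the cap within the window has its further connections dropped until the window slides past, while a normal client is unaffected.

```python
"""Sliding-window, per-source connection rate filter (added example).

Assumed policy: at most LIMIT connection attempts per source address
within any WINDOW_SECONDS interval; attempts beyond that are dropped.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # assumed window length
LIMIT = 5               # assumed per-source cap within the window


class RateFilter:
    """Tracks recent attempt timestamps per source and enforces the cap."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)  # source -> recent attempt timestamps

    def allow(self, src: str, ts: float) -> bool:
        """Record the attempt and return True if it is within the cap."""
        q = self.history[src]
        # Forget attempts that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        # Dropped attempts still count, so a source that keeps hammering
        # stays blocked until it slows down.
        q.append(ts)
        return len(q) <= self.limit


def filter_log(lines, window=WINDOW_SECONDS, limit=LIMIT):
    """Apply the filter to 'timestamp source' lines; return (accepted, dropped)."""
    f = RateFilter(window, limit)
    accepted, dropped = [], []
    for line in lines:
        ts_str, src = line.split()
        (accepted if f.allow(src, float(ts_str)) else dropped).append(line)
    return accepted, dropped


# Constructed sample log: 10.0.0.9 opens eight connections in four seconds
# (a flood), 10.0.0.2 behaves like a normal client, then 10.0.0.9 returns
# after a quiet period and is admitted again.
SAMPLE_LOG = [
    "0.0 10.0.0.2",
    "0.5 10.0.0.9", "1.0 10.0.0.9", "1.5 10.0.0.9", "2.0 10.0.0.9",
    "2.5 10.0.0.9", "3.0 10.0.0.9", "3.5 10.0.0.9", "4.0 10.0.0.9",
    "5.0 10.0.0.2",
    "20.0 10.0.0.9",
]

if __name__ == "__main__":
    accepted, dropped = filter_log(SAMPLE_LOG)
    print("accepted:", len(accepted))   # 8
    print("dropped:", dropped)          # the sixth, seventh and eighth flood attempts
```

Real filters key on more than a source address (a flood from many sources needs the upstream, cloud-based capacity the column mentions), but the mechanism is the same: count recent attempts per key and refuse the excess before it reaches the application.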

Defacements are fixed by keeping your server updated and implementing user access policies and robust password rules. SQLi is almost always solved with "input sanitization" (which is just fancy talk for "make sure users can't input semicolons or other commands").
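The "What is your name?" example above and the input-sanitization fix, worked through in code. This is an added illustration, not code from the column; the customer table and the hostile input are constructed. The vulnerable lookup pastes the user's text straight into the SQL, so a crafted name changes the query's logic and returns every row. The hardened version uses a parameterized query, which is the form of sanitization practitioners rely on: the database driver sends the value separately from the statement, so quotes, semicolons and keywords inside it can only ever be data. A metacharacter check is included as a detection aid for logging suspicious input, not as the fix itself.

```python
"""Vulnerable versus parameterized lookup against an in-memory SQLite table.

Added example; the table, rows and inputs are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory customer table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Jon", "1234"), ("Alice", "5678"), ("Bob", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL by string concatenation: the user's text becomes code."""
    query = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound separately from the SQL text."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def has_sql_metacharacters(value: str) -> bool:
    """Detection aid in the spirit of the column's 'input sanitization':
    flag input carrying quote, semicolon or comment sequences so it can be
    logged or rejected. Useful as an alarm, not a substitute for parameters."""
    return any(token in value for token in ("'", ";", "--", "/*"))


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input, the column's "Jon; AND PRINT ALL DATA" idea:
    # the quote closes the string literal, and OR '1'='1 makes the WHERE
    # clause true for every row, so the concatenated query dumps the table.
    hostile = "Jon' OR '1'='1"
    print(lookup_vulnerable(db, "Jon"))     # one row
    print(lookup_vulnerable(db, hostile))   # every row leaks
    print(lookup_safe(db, hostile))         # no customer has that literal name
    print(has_sql_metacharacters(hostile))  # True: worth logging
```

The point for students: the defect is not the semicolon or the quote as such, but the fact that untrusted text is parsed as part of the program. Parameterized queries remove that possibility regardless of which characters an attacker tries.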

Hackers are attacking organizations right now

Hackers love to target medium-sized businesses because they almost certainly will have cash but won't be large enough to have robust cybersecurity departments. To stop hackers, organizations need to change. Smart leaders learn about the problems and apply correct policies.

If an organization does have a cybersecurity department, it should leverage it correctly and give its team the tools it needs to protect the organization. It can conduct training — arguably the most important layer of defense — without a huge investment in expensive tools.

Organizations should make security an integral element of their cultures. It's okay to call outside businesses for help. For example, I don't code my firewall — I use a third-party vendor — and it saves me time and money. Hiring outside teams to audit systems, review policies and train staff is frequently much cheaper than hiring full-time cybersecurity staff. Regardless, organizations shouldn't hope that they won't be targets. Because they already are.

Jonathan Nichols is a senior analyst at ZeroFox. His email address is: Jon@ZeroFox.com.

Patricia A. Johnson, MBA, CFE, CPA, is the program coordinator of the Master's in Science in Forensic Accounting program at Canisius College in Buffalo, New York. She's chair of the ACFE Higher Education Advisory Committee. Her email address is: johnsonp@canisius.edu.
