Holy Cow!! According to the FBI's Internet Crime Complaint Center (IC3), cybercrime made $2.7 billion (that's billion with a *B*) in 2018. And that's just from the complaints that they got! So can you imagine how much money was lost to cybercrime last year?
According to IC3 there were 351,936 complaints of cybercrime last year, leading to the $2.7 billion in losses. That just boggles my mind. And you HAVE to know that a lot of people just didn't report when they got attacked.
How about an example? :-) Sextortion has been huge lately, and do you think I'm going to call the FBI if some Threat Actor threatened to expose my pornographic tendencies to all my friends? Yeah, that would be awesome. Here's my thought on how the call would go....
"Ugh yeah, is this the FBI?"
"Yes Sir it is, how can we help you?"
"Ummm, yeah, some dude sent me an email and said he broke into my computer and was going to lock up my computer but decided that since I was such a pervert and had hoarded tons of pornographic material he was going to extort me for a bunch of money or he would contact my wife and all of my friends and tell them I'm a pervert and would release a video of me entertaining myself!"
Yeah, I can see that going REALLY well... What the heck do you say to something like that if you're the FBI???
But I digress...
IC3 has been tracking this since May of 2000, so they've got about 19 years of data on this. From May of 2000 till 2018, 4,415,870 complaints have been reported to the FBI with about 300,000 complaints a year and about 900 per day. That's a lot of hacking.
Now this is very interesting. The crimes with the largest losses were business email compromise (BEC), confidence/romance fraud, non-payment/non-delivery and extortion. So what's BEC, you ask? It's a form of attack where the Threat Actor does a very targeted attack on YOU. Yep, as creepy as it sounds, Threat Actors do a lot of research on their mark.
Where does all this information come from? Think about it, how much information do you have about yourself on LinkedIn, Facebook, Instagram, Twitter, shall I go on? And I'm not saying unplug, live in a cave and wear furry animal skins. Just be a little mindful of what you're putting up on the Internet because it's public. Let that sink in just a little bit before you read on.
BEC is very popular with Threat Actors because targeted attacks make more money. According to the BleepingComputer article I'm getting this information from (https://www.bleepingcomputer.com/news/security/cybercrimes-total-earnings-skyrocketed-to-27-billion-says-the-fbi/), BEC made $1.2 billion last year. So almost half of all the money came from these targeted attacks.
Here's an example. I'm a threat actor and I find out you're the controller of a company. Suddenly you get an email from your CEO addressed to you. It states that he/she is working on an important deal and it's extremely time sensitive. The email looks legitimate, the names are correct and there's a bank routing number for transferring the money.
Do you transfer the money or do you do more research? If it's real, the CEO might get really pissed if you cause him/her to miss out on this deal. If it's fake you could end up sending the wrong person a chunk of money. What to do?
But Neil, it has the correct names on it... Yep, that's easy to fake.
But Neil, they knew my name... Yep, that's easy to find.
But Neil, they knew what I did... Yep, that's easy to find.
So see why it's so successful? Traditional phishing is usually pretty spammy, with misspellings and grammatical mistakes, and is easier to spot. BEC is personal and it should worry you.
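Since the name on an email proves nothing, here is a small mail-screening sketch that looks at the things a faker can't hide as easily. It is an added example, not from the FBI report or the BleepingComputer article, and it goes a little past the CEO story by also checking for a near-copy of the company's domain. The company domain, the executive's name, the keyword list and both sample messages are made up for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this sketch (all constructed, not from the post).
COMPANY_DOMAIN = "acme-widgets.example"
EXECUTIVES = {"pat morgan"}
PRESSURE = ("time sensitive", "urgent", "wire", "transfer", "routing number")

def bec_flags(raw: str) -> list[str]:
    """Reasons to verify a payment request out of band before acting on it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        # The display name is free text set by the sender, so a correct
        # name proves nothing; only the address domain is checked here.
        if display.strip().lower() in EXECUTIVES:
            flags.append("executive name on outside address")
        # Near-identical domains are registered to pass a quick glance.
        if SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() > 0.8:
            flags.append("lookalike domain")
    payload = msg.get_payload()
    body = payload.lower() if isinstance(payload, str) else ""
    hits = [w for w in PRESSURE if w in body]
    if hits:
        flags.append("payment pressure: " + ", ".join(hits))
    return flags

# Constructed sample messages.
SPOOFED = """\
From: Pat Morgan <pat.morgan@acrne-widgets.example>
To: controller@acme-widgets.example
Subject: Confidential deal

I'm working on an important deal and it's extremely time sensitive.
Please transfer the funds today using the routing number below.
"""

GENUINE = """\
From: Pat Morgan <pat.morgan@acme-widgets.example>
To: controller@acme-widgets.example
Subject: Friday

Are we still on for the budget review on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, bec_flags(raw))
```

A flagged message isn't proof of fraud; it's a cue to confirm the request through a phone number you already have, not one from the email.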
Well, on that sunny note, I think I'll stop scaring everyone. :-) If it seems fishy, it's probably 'cause it is. If it seems too good to be true, it's probably 'cause it is. Threat Actors do a lot of stuff to hit us in the gut and make us ask "how high" when they say jump.
Be careful out there!
Neil