Inside the mind of a cybercriminal

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu, The Art of War

The best way to protect ourselves from any kind of criminal is to know how they operate. When travelling to Barcelona, which is famous for its pickpockets, it is wise to be aware of the techniques that pickpockets use so that you can avoid making the common mistakes that lead to being robbed in broad daylight. Similarly, if we are to conduct business using computers and the internet, we should do what we can to remain in the know about what kind of criminals we may be targeted by, and how best to avoid, accept, and mitigate those risks.

Cybercriminals are usually motivated by at least one of three things:

1. Money – if they think that there is enough money to be made to justify the effort and risk, a cybercriminal is likely to investigate their avenues of attack. Such avenues could involve blackmail, ransomware, stealing data to sell on the black market, or accessing financial systems.
2. A grudge/vendetta – if somebody feels wronged by a person, organisation, or “the system” they might seek to damage their target by any means necessary. The result of this could vary from defacing a website to obtaining and publishing sensitive personal information of the subject of the cybercriminal’s rancour.
3. Surveillance – we joke about tinfoil hats these days but criminal organisations, nation states, and government agencies perform foreign and domestic surveillance on their targets. This can involve anything from intercepting and deciphering electronic communications to installing spyware on the target’s laptop or PC.

From here we will analyse what kind of tactics cybercriminals use to achieve the above goals, as well as discussing prevention and remediation strategies to ensure that, as individuals and companies, we are doing everything we can to keep cybercriminals at bay.

Let’s set up a scenario in which your company, and by extension, you, are the target of a cyber criminal. Your attacker may perform several weeks or even months of Open Source Intelligence (OSINT) gathering where they collect as much information as they can about the company and all its employees using every hacker’s favourite tool: Google. The information collected is then used to select individuals who the attacker deems to be a weak link in the company’s security. The attacker has selected you and begins a targeted spear-phishing campaign against you. They know a lot about you from your public Facebook and LinkedIn accounts and they have crafted an email designed specifically for you. The email is sent to your work account and it contains a harmless looking link, so you click on it.

You’re now a target for a cyber attack

Let’s assume you haven’t updated your browser in a while and you’ve missed the latest security update as a result. The attacker can now use that to take complete control of your computer remotely. Now the attacker is inside the company network and you are completely unaware. From here the attacker can read your email, send new emails (now as a trusted employee), and might even be able to install software on your PC. In this example, let’s assume the worst. Your computer has User Account Control (UAC) turned off because you wanted to be able to install software without needing the IT Administrator to sign-off on it every time. This has made life more convenient for you, but it has also done the same for the attacker.

Your attacker installs a variety of software on your computer: a keylogger to record what you type (including usernames and passwords) and a Remote Access Tool (RAT). The attacker waits until you go out to lunch and return and log back in, they capture your desktop password using the keylogger. They wait even longer until you go home, then they unlock your computer remotely and immediately get to work.

At this point, every asset on the company’s internal network is at a much higher risk of being breached. Any application servers, database servers, and file-sharing servers are high-value targets for cybercriminals. In this example, let’s say that your company has a file-sharing server that everybody has access to. This server contains sensitive data such as payroll information, plans for mergers and acquisitions, and customer records. This could all be valuable information to the discerning cybercriminal. Customer records and payroll information contain personally identifiable information that could be sold on the darknet black market. Information about your company’s business strategies could potentially be sold to competitors, depending on how scrupulous your competition is.

Let’s examine how to prevent this hypothetical attack, but let’s do it backwards – starting with the file-sharing server.

File-shares should have the accessibility of their files and folders divided up by groups. People from payroll should never be able to access the shared files for sales, and vice versa. This won’t stop an attacker from having some access to the file-sharing server, but it does prevent an attacker from being able to access everything on the shared drive. If the attacker has compromised somebody from marketing, they still can’t see what’s in the management folder. File and folder permissions are a common slipping point for organisations but it’s simple to implement and is a highly effective way to reduce risk.

Now we move back to your computer. Remember how the attacker was able to install new software on your computer because UAC was turned off? UAC plays a pivotal role in security because whenever new software is being installed, the user should be notified to make sure that they intended to install it, even better, the IT administrator might need to provide their credentials for installation to proceed. If the victim’s computer in this scenario had UAC turned on, or if their user account was not a local administrator, when the attacker tried to install their Keylogger and RAT, the user would have been alerted and might have had the chance to report the incident. Unrecognised software trying to install itself should be an immediate cause for concern and investigation.

The next thing that would have helped to prevent this attack is having the user’s software up to date. The user’s browser was out of date and was missing security updates. This presented the attacker with an easy way to infect the computer with malware as soon as the user visited a link provided by the attacker.
Moving further up the stack to the incident that presented a point of entry to the attacker: the phishing email. The user clicked on a link in an email from an unknown sender posing as a trusted source. In situations like this, where you may not be 100% sure of the veracity of an email, I like to remember the old Russian proverb popularised by Ronald Reagan during the Cold War:

“Trust, but verify”

If you get an email claiming to be from your bank telling you that your account has been frozen, and you need to provide your PPS to un-freeze it, call your local branch and see if they know anything about it.

If you get a phone call from someone saying they’re from Apple support and that they need to verify your iCloud username and password, tell them you’ll call them back. Look up Apple’s support email on their website and send an email to Apple yourself, asking if they need to verify any of your details.

The final step that could have been taken by the company to prevent this specific attack would be to use a service like Spam Titan to automatically detect emails from unknown senders and mark them as suspicious. These emails can then be reviewed with a sceptical eye to determine if the sender is legitimate or not.

We often think “Sure why would anyone hack me?” and when we ask ourselves that, rather than dismiss the question with a “We’re only a small outfit” or “We’re in the shticks!”, instead, try to really answer the question. What makes you a valuable target? Maybe it’s that you are an employer and you’re a possible stepping stone. Then ask yourself “Why would anyone try to hack my employer?” and again, attempt to answer that question. What kind of information does your company have that could have value, even in the darkest markets? Would anybody have reason to want to damage the company’s image or operations? These are genuine questions that we should ask ourselves regularly as part of a good security process.

A thought experiment I find useful is to think about the following: if I walked away from my desk right now – with my computer unlocked – and somebody with malicious intent sat down straight away, what would they be able to do? What would they have access to? Are they logged into my email? What about my Facebook? What about my company’s CRM or Ticketing service? Even worse, if they’re able to use my browser, and they have my computer’s password, can’t they see all my saved passwords in Chrome or Firefox? This is the kind of access we grant to cybercriminals when we click on a link in a phishing email. Yikes! It’s a scary thought to have, but time and time again, when you see a company has suffered a data breach, had their systems held for ransom, or had their computers used for illegal purposes, it always comes down to the simple things we fail to do that could save us a world of hurt.

As an organisation, we can take certain precautions to ensure that we are doing all we can to prevent successful cyber-attacks on our systems:

1. Have clearly defined and comprehensive Information Security and Data Protection policies and procedures
2. Have periodic training for staff to update or refresh their knowledge on the current policies
   (Security Awareness Training is now a requirement for GDPR compliance)
3. Perform internal checks to ensure that the policies and procedures set out in step 1 are being followed
4. Get a third party to perform a periodic audit of your IT systems.

At Intuity, we offer services related to Cyber Security in the form of IT Vulnerability Assessments, Penetration Testing, and IT Security training and consultation services. We would love to work with you to keep you and your customers safe, secure, and cybercriminal-free.

Email us today to arrange a demo or a complimentary consultation from one of our security experts.