F-Secure's Mikko Hypponen Details 5 Top Cybercrime Trends
From Nation States to Ransomware Gangs, Online Crime Pays
Online crime continues to be one of the most lucrative illegal enterprises in the world. Yet many of the techniques now being successfully used by criminals aren't new, said Mikko Hypponen, chief research officer of Finnish security firm F-Secure, in a June 7 keynote speech at the Infosec Europe conference in London.
In a briefing devoted to "profiling the connected criminal," Hypponen said many seemingly new attacks have old roots, thus demonstrating the challenge of eradicating these threats. "Everything old is new again - old problems come back to bite," he said.
Here are five such trends highlighted by Hypponen:
1. Nation State Robs Banks
One of the biggest cybercrime stories of all time centers on banks that use the SWIFT interbank communications network, and the theft of $81 million from the central bank of Bangladesh (see 5 SWIFT Cyber Heist Investigations).
"SWIFT has not been hacked. SWIFT is the way independent banks move money across the borders. What has been hacked are systems of those banks that use SWIFT to move money around," Hypponen said. "We know of four banks that have been breached; there are probably more."
Hypponen said the attacks on SWIFT-using banks are notable for the degree to which they have been customized for targeted networks, for example modifying the output of printers used by Bangladesh Bank, to hide evidence of attackers' fraudulent money-moving messages.
When it comes to attributing the attacks, one smoking gun is that the encryption key used for the communication channel of the malware deployed against the banks was identical to the encryption key used in the malware that attacked Sony Pictures Entertainment in 2014, Hypponen said. The Sony attack was attributed by the U.S. government to North Korea. While the information security community was initially skeptical of that attribution, he noted that a subsequent report in The New York Times revealed that the U.S. National Security Agency knew it was the North Koreans because it had hacked their computers prior to the Sony attack (see How NSA Hacked North Korean Hackers).
"Now I'm not saying that North Korea did the SWIFT attack, but North Korea did the SWIFT attack," Hypponen quipped. The precise motivation for the attempted $1 billion theft from Bangladesh Bank remains unknown.
"Is this North Korea trying to fix their budget deficit by trying to steal from the rest of the world? Maybe it is," Hypponen said. "What we know for certain is that this is the first time in history that we've seen a nation-state attack that isn't done for espionage or spying or sabotage, but which is actually done for stealing money."
2. Malware: Locking PCs Since 1989
Barely a day now goes by without a report of a targeted attack successfully infecting a hospital or other business, or a warning about a new strain of crypto-locking malware or a new extortion tactic. While the technology associated with ransomware continues to evolve - demanding payment via bitcoins being but one recent innovation - Hypponen said the underlying tactic dates from 1989, when floppy disk malware called the AIDS Information Trojan emerged. It purported to be a quiz that would assess the user's likelihood of getting AIDS, but after 10 days the virus would hide directories and overwrite filenames unless the user paid a ransom.
"There's 27 years between these two ransom Trojans," Hypponen said. "Granted, the new one asks for the money transfers to be done in bitcoin," but in many other respects, these attacks are "really very, very similar."
3. Criminals Build Business Empires
Criminals' collective enthusiasm for ransomware means that there are numerous, distinct types of such malware targeting organizations and individuals, each competing to develop innovative new ways to exploit large numbers of victims. "We track right now about 100 ransom Trojan families, and almost every one of those is done by a different group - and these guys are businessmen," Hypponen said.
What he means is that different groups seek out different "customers" and aren't afraid to stab - or hack - their competition in the back. For example, after the "Rannoh" group customized their Trojan to shake down Finnish speakers, "the other gangs stole that from them," Hypponen said.
4. Bad Password Practices Still Bite
Hypponen said that like more than 100 million other people, he was a victim of the 2012 LinkedIn breach, and that he recently learned of that fact thanks to Troy Hunt's free Have I Been Pwned? breach notification site, which he recommended to everyone in the audience.
When it comes to passwords, he said, vulnerabilities persist on the service side - such as LinkedIn failing to hash its passwords in a secure manner, or to "salt" them to make the hashes more difficult to reverse - as does user error, such as picking poor passwords (see We're So Stupid About Passwords: Ashley Madison Edition).
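The weakness Hypponen describes is easy to see in code. The following is an added example, not code from the article or from F-Secure: it contrasts a fast, unsalted hash (SHA-1 is used here purely as an illustration of that class of scheme) with a per-user salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256), using a small constructed set of user records.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample records for illustration only. Two users share the same
# weak password, a common situation in real credential dumps.
USERS: Dict[str, str] = {"alice": "password1", "bob": "letmein", "carol": "password1"}

PBKDF2_ROUNDS = 200_000  # assumption: a cost chosen for this demo, tune per deployment


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Same password -> same digest,
    so one cracked digest unlocks every account (and every breach) using it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """The corrected scheme: a random per-user salt plus a slow KDF.
    Returns (salt, hex digest); the salt is stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest.hex()


def verify_pbkdf2(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def distinct_unsalted_digests(users: Dict[str, str]) -> int:
    """How many unique digests the weak scheme yields: duplicates leak
    which users share a password before anything is cracked."""
    return len({unsalted_sha1(p) for p in users.values()})


def distinct_salted_digests(users: Dict[str, str]) -> int:
    """How many unique digests the salted scheme yields: one per user,
    even when the underlying passwords are identical."""
    return len({salted_pbkdf2(p)[1] for p in users.values()})


if __name__ == "__main__":
    print("unsalted distinct:", distinct_unsalted_digests(USERS))  # 2 of 3
    print("salted distinct:  ", distinct_salted_digests(USERS))    # 3 of 3
```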
5. Cybercrime Unicorns: No Myth
Hypponen noted that some cybercrime gangs appear to have amassed hundreds of millions of dollars in illicit profits, if not more. Security experts and law enforcement agencies know this thanks to the bitcoin blockchain, the public ledger of bitcoin transactions, which allows them to trace the amount of money flowing to bitcoin addresses controlled by criminal groups.
If these criminal gangs were private businesses, he said, several might have public valuations over $1 billion, thus making them the startup equivalent of a "unicorn," the venture capitalist term for a startup company with a valuation of more than $1 billion (see I Believe in Cybercrime Unicorns).
"Think about it, cybercrime unicorns," Hypponen said, adding: "2016, that's where we are."