Wednesday, May 6, 2015

How Hackers Profit

Today, I am a hacker.

I have breached your system; I have stolen your customer and employee data, your financial account information and your intellectual property. I have your databases of stored email accounts and a large supply of employee personal data you did not know was stored on your system (iTunes accounts, Facebook logons, software credentials, etc.).

So now, how do I make money? I mean, that's why I attacked you: I'm a financially motivated hacker. I didn't attack you because I'm a spy, or because I wanted to destroy your network, or even to embarrass you for your corporate politics, beliefs or lifestyle.

I attacked you to make money.

The easiest play is to use the credit cards, right? No, not really. Carding is more of an art now, as it requires special know-how to circumvent address verification systems. In addition, I need "mules" to collect the goods I buy and then reship them.

The credit cards I have stolen, I will sell or trade. The going rate is about $.06 per card. Alternatively, I can trade them to other hackers for services, software or exploits.

Next up is banking details.  If I have full access to your bank accounts I can make transfers to accounts I own.  Again, this takes some planning, as I need to make sure the accounts the money will be paid into are not in my real name and that as soon as the money arrives in those accounts, I transfer to a second and third account, thus hiding the trail.  This takes pre-planning and a good network of people to move the money around and extract the cash.

Now to the email addresses and employee/customer data. Much of this can be sold to others who are set up to use it for various schemes, like phishing to spread malware and botnets.

I'm going to use it for advertising. I have a program that will try to access all the email addresses, social media and other online systems by inputting the email addresses and passwords I stole. Since 85% of people use the same password for everything, this should be very successful.

Once I access their (your employees' and customers') email and social media accounts, I'll harvest various data sets like financials to commit fraud. I'll likely use the access to install ransomware, encrypting the user's hard drives and demanding payment of about $500 to provide the password to free up the data. However, I'll also start impersonating the real account holder.

It's not really identity theft, as most call it; it's more like an account takeover.
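Seen from the defender's side, the credential-reuse run described above leaves a recognizable pattern in authentication logs: one source trying many different accounts in a short time. The following is an added example, not part of the original post; the log format, sample lines, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2015-05-06T10:00:01 203.0.113.10 alice@example.com FAIL
2015-05-06T10:00:03 203.0.113.10 bob@example.com FAIL
2015-05-06T10:00:05 203.0.113.10 carol@example.com OK
2015-05-06T10:00:07 203.0.113.10 dave@example.com FAIL
2015-05-06T10:00:09 203.0.113.10 erin@example.com FAIL
2015-05-06T10:00:11 203.0.113.10 frank@example.com FAIL
2015-05-06T10:01:00 198.51.100.7 gina@example.com FAIL
2015-05-06T10:01:40 198.51.100.7 gina@example.com OK
"""

def parse_log(text):
    """Turn log lines into (time, ip, account, ok) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2].lower(), parts[3] == "OK"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that try many distinct accounts within one time window.
    Returns {ip: accounts that logged in successfully from that source}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            accounts = {e[2] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                # Any success from a flagged source is a likely takeover.
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The accounts returned for a flagged source are the ones to lock, reset and review for follow-on activity. A user who mistypes a password retries one account and is not flagged; grouping by source IP is the simplest key and misses runs spread across many addresses.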

I'll send out email and posts, comments and tweets as the true owner of the account, encouraging people to go to websites or click on links. Why? Because I get paid by advertisers to drive traffic to websites, with a bonus if I can get them to click on ad links (it's called performance marketing).

The payment ranges from $2 to $200 per sign-up. So I take all the data I have and bounce through VPNs, proxies and Tor to sign your employees up for Teeth Whitening ads, Netflix, Airline Miles, Ringtones, etc. All of these pay me cash, and the victims have no idea "How those companies got their details!" On a good day, this will pay me $500-700/day.

Now for the other data: your intellectual property will go to the highest bidder, as there are always people interested in what new products your company has or the real numbers behind your earnings reports. I will also extort you, offering to return the data if you pay me. Of course, if you negotiate, it means the data is valuable, and I can use that when selling to the bidders on the underground.

The vulnerability I exploited will garner cash and a reputation online when I publish it.
Equally, the software and iTunes credentials can be sold or traded on the underground market, just as accounts on various online games like World of Warcraft have a special marketplace.

So let's see: because I stole data from you and your company, I (actually, me and the crew I work with) can:

  • Extort you, your company, your employees and your customers
  • Commit fraud against everyone's accounts
  • Sell or publicize your intellectual property
  • Impersonate everyone to drive traffic and sales
  • Sell the program I used to exploit the vulnerability in your system
  • Create a botnet to steal and monetize more data
  • Trade the data for services and build my hacker reputation
  • And if I want to, do some stalking, attack your reputation and/or spread corporate lies.


All this without actually applying myself and reading the stolen data to extrapolate other ways to use it, like stock manipulation or M&A activities.

The best thing about all this is that you will not try to come after me, because you are afraid of the reputational damage. You might ask the police or the FBI or some law enforcement agency to chase me down, but that will take several years, and I may not live in a country where they have jurisdiction.

See, when most breaches or attacks occur, everyone talks about the data stolen and the cost to the company to fix the "hole", but no one talks about how I, the hacker, will use the stolen data.

A cyber attack's impact depends on the motivation of the attacker.

Crime is for money, espionage is for secrets, warfare is for destruction and activism is to embarrass.

The way the attack occurs (phishing, social engineering, malware installs, etc.) is likely the same, but what is taken and how it will be used are often dramatically different. So is the response. Most incident response deals with how the bad guys got in and stops there. But that is only a fraction of the impact.

But then again, I'm the hacker. I encourage you to continue to do the same thing that has been done for the past 15 years when an attack occurs. Just worry about how I got in and plug that hole. I'll find another hole.

Right now, I’m busy making money off of what I stole.