The sheer persistence of cybercriminals is impressive. Every day seems to bring a fresh discovery of a breach, hack, phishing attack, or ingenious new technique for getting around IT defences.
The baddies clearly have a work ethic. They’re on the job day and night, hammering away at corporate networks so they can steal or reveal sensitive information.
What drives such tireless striving? Money is an obvious motivator, as is espionage – corporate and otherwise. Politics is another, with hacktivists looking to expose wrongdoing or punish perceived corporate greed. Ego must play its part, with bragging rights for those clever enough to pierce supposedly impenetrable cyber walls.
But hacktivism is apparently on the decline, and espionage is limited to an elite group of highly skilled engineers. For the vast majority of cyber rogues the motivation has to be monetary. The latest evidence suggests those cash rewards are considerable.
The hundred million dollar hack
Authorities in Europe and the US announced the takedown of an organised cybercrime network last week that stole an estimated $100 million USD. According to Europol, 41,000 victims lost money, primarily businesses and financial institutions.
The syndicate used a well-known malware called GozNym to infect victims’ machines and capture online banking logins, which were then used to access victims’ online bank accounts and steal money. Stolen funds were laundered through US and foreign bank accounts.
Dismantling it took a co-ordinated international law enforcement operation involving Europol, Eurojust, the United States, Georgia, Ukraine, Moldova, Germany and Bulgaria.
The time and resources needed to bring the 10 individuals accused of running the operation to justice had to be substantial. But the hundred mil they’re chasing is just the tip of a very big iceberg.
A global cybercrime economy
A nine-month study by researchers at the University of Surrey calculates the cybercriminal economy is worth $1.5 trillion USD. That’s revenue being generated, spent, and re-invested in cybercrime ‘enterprises’.
Researchers sponsored by Bromium and IBM looked at revenues and distribution of profits from money laundering, ransomware blackmail, data trading, and other commercial activities.
They found that small and medium-sized cybercriminal organisations could generate between $30,000 and $50,000 in profit annually, while big ‘multinationals’ can make more than $1 billion.
Cybercrime is now ‘an interconnected web of both nefarious and legitimate activities’ – their words, not ours.
If cybercrime were a country, it would be the world’s 13th largest economy by GDP.
Hacking as a career choice
The Surrey study confirms what security experts have been saying for years. There is a parallel cybercrime business ecosystem with features you’d only expect to see in the legitimate economy. As we reported earlier in May, once they’ve secured a prized information asset, hacking groups have the commercial and organizational nous to profit from it.
For example: A group calling itself Fxmsp hacked into three major anti-virus companies in March, nicked their pre-release software and then brazenly put the stolen code up for auction.
The group operates its own reseller network, whose members help it promote stolen products in online criminal marketplaces. The group made more than $1 million USD last year selling its ill-gotten wares.
That level of business ingenuity and, if we can use the word, ‘professionalism’, confirms again that cyber criminality has evolved well beyond bedroom malcontents or isolated hackers having a go.
It’s become a career choice or side-hustle – forming a parallel IT industry of its own.
They have people. We have people.
Against such a determined and well-organised opponent, organisations have to think beyond technical solutions as the only way to stop a breach. The profitability and sophistication of cybercrime mean attempts to break into your systems and steal your data crown jewels won’t stop anytime soon.
From technical vulnerabilities to poor processes and human error, IT systems have invisible vulnerabilities that criminals can exploit. Given enough time, the highly motivated, well-paid ‘threat actors’ out there will find them.
But as good as they are, we can be better.
Empowering everyone in your organisation to see the signs of an attack or spot the conditions that could enable a breach will strengthen your technical investments in information security.
A programme of security awareness training adds an intelligent, human-centric defence capability by switching people on to everyday cyber risks, whether from a phishing email, botnet infection, or an outside caller with an unexpected information request.