Cyber security is fast becoming a priority item for companies around the world as the headlines pile up about IoT botnets, ransomware and data theft (HBO). Most of the focus is on those kinds of elaborate technological attacks, and the measures that companies can take to thwart them – which is good.
The problem is that the majority of attacks are the old-fashioned kind that work by exploiting the weakest link in the security chain – good old human gullibility. And one reason such attacks are the bigger security threat is because far more cyber criminals can launch them easily thanks to other cyber criminals offering “hacking-as-a-service”.
Sophos principal research scientist Chester Wisniewski recently told Techgoondu that most attacks work by getting the victim to install and activate malware, whether via booby-trapped videos or the classic email attachment. Cyber criminals prefer customizing existing malware with a social engineering angle because it’s cheaper and easier than breaking into a computer, especially as companies like Google, Microsoft and Apple get better at fixing security loopholes and enterprises beef up their own security practices:
“Why would a criminal pay US$50,000 for an exploit and it only works for a week? Social engineering is more successful and it’s free,” said Wisniewski.
What’s more, cyber criminals on the Dark Web have built well organized services to help others launch their own malware attacks, he said:
On the Dark Web, a criminal could hire a writer to draft an e-mail that mimics a legitimate one. A graphic artist can design a website replicating a bank’s, while a translator can help get the message across in the right language to target wealthy consumers around the world.
Finally, there might be a spammer who can deliver the malware-loaded e-mails to actual targets. Some service providers even guarantee that the e-mails will be opened or they will help send another bunch for you – for free […]
There’s even “ransomware as a service”, which enables an aspiring black hat to launch a ransomware attack by simply filling out an online form. (And don’t forget that report claiming that you can rent a botnet for your next DDoS attack.)
The upshot is that cyber criminals offering hacking services are building up a customer base that then becomes your security problem – and the biggest hole in your security posture will be the gullible employee who clicks the attachment (although in the employee’s defense, cyber criminals are getting better at making a bogus email, video, website or whatever look like the real thing).