Abney Associates Tech Blog, Online fraud – why Heartbleed isn’t the only cyber threat

More than a decade ago, I attended an excellent talk by well-known cryptographer and security expert Bruce Schneier, where his key point was that there was nothing new under the sun when it came to security issues.

Yes, the scary stuff happening on the internet at the time, involving hackers and algorithm-cracking and malware, might seem particularly alarming because it was, or seemed, as if it had never been seen before. But actually, he argued, it was all the same old crimes, just done with new tools. Theft, identity-stealing, fraud – they’d all be familiar to a Roman.

Every time I attend a security event, or, as last week, the launch of a security report, his point comes to mind, as it puts the latest trends in malware, or the most recent outrageous hacker exploit, in a useful context. It isn’t so much what’s being done, as how it’s being done. And that, as I discovered way back when I stumbled into my first security conference in Silicon Valley and was hooked like a phishing victim, is endlessly inventive and fascinating.

And so it was, out at Symantec’s security centre in Dublin, as researchers talked through Symantec’s 2014 Internet Security Threat Report , which looks back over key developments in 2013.

Hence Heartbleed, the internet security bug that has made headlines this month, didn’t feature at all. But there were many bizarre and intriguing developments.

I found particularly fascinating a discussion on some of the potential ways to get money out of an ATM.

Most ATM crime still involves boring old “skimming”, the practice of getting hold of people’s account information, generally using some sort of card reader, coupled with a secret camera for recording passwords.

But, said Symantec security operations manager Orla Cox, in South America and more recently the US, groups are beginning to use malware to attack ATMs. They open up the front of the machine by picking the lock or using a duplicate key, then use the USB port on the machine’s computer innards to launch malware.

‘Surprisingly open’

“The actual computer part of the ATM is surprisingly open,” she noted. There are only a limited number of keys to open the tops, too, and unsurprisingly, these are now bought and sold on the internet, and are even produced by 3D printer.

Thieves can then attach a USB key to launch malware which enables someone to use the machine’s screen to access cash. Some have attached a mobile phone to the USB port inside and can simply walk up to the ATM and send a text from their phone to the ATM phone, signalling it to dispense cash.

Another interesting development has been the huge increase in targeted “spear phishing” attacks, where hackers aim to dupe individuals at a certain level, within particular industries, because they are most likely to have access to sensitive accounts and information. And who do you think might be the ideal attack target? Most would likely guess a senior executive in, say, financial services. But it’s actually a personal assistant at a mining company.

It turns out mining companies have a lot of sensitive information, including on oil exploration, which can be stolen (perhaps by corporate or state agents, or by hackers selling to same).

Also, they tend to make a lot of large payouts to suppliers and contractors, making it easier to fake invoices and hide fraudulent payouts. Symantec said one in 2.7 attacks overall was against a mining company, the highest for any industry.

Medium-sized targets

I was also intrigued by the shift away from big multinationals as a target for attacks. In 2011 and 2012, big firms with more than 2,500 employees accounted for 50 per cent of all targeted attacks. In 2013, that declined to 39 per cent, with the difference accounted for by a shift towards medium-sized companies.

That now makes SMEs the leading targets for spear phishing, said Cox, probably because security at smaller firms is poorer as the budget is smaller. Yet SMEs tend to have sensitive account information for big companies.

This is the most significant take-away for Irish businesses, she told me, as Ireland is full of SMEs that act as suppliers to multinationals here and elsewhere, or buy from them. “Smaller companies are the stepping stone,” she said. “They’re the soft touch to get into the larger companies.”

There’s plenty more to read about in the report – a rise in ransomware attacks, for example, where criminals lock down a person’s PC remotely and require them to pay up to then unlock it. Or not – once the money is sent, some just leave the poor victim’s computer in limbo. (“Back up regularly,” says Symantec.)