Modern-day bank robbing: How hackers are becoming public enemy No. 1
The internet is the getaway car and malware is the firearm.
Somewhere between lighting a cigarette and robbing a few banks, John Dillinger became Public Enemy Number One in 1934.
But walking through the front door of a bank with guns blazing is not the same tactic used to rob banks and steal in 2018.
For hackers, the internet is the getaway car and malware is the firearm. Stealing money or data is easier than it was in the 1930s thanks to technology.
Financial institutions are under attack from hackers as much as any industry. The difference, however, is the immediate access to cash. For hackers, profit comes in many forms: Data is a currency that's worth stealing too.
While hackers don't quite resemble the 1930s aesthetic of Dillinger or Willie Sutton Jr., they do share a certain je ne sais quoi in their ruthless pursuit of profit; it's easier to rob someone using a computer than it is walking into a bank wearing a mask.
Banks and financial institutions are the number one target on the dark web, according to Itay Kozuch, director of threat research at IntSights, in an interview with CIO Dive. Banks are easier to scheme against because "you don't always have to rob the bank itself."
There are three modes of attack for dark web inhabitants:
1. Launch an attack directly against a bank
2. Steal from the bank's customers through phishing schemes and fraudulent emails
3. Exploit suppliers in the bank's supply chain
Each method comes with pros and cons. Directly targeting the bank is the hardest campaign to drive, but major cyber groups have succeeded, according to Kozuch. Spear phishing individual customers is an easier tactic and still indirectly robs the bank.
If a hacker unlawfully obtains a bank customer's credentials and commits fraud, the customer is entitled, through insurance, to reimbursement of the stolen funds from the bank, so the loss still lands on the bank.
Using the supply chain is a popular method because the targets are often smaller and more vulnerable. Hackers will typically look at marketing or law firms a bank is partnered with, according to Kozuch.
Because that's where the money is
In 2018, nearly three-quarters of breaches in financial firms were the result of hacking and malware, according to a Bitglass report. Goldman Sachs, Fidelity Investments, JPMorgan Chase and RBC Royal Bank were among the financial institutions that suffered a breach this year.
And these are the major banking organizations with government-scale defensive resources. But regional banks, hedge funds and private investment entities are easier targets, Mark Sangster, VP and industry security strategist at eSentire, told CIO Dive. Hackers can perform a fake redemption if the investment firm isn't paying attention.
For example, a manufacturing company was "duped" out of about $1.3 million through falsified invoices, said Sangster. The last fake bill sent by the bad actor was for $650,000, and the company paid it. After the fact, the company's bank flagged the recipient account of the wire transfer as suspicious and asked the company if it still wished to complete the transfer.
The manufacturer said yes.
Fortunately, for this particular company, the FBI had flagged a number of suspicious accounts and the money was returned.
Most criminals looking for a quick cyber robbery actually get too much credit for pulling off their feats. Everyone is "watching for an 'Ocean's 11' type of event," said Sangster, "and they're not."
Criminals are using simple tools, akin to putting on a mask and walking through the front door, by turning companies' own tools against them. Remote administration tools, which give remote employees access to internal systems, are a trusted gateway that no one is really watching.
Sangster said when those types of functions are manipulated, it boils down to a perception of trusted identity. It's like "dressing up as the security who works for the bank" and nonchalantly slipping in through the backdoor.
Whether a robbery is done by a lowbrow or highbrow criminal, there is always a victim. Banks were robbed because "that's where the money is," but Sutton's adage is dated now.
Bad actors motivated by money don't need to rob banks anymore. Anything with a vulnerability can become "cash terminals" now, Christine Meyers, director of product marketing at Alert Logic, told CIO Dive.
How quickly hackers can secure a profit is also changing. They do this by evolving the kill chain to run more efficiently and automatically, which also means cutting out the dark web marketplace: enter coin mining and cryptocurrency. "Coin mining in aggregate, you're targeting the whole internet," said Matt Downing, principal threat researcher at Alert Logic, in an interview with CIO Dive.
The move away from stealing traditional forms of money, in favor of cryptocurrencies, is changing the risk picture. If you're able to bypass the step of extracting data, "you're able to just go straight from attack to profit," said Meyers.
Bitcoin and cryptomining are enabling hackers to directly monetize heists. Cryptominers are the poster children for moral ambiguity because they can play it off as a victimless crime since they're stealing resources, according to Downing. They are also able to work in a fairly undetectable manner.
Traditional bank robbing has declined over the years because the risk is not worth the payout … like a deadly shootout with law enforcement in Dillinger's case.
Fraudulent wire transfers, credit card exfiltration or "a series of mule accounts to hide funds transferred to empty a dormant account" are pretty common types of bank theft, according to Meyers. In digital heists, highly regarded skill sets are not always a prerequisite.
The new kill chain model has condensed several steps, making it harder for companies to fully mitigate a threat and easier for attackers to exploit a vulnerability. Cryptominers can use attack scripts found in chat rooms.
In the last couple of years, hackers have moved into more mainstream channels, like chat rooms. Messaging platforms are used for transactional deals and manipulation because they are encrypted.
Who unlocks the safe
Because nearly every organization in every industry owns data, hackers are inclined to find the best return on investment. Sometimes stolen data is just "juicy information," lending itself to blackmail, said Kozuch.
A breach can lead to "data dumps" that include personally identifiable information, credentials, and so forth, said Rich Bolstridge, chief financial strategist for Akamai, in an interview with CIO Dive.
The dumps can then be put in plain text, compiled in dictionaries and sold on the dark web. The hottest product on the dark web is stolen credit cards, according to Kozuch. But nearly everything is related to money, therefore putting a price tag on data of any sort.
Though profit is the shared goal among thieves, their methods differ. The "smash and grab" criminal is focused on a quick return even if it is of low value, said Sangster. The second type of criminal hails from more organized crime groups that are "just like the mob," and the last type is nation-state actors, according to Sangster.
Nation-state actors tend to have more horsepower behind them, enabling a more impressive outcome.
In 2013, nation-state hackers were involved in a roundabout way of stealing from another country's economy. It was reported Chinese hackers stole the design of metal detectors from Australian-based communications and mining technology manufacturer Codan. "Cheap imitations" were sold in Africa after the heist, causing the company's sales to drop.
Attribution isn't always obvious in digital robbing, though calling cards still exist. Hackers can leave tags in the code to make their presence known, even if it can't be directly traced back to them, according to Sangster.
Similar to old robbers, some hackers crave notoriety. During his reign as one of the great bank robbers of all time, Dillinger professed, "You're being robbed by the John Dillinger Gang, that's the best there is!"
Follow Samantha Ann Schwartz on Twitter