The Costs of Low-Tech Hacking

Morgan O'Rourke

September 1, 2016

Recently, RIMS, the publisher of this magazine, was the victim of a ransomware attack. Fortunately, our IT department was able to quickly recognize and stop the intrusion before it could do any real damage and the attackers were turned away empty-handed. But many companies have not been so lucky. The FBI reported that, in the first three months of 2016 alone, cybercriminals extorted $209 million from businesses in ransomware schemes. By the end of the year, they expect ransomware will be a billion-dollar-a-year criminal enterprise—and that doesn’t even account for the related business costs stemming from such an attack.

What is ironic, given how lucrative these schemes are, is how easily they can be pulled off. The RIMS attack, and many others like it, was the result of an employee opening what they thought was a legitimate email attachment.

Other attacks are even more low-tech. For example, earlier in the year, Fusion network reporter Kevin Roose paid hackers to break into his accounts and, in one instance, watched as they got access to his cell phone account through basic social engineering by simply calling the company and posing as his harried wife. With a YouTube clip of a crying baby playing in the background to help set the scene, the representative took pity on his “wife” and gave her all the information she needed. Scams like this are so easy that IT experts are reluctant to even call them “hacking,” since they really don’t require any technological know-how.

Part of the reason identity theft, ransomware, or other, let’s call them, “hacking-adjacent” scams are so successful is that people either don’t fully understand the threat or don’t believe it could ever happen to them. Take for example a recent experiment conducted by researchers from the University of Illinois. For years, many IT security experts hypothesized that users could be tricked into downloading malware or viruses if USB flash drives were simply left around for them to find and plug in.

Last year, the researchers tested the theory by scattering almost 300 flash drives around the university’s Urbana-Champaign campus. Almost all of the drives (98%) were picked up and at least 45% were connected to a computer and had their files opened. Of the individuals who did plug them in, 68% took no security precautions, meaning that they could have been exposed to malware simply because their curiosity or ignorance outweighed their instinct for digital self-preservation.

In some ways, this is understandable. Many surveys have found that the average consumer underestimates their vulnerability to cyberattacks, often believing they are not of any interest to cybercriminals. But identity and data theft is a business based on volume, not huge scores. According to SecureWorks’ annual underground hacker market report, complete identities, which include name, address, email address, phone number, date of birth and Social Security number—known online as “fullz”—go for about $20 each. Credit card numbers sell for less than $10. On their own, the unit cost isn’t noteworthy, but if you can engineer a scam that nets thousands of numbers with little effort, it adds up quickly. That means that all accounts, no matter the size, are fair game. Similarly, the malware that underpins ransomware attacks can sell for as little as $10 for schemes that are often only designed to net hundreds or thousands of dollars. The goal is not to drain a company’s bank account all at once, but to set a price that the victim will be more likely to pay, then move on to the next one.

The problem is that these scams, whether high-tech or low, can still cause significant damage to individuals or businesses. We’re all vulnerable—now we have to be more vigilant.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)
