Hack in the box!

security laptopOn average 30,000 websites are hacked every day*, 200,000 new malicious programs/viruses are detected every day**.  Google recently reported that they detect 9,500 websites/day infected with malware used for drive-by download attacks, where the victim only has to browse the site to become infected, and 4,000 of these sites are legitimate company websites. Small business have been a target for cyber criminals for a few years now, because they are an easier target due to their lack of budget and expertise. Is your network as secure as it can be from hackers? Are you sure? Or are you helping cyber criminals distribute malicious programs to your customers, friends and family, even if you’re computers are just acting as a base of operations for attacking and infecting others.

* Sophos Labs Report ** Kaspersky Labs Report

It is estimated that cybercrime costs the world’s economy between $1 – 3 trillion per year.

Many businesses around the world have been struggling financially for a number of years, but sadly the underground hacking economy seems to be alive and well. In July of 2013, the FBI charged two Russians for hacking into US Financial Institutions that resulted in the theft of millions of dollars from more than 800,000 victim bank accounts. One of the hackers and several other undiscovered criminals, were also charged with the stealing and selling of at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars. According to the indictment, these losses included $300 million in losses for just three of the corporate victims not to mention the immeasurable losses to the identity theft victims, due to the costs associated with stolen identities and fraudulent charges.

Underground Prices for Stolen Credentials and Hacker Services

Hacker Credentials and Services Details Price
*Visa and Master Card (US)   $4
American Express (US)   $7
Discover Card with (US)   $8
Visa and Master Card (UK, Aus & Can)   $7 -$8
American Express (UK, Aus & Can)   $12- $13
Discover Card (Aus & Can)   $12
Visa and Master Card (EU and Asia)   $15
Discover and American Express Card (EU and Asia)   $18
Credit Card with Track 1 and 2 Data (US) Track 1 and 2 Data is information which is contained in digital format on the magnetic stripe embedded in the backside of the credit card. Some payment cards store data in chips embedded on the front side. The magnetic stripe or chip holds information such as the Primary Account Number, Expiration Date, Card holder name, plus other sensitive data for authentication and authorization. $12
Credit Card with Track 1 and 2 Data (UK, Aus & Can)   $19-$20
Credit Card with Track 1 and 2 Data (EU, Asia)   $28
US Fullz Fullz is a dossier of credentials for an individual, which also include Personal Identifiable Information (PII), which can be used to commit identity theft and fraud. Fullz usually include: Full name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employee ID Number (EIN), one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs). $25
Fullz (UK, Australia, Canada, EU, Asia)   $30-$40
VBV(US) Verified by Visa works to confirm an online shopper’s identity in real time by requiring an additional password or other data to help ensure that no one but the cardholder can use their Visa card online. $10
VBV (UK, Aus, Can, EU, Asia)   $17-$25
DOB (US) Date of Birth $11
DOB(UK, Aus, Can, EU, Asia)   $15-$25
Bank Acct. with $70,000-$150,000 Bank account number and online credentials (username/password). Price depends on banking institution. $300 and less
Infected Computers 1,000 $20
Infected Computers 5,000 $90
Infected Computers 10,000 $160
Infected Computers 15,000 $250
Remote Access Trojan(RAT)   $50-$250
Add-On Services to RATs Includes set up of C2 Server, adding FUD to RAT, infecting victim $20-$50
Sweet Orange Exploit Kit Leasing Fees   $450 a week/$1800 a month
Hacking Website; stealing data Price depends on reputation of hacker $100-$300
DDoS Attacks Distributed Denial of Service (DDoS) Attacks– throwing so much traffic at a website, it takes it offline Per hour-$3-$5
Per Day-$90-$100
Per Week-$400-$600
Doxing When a hacker is hired to get all the information they can about a target victim, via social engineering and/or infecting them with an information-stealing trojan. $25-$100

*Note: All Credit Cards sold with CVV Codes

As always, there is no shortage of stolen credit cards, personal identities, known as Fullz, for sale. However, the hackers have come to realize that merely having a credit card number and corresponding CVV code is not always enough to meet the security protocols of some retailers. Hackers are also selling cardholders’ Date of Birth and other personal information. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card. VBV (Verified by Visa) data is also being sold.

It has been found that credit cards and personal identities for non-US residents continue to sell for more money than the credit cards and identities for US residents. An example of the pricing discovered for stolen credit cards, Track 1 and 2 Data of Credit Cards, Fullz, Date of Birth and VBVs for cardholders is listed in the table above.

Online Bank Accounts for Sale: Name Your Bank and Country Preference

Just as with stolen credit cards, there are hundreds of online banking credentials for sale. It has found that one can purchase the username and password for an online bank account with a balance between $70,000 and $150,000 for $300 and less, depending on which banking institution the account is located. Also one can specify the login information for an account within a specific bank and country.

Malware Infected Computers for Sale

There are thousands of compromised computers (bots) for sale by bot salesmen. The price per computer typically decreases when they are bought in bulk. The costs for infected computers (bots):

  • 1,000 bots = $20
  • 5,000 bots= $90
  • 10,000 bots = $160
  • 15,000 bots = $250

Infected computers in Asia tend to sell for less. It is thought that infected computers in Europe & U.S. are more valuable than those in Asia, because they have a faster and more reliable Internet connection.

Once scammers buy the malware-infected computers, they can do anything they want with the machines. They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers. If you don’t think there is much money in the spam business think again. Research into one of the largest spam botnets, Cutwail, it is estimated that the Cutwail gang’s profit for providing spam services was approximately $1.7 million to $4.2 million over two years.

Malware and Exploit Kits for Sale

A variety of Remote Access Trojans (RATs) are for sale ranging from $50 to $250. Most of the RATs are sold with a program to make it Fully Undetectable (FUD) to anti-virus and anti-malware. However, there were some hackers who sold the FUD component for an additional $20. For those RAT buyers who want the seller to do all the work for them, eg: setting up the RAT’s Command and Control Server, configure the malware to be FUD and possibly infect the target, they could pay an additional $20 to $50.

Exploit Kits – One of the offerings the Sweet Orange Exploit Kit for lease charged between $450/week and $1800/month. Sweet Orange is certainly more expensive to lease than the once popular BlackHole Exploit kit. Before BlackHole’s supposed creator was arrested, the leasing rates for BlackHole were:

  • 3 months—$700
  • 6 months–$1,000
  • One year–$1,500

Hacker Services for Hire: DDoS Attacks, Hacking of Websites, Doxing

Hacking into a Website

The cost to hire a hacker to break into an organization’s website runs between $100 – $300. Generally the higher the fee, the more reputable the hacker. What is worth noting is that most hackers for hire will not hack into a government or military website.

Distributed Denial of Service (DDoS) Attacks

A DDoS is where 1000’s of computers, controlled by a RAT, are used to attack a website and bring it to a halt through sheer volume of traffic. Those customers wanting to purchase DDoS Attack Services could pay by the hour, day or week. Most hackers who provide the DDOS attacks guaranteed that the target website would be knocked offline.

The rates were as follows:

  • DDoS Attacks Per hour = $3-$5
  • DDoS Attacks Per Day = $90-$100
  • DDoS Attacks per Week = $400-600

Doxing

Doxing is when a hacker is hired to get all the information they can about a target victim. Their methods include searching public information sites, social media sites, as well as manipulating the victim via social engineering and infecting them with an information-stealing Trojan. There are a lot of Doxing services for sale on the hacker underground, A “Vouch” from customers is used to verify that the hacker providing the Doxing service is legitimate. Doxing services range from $25 to $100.

Name Brand Products, Get Them For Cheap

Another service being sold on the hacker underground is where hackers will sell popular products, below the retail price. The hackers will obtain a specified product for a buyer either by using a stolen credit card or by working a scam, where they contact the retailer’s customer service representative and pretend to have purchased the item from the vendor, and it was damaged. The customer service representative is convinced that the complaint is legitimate, and they send out a replacement to the scammer, who in turn sells the product below the retail price.

Summary

For the most part, it does not appear that the types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years. The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or Personal Credentials. In 2011, hackers were selling US bank account credentials with balances of $7,000 for $300. Now, accounts with balances ranging from $70,000 to $150,000 go for $300 and less, depending on the banking institution where the account is located. In 2011, hackers were selling Fullz for anywhere from $40 to $60, depending on the victim’s country of residence. Fullz are now selling between $25 and only go up to $40, depending on the victim’s location. It is believed that the drop in prices further substantiates that there is an abundance of stolen bank account credentials and personal identities for sale. There is also no shortage of hackers willing to do just about anything, computer related, for money, and they are continually finding ways to monetize personal and business data.

Key Protective Security Steps

Companies should adopt a layered approach to security and consider implementing the following:

  • Firewalls around your network and Web applications
  • Intrusion Prevention Systems or Intrusion Detection Systems (IPS/IDS). These inspect inbound and outbound traffic for cyber threats and detect and/or block those threats
  • Host Intrusion Prevention Systems (IPS)
  • Advanced Malware Protection Solution
  • Vulnerability scanning
  • 24 hours a day x7 days a week x365 days a year log monitoring, and Web application and network scanning
  • Security Intelligence around the latest threats (people working on the latest threats in real-time, human intelligence)
  • Encrypted email
  • Educating your Employees on Computer Security. A key protective measure is to educate your employees to never click on links or attachments in emails, even if they know the sender. Employees should check with the sender prior to clicking on the email links or attachments. Client side attacks using email attachments and hyperlinks to malicious code on the web are the two major infection vectors.

The good news for SME’s is that there are some products out there that are open source and free that can cover a lot of the above. Configured correctly will help to protect the network from malicious hackers, at least make them want to bypass you and attack an easier target.

Individuals Should Implement the Following Security Steps

  • Computer users should use a computer dedicated only to doing their online banking and bill pay. That computer or virtualized desktop should not be used to send and receive emails or surf the web, since Web exploits and malicious email are two of the key malware infection vectors.
  • Avoid clicking on links or attachments within emails from untrusted sources. Even if you recognize the sender, you should confirm that the sender has sent the specific email to them before clicking on any links or attachments.
  • Reconcile your banking statements on a regular basis with online banking and/or credit card activity to identify potential anomalous transactions that may indicate account takeover.
  • Make sure your anti-virus is current and can protect against the latest exploits. Also, make sure that your anti-virus vendor has signatures for detecting the latest Trojans and that you have the most up- to-date anti-virus protections installed.
  • Do not use “trial versions” of anti-virus products as your source of protection. Trial versions of anti-virus products are good for testing products, but do not continue to use the trial version as your protection for your home or work PC. The danger is that the trial version does not receive any updates, so any new Trojan or virus that is introduced after the trial version was released will have total access to your PC.
  • Make sure you have your security protections in place. Patch management is key. It is critical that as soon as they become available you install updates for your applications and for your computer’s operating system.
  • Be cautious about installing software (especially software that is too good to be true – e.g., download accelerators, spyware removal tools), and be conscience about pop-ups from websites asking users to download/execute/or run otherwise privileged operations. Often this free software and these pop-ups have malware embedded.

Make sure your company is not an easy target for the cyber criminals by having a penetration test by a trained and experienced Certified Ethical Hacker.

Penetration testing is the process of evaluating both your physical and digital security systems and finding all areas that are insecure and that need attention. The main goal of penetration testing is not only to find security vulnerabilities, but to attempt to exploit them as well, which can decrease the chances of data loss or allowing unauthorised persons access to secured data. Common problems discovered by penetration testing include software bugs, design flaws and configuration errors. Once these have been identified, they need to be quickly repaired in order to ensure that safety isn’t compromised for longer than necessary. Testing is vital for any business, no matter how large or small, as data has become the most important currency available to organisations and hackers.

Penetration testing should be performed by an experienced tester from outside the organisation or the service provider whom has configured the solution, website, network, etc. It is all too easy to ignore or turn a blind eye to a known issue, or to have the attitude of ‘Nobody could possibly find that flaw!’ or ‘Who would want to hack us? We’re not interesting enough!’ As this involves the security of the business, no half-measures can be taken. Security breaches happen every minute of every day, and unless you have a dedicated team for penetration testing, it may be wise to consider outsourcing the procedure. Having an in-house team is ideal, but there are many businesses that find good reasons to outsource the testing and security of their information systems.

Thanks to our Guest blogger this month
Wynn Jones ECSA/LPT CEH CHFI CVE CCA MCSE
http://www.praetoriansecurity.co.uk

 

Is Virus Protection enough anymore?

virus protectionI thought I would burp a little about the recent news broadcasts detailing the attacks that have happened, as well as the ones that are about to hit in around two weeks’ time.

Let’s start with the one that already happened, the Heart bleed exploit. This affected web servers and took advantage of a flaw in a commonly used library to gather random chunks of working memory. Unfortunately these random chunks often contained people’s login details or other personal information. And so we all had to go and change our passwords for many of the web services we use, Google, Facebook, and Yahoo and so on. Wait, you haven’t done that yet? Well you better get in about it today and make it so!

The attack due in a few weeks’ time was announced on the news feeds last week, and you need to make sure that all your computers are up to date and virus protected within the next two weeks. You have been warned!

So what’s new?

Well, in actuality, nothing is new. We have been plagued with hackers, attacks, and viruses for as long as I have been in IT.  And there is even a possibly they were around before then, I am not as old as you think you know! We have long been advised to keep our computers up to date, to install virus checking software and ensure we have the latest virus definitions. Yet we still succumb to the viruses as they hit the web. Is it because we just get lazy and don’t maintain our computers? Has the computer age made us feel that the software should maintain itself? Why do we have to do anything manually?

I have repaired machines in the past, and have asked the user if they had anti-virus software. The answer was often yes, as it came with the computer. Brilliant I said have you updated it recently … a long pause … no, was the reply, doesn’t it do that itself? I then checked the machine to find that the software was on it when bought, but had never been launched and never registered. In fact, it had simply been taking up some hard drive space and doing not a lot else! Given this was roughly three or four years after purchase, I will not tell you the number of infections I found on that machine.

Which hat are they wearing?

These days you can attend college or university and do an Ethical Hacking course, and come out with a matching qualification. Now if you use this the right way (known as white hat hacking) you will become an asset to any company wanting to protect their systems. Of course, used the wrong way (black hat hacking), you can cause mayhem and leave damage in your wake.

Help me Ian; what do I need to do?

Put simply, you need to do what you have been told to do for as long as I can remember. That is: keep your computer up to date, and keep anti-virus software on it and up to date. If you are on a network, then make sure your firewalls and other barriers are up and running. Oh, and just to let you know, it could all be changing again as the mobile usage increases and the cloud becomes our storage … watch this space, but be protected.

Further info on some of this can be gained by reading our previous blog on Windows XP cover, and on Passwords security.

Take care and be safe…

Let us know your thoughts on this issue and how you are coping in the battle for safe working.

Has the Cloud changed the business weather?

Old Car PhoneI have always promoted the ways in which technology can help us, and how its advancement is changing the game in many different areas – from remote surgery via a net connection, to the way we communicate and interact. Some would say that this is great, and these changes are for the better – at least better than the sluggish old ways we used to do things. Others are more sceptical, and suggest some of what is happening is taking away from human interaction, often to the degree that we just can’t interact effectively face to face anymore.

With the above in mind, I must confess that I do a lot more typing than writing, and as a result my writing skills are just not what they used to be. Saying that, some would say my typing skills also leave a lot to be desired.

Anyway, I digress; I titled this article, “Has the cloud changed the business weather?”

This was a direct hit at what the Internet (or as it’s often called, the cloud) is doing to the way we do business. Let’s look back at the history of how it was done; again I will speak from the experience I gained over my working life.

In times gone by

In past lives I have used written reports, sending them back to my direct line manager. Then we got the marvel that was carbon paper copies, which meant I could keep a copy myself.

A fax was installed in my home office and I could fax info straight to main HQ and get it actioned. No more waiting on the snail mail to deliver. This was a revolution.

I was then made the proud owner of a pager. It would bleep to signify that I had to go to a phone and call the office. The next version had a small LCD screen where I could read a streaming text message instead of phoning in. Where was technology taking us?

OK, you have probably guessed by now that I am not a newcomer to the work environment. In fact I have been through a good number of changes to the way things are done.

The next development was a phone mounted in my company car. This was a large brick like device in the cabin, connected to a larger box that was taking up most of my boot space. The aerial was attached to the roof of the car, and off I went. However, my sales area included the highlands of Scotland, and the signal at that time was really very poor, so generally I was uncontactable unless I found a landline.

The car phone I was given after that was the first that could be considered truly mobile, and could be removed from the car and taken, yes taken with you, anywhere. WOW! This was just amazing. I could text and phone from anywhere and no longer needed to be tethered to my car.

I was then simply given a mobile phone, and along with that my first mobile computer. It had details of all the products I used to sell on it, and had the ability to allow searches and pricing on the spot in front of a client…

How could this be I hear you cry? Well that was technology for you, and it was driving sweeping changes to what we were able to do in business.

Obviously things have moved on greatly since these bygone days, and companies have had to accept technology moves one. They also have to deal with the way it has influenced what they do, and landscape of their proposed market places.

Access to the Internet started very slow, I still remember connecting via a dial up modem (33.6k which by today’s standards is the slowest thing ever) but it was new and exciting at the time. Then ADSL has superseded that, and now ADSL is on the wane due to Fibre broadband being rolled out nationwide.

With this advancement, and mobile broadband reaching similar speeds, it finally means that the cloud has come of age. The idea of ‘Always there Internet’ has truly arrived.

What we can do now in the cloud, and through the cloud, is an order of magnitude more impressive than my first work experiences of technology.

Where will it all go?

The question now, I suppose, is where will it all go? But what I want to ask you is where will you take it?

Will you adopt the latest technology and keep pushing what you can do beyond what you do now? Beyond what others are doing? The cloud is truly changing the weather in the business world in ways that a younger me could only dream of.

We can collaborate worldwide as if we were in the same office. We can have instant access to real-time information that allows us to make informed decisions faster than ever before.

We can access information at any time and any place, which means we don’t have to be tied to an office desk. Mobile Internet usage (or cloud usage if you like) has increased year on year to around 68 to 70% of all Internet traffic. Technology has improved beyond a large bulky desktop computer or chunky laptop, the information is now actually in the palm of your hand.

Our mobiles (and remember I started with a brick in my car) have now turned into smart phones. We can do all sorts of tasks using them, and that includes good quality business work.

Conclusion

I am still excited about where technology can take us, and would like to think I’m still a people person. It will never make me a recluse, so that I do not interact, but it can make my life and business world  easier. It can change the weather on the business front, and for me this has meant more sunshine and less rain, even though there will still be clouds.

What are your thoughts on adopting new technology for you or your business?

That gut Feeling?

gut feeling, intuition

Should we ignore it?

I am always fascinated by the detective dramas on TV, as my wife would tell you, and the way they portray the detective trawling through the clues and the evidence to catch the culprit of the crime.

They also use a phrase quite often where they say, “I can’t prove anything, but I just have that gut feeling he did it.” We also hear about intuition, that feeling that you know it is right or going to happen but there is no evidence or scientific proof that it will.

I have been around this world now for around 51 years and over that time I have picked up info and facts as well as experiences that allow me to make decisions on various areas that I operate in. Generally called experience. Some people keep records and statistics to back up their experience so they can actually prove what they believe. I haven’t been as smart as that, but have I feel over the years gained a degree of Intuition if you like. That built in experience that allows for you to make a call on something before all the facts are in. Now granted sometimes you are wrong. But if I have learned one thing since I setup on my own in business, it is time sometimes is not on your side and you have to be able to turn on a sixpence to make decisions and fly by the seat of your pants.

The more I read about entrepreneurs that have been successful. The more I see that they had this type of approach, and they had the, “Gut feeling”, so to speak.

With 2014 approaching, are you evaluating what you have done in 2013 and looking at all the statistics and making a call just on them, or are you using all your senses and making a call using them as well.

Now, I am not advocating ignoring the obvious, but I am advocating that sometimes the obvious is not what lies around the corner for you and your business. Sometimes we just have to go with our gut feeling.

Have a great 2014 and step out of the statistical comfort box and do something based on just that gut feeling and see what happens.