Whether operating as a white hat hacker who audits and pen tests systems, or capturing data to sell on the black market, most hackers can easily earn a six-figure income or more. Sometimes raw data is worth more on the black market than the individual transactions it could be used for. Extortion, scamming and social engineering also allow a hacker to extract money from victims more directly, often with a much higher rate of return.
The news is quick to report a data breach, but it is often unclear what the motivation for the attack was in the first place, or what is done with stolen assets afterwards. To improve your own security, you may be wondering which information or systems you actually need to protect. Before you can adopt more secure practices and programs, you must first get inside the head of a hacker. Knowing their motivation, habits, skills, and psychology is the first step towards creating a more secure environment.
Stolen credit cards, identities and digital assets are obvious motivations for an individual to become a criminal hacker. The organized attacks of larger groups, or the penetration tests performed by white hat hackers, can be harder to understand. Some hackers are motivated solely by personal passions such as political movements, fame, power, or protecting the greater good, and these motives can be hard to distinguish from the intent of monetary gain.
Selling Stolen Data
With a combined loss of almost 100 million credit cards and customer records, Target and Home Depot suffered significant damages in attacks that only copied information. The motivation for the hackers was simple: selling valid credit cards and identities on the black market is highly lucrative. Many of these records sold for $25 to $130 each. Selling the data on the black market gave the hackers higher volume and was far easier than charging each card themselves. Furthermore, the anonymity of these hackers remains intact. They will likely walk away, free to attack another business in the future.
In the case of Home Depot, point-of-sale systems were infected with malware and remained compromised for five months. The breach exploited a zero-day vulnerability, which is essentially to say that the original programmers of the POS software did not test and secure their program thoroughly enough. With more time invested in testing and auditing the code, the vulnerability might never have shipped. Even if the entry point was too obscure to prevent entirely, the breach could still have been discovered earlier with more frequent auditing and white hat penetration testing.
Target’s breach is even harder to defend. While Home Depot was blindsided a bit more (still not a great excuse), Target’s newly purchased malware detection program actually caught the attack early on. The hackers gained access to Target’s systems through an HVAC contractor, but still needed to deploy their malicious code across the network. Target’s sophisticated security system, called FireEye, would have protected Target from any data loss with its honeypot techniques. The software, which is used by many high-end agencies such as the CIA, makes a virtual clone of the network and monitors activity. When an attacker breaches the network, they are actually trapped in the fake one and led to believe that they are making changes to the real thing. This allows security teams to respond to abnormal activity before any data is exchanged with the real machines. Rather than responding to FireEye’s warnings, Target’s security team disabled the feature and ignored the alerts. To make matters worse, their Symantec Endpoint Protection antivirus also detected the malware and escalated alerts to the security team, who passed the warnings up the chain, only for them to be ignored.
Stolen credit cards and user identities are among the most common goods sold. Most hackers have no interest in executing further attacks on the victims; instead, they sell this data to others who have a specific agenda or operation in place. Some buyers seek out user authentication databases in order to test the same email address and password combinations on other services. Others are interested in using stolen data for extortion. Surprisingly, a large number of legitimate businesses also purchase data on the black market in order to send spam emails selling a product or service.
Using Data for Other Attacks
Just like any other petty thief, many hackers operate quietly and independently, making a less ambitious living off smaller targets. Whether they breach a well-known company or deface websites to boast their name, these small-time hackers like to stay off the grid and live off the pocketbooks of fewer people. By focusing on a specific type of victim, these thieves can use their knowledge to draw from bank accounts or extort just one or two independently wealthy people. They may also purchase credit cards on the Darknet and set up a legitimate-looking monthly transaction. To the victim, these transactions look like a utility bill, but they transfer the money to the hacker’s bank account. There are many ways a petty thief can operate, and because their crimes are smaller, they may continue for years without any real threat of pursuit or prosecution.
Hacker for Hire
Keep in mind that the word “hacker” does not always refer to a criminal. Many hackers are for hire as security experts or certified ethical hackers. Quite a few companies, such as Tekkis, help businesses by performing security audits, risk assessments, penetration testing, HIPAA/PCI/Meaningful Use compliance work, and many other services. These hackers for hire are on your side, and the best ones know how to think like a black hat.
Of course, black hats are often for hire as well. Some of the more novice black hats advertise their services in various places around the darknet. The more advanced hackers take some time to track down and can often only be reached by getting in touch with their group. Malicious hackers are often hired for personal vendettas, such as defacing websites, or by businesses or government agencies looking to infiltrate a target and steal secrets.
Everyone has to earn a living, and some hackers make a great living working for governments. The United States and Israeli intelligence agencies are funded to create offensive capabilities by employing some of the best and brightest hackers. One of the most impressive and frightening attacks attributed to these governments was the creation of Stuxnet. Stuxnet was a virus designed to infect Windows-based Siemens controllers. It was deployed at uranium enrichment facilities in Iran, where it spun the centrifuges in the nuclear plants at uneven speeds while hiding the real data from operators. Given the level of control and the secret nature of the program, it could have produced far more disastrous results if deployed with more malicious purposes.
Another suspected government attacker is China, which has been unofficially blamed for many cyber attacks against the United States government in recent years as the cyber wars escalate. The US Pentagon has released reports implying that Chinese black hats have carried out several successful attacks, breaching networks and retrieving schematics for many critical systems, including missile defense systems.
Unless you are the Chief Executive Officer of a utility company or the head of security for your nation, you may not be too worried about these types of attacks. Nonetheless, it is important to recognize their implications and the fact that governments will sanction such attacks. Preventative measures against these organizations are difficult, as you have to outsmart some very sharp hackers. The best defense in this case is to better understand and consider abstract possibilities the way a hacker does.
Passion Projects Pay Too
Emotions can be highly motivating. Hackers in particular tend to be highly egotistical and proud, leading them to respond in extremes. One example is the DDoS attack executed against Spamhaus in 2013. Spamhaus is one of the world’s largest anti-spam services, protecting millions of users from malicious material and annoying content. When it blacklisted emails coming from an Internet service provider called Cyberbunker, it probably did not expect a retaliation that would cripple not only its own network but also much of Europe. The attack hit Spamhaus with traffic rates of up to 300 GB per second, making it one of the largest attacks in history.
The positive outcome of the Spamhaus attack is that many of the world’s largest internet technology companies rallied together to create tools and systems that help businesses protect themselves. Google, CloudFront and others have since created and opened services that help businesses mitigate risks to their servers or websites, often for a very affordable fee. With businesses small and large now able to leverage such powerful services, there is little excuse these days for being crippled by a DDoS attack.
Fame and Power
Many small hacker sects love to get public recognition and stroke their egos. Impressive attacks can also be proving grounds that gain them access to more powerful organized crime units. When Lizard Squad, a black hat hacking group known for distributed denial-of-service (DDoS) attacks that disrupt gaming-related services, decided to set its sights on the PlayStation Network and Xbox Live, it likely had one of these goals in mind. Usually these attacks are executed by smart but amateur script kiddies and black hat hackers. Other times, they are an ego boost for a single hacker who wants to be recognized for his skills. Whatever the case, these attacks are fairly common and among the most annoying to most organizations.
Protecting against these attacks is actually fairly easy. DDoS attacks can be mitigated by leveraging cloud services, single points of failure can be identified by security consultants, and application code audits can be performed by software development companies. The most secure systems and businesses are those that regularly consult experts and audit and update their software.