Our last blog dove into a brief – and perhaps shockingly long – history of cyber threats. We were able to look at how cybercriminals have evolved their tactics throughout the years, as well as how cybercrime has proliferated and resulted in the cybersecurity industry of today.
As a follow up, and because old habits die hard, this blog will show how some of the most popular cyberattacks throughout the years have stayed the course, despite our best mitigation tactics and wishes that they would just disappear.
Old threats that won’t go away
As these decades-old threats indicate, hackers apparently subscribe to the belief of ‘not fixing what ain’t broke.’ Yes, these virus and/or fraud schemes may have undergone some form of modification to adapt to the changing times, but the fact that they’re still around can only mean one thing: they’re effective, and they continue to rake in the money (or the highly sought notoriety) for criminals.
Remember the WannaCry ransomware attack we mentioned? Well, this wasn’t your typical ransomware attack. Unlike most ransomware, which infects a few victims at a time through drive-by downloads or malicious email attachments, WannaCry had worm-like capabilities: it could propagate on its own, which explains how it was able to spread across 150 countries so quickly.
Worms have been around and causing disruptions for quite some time. The Morris Worm, largely credited as the first worm, was discovered in 1988 and consisted of self-propagating malware that basically crashed a large chunk of the Internet. It infected 2,000 computers (of the 60,000 in existence) in 15 hours, left $100,000 – $10,000,000 worth of damages in its wake, and forced the Defense Advanced Research Projects Agency to create the CERT/CC or Computer Emergency Response Team Coordination Center. CERTs were the precursors of today’s security operations centers.
As the Internet grew, so did the scale of worm outbreaks. Here’s a snapshot of some of the most destructive worms in history, the estimated cost of their damage and the year they wreaked havoc:
Nigerian Prince Email Scam
While it’s difficult to pinpoint a specific incident that launched the Nigerian Prince Scam phenomenon, there are claims that its history began as far back as 200 years ago. In an era long before people could even imagine the possibility of email, this con went by many names: Spanish Prisoner, Nigerian Letter, 419 (the Nigerian legal designation for fraud), advance-fee fraud. Yet the basic premise of the scam has remained the same throughout the years.
In the modern-day iteration, this is how it works: go to your spam folder and browse through each email (just be careful not to download any attachment). Pretty soon you’ll come across a story similar to this:
An important person, usually a government official, president of a company, or royalty, is seeking assistance to transfer a large sum of money (typically millions of dollars) to your account. The reasons can vary. Some of the most common are that you’ve been chosen to be:
- a beneficiary of a will;
- the recipient of a fund;
- the winner of a special lottery; or
- an investor in a high-return investment.
However, to inherit or claim your fortune, you need to provide the sender something first. The usual requirement is to send a ‘minimal amount’ (say, $500) as a processing fee. Sometimes, they could require personal information, like your social security number, birth date and so on, plus your bank account number. The intention, of course, is simply to defraud you.
This attack highlights one of the most difficult systems to secure in cybersecurity: the end user. Human nature is notoriously tricky to patch, and no firewall can protect us from ourselves.
Over the many years that it has been used, this modus operandi has evolved both in form (the story) and delivery (email, fax, snail mail, social media, instant messaging, etc.). Yet because most individuals appear to somehow be wired to fall for get-rich-quick schemes, the Nigerian Prince Scam has never grown old.
Credit card skimmers
Another age-old cyber threat that has simply evolved is credit card skimming. A skimmer used to just be a physical device inserted into a card reader to steal credit card data. This data was then sold to unscrupulous individuals in carding forums in the Dark Web, who in turn sold the data to the manufacturers of fake credit cards.
For a long time, that supply chain stayed intact. But various countermeasures employed by the payment card industry have made it difficult to use physical credit card skimmers, so several cybercrime outlaws have sought other means of stealing credit card data.
One of those in vogue is the use of point-of-sale (PoS) malware. Once it infects a PoS system, this type of malware usually grabs credit card data via RAM scraping. It then temporarily stores each set of data in a file. Once it has accumulated enough, the malware connects to a C&C server for exfiltration.
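The staging file the paragraph describes is one of the few host-side artifacts that a RAM scraper leaves behind before exfiltration, and it is what a defender's triage or DLP scan looks for on a PoS host. The following script is an added example, not code from the original post: it scans a constructed sample of such a file for Track 2 records (the `;PAN=YYMM…?` layout read from a card's magnetic stripe), keeps only PANs that pass the Luhn check so that random digit runs are not flagged, and reports masked PANs with their expiry. The sample data is constructed; the PANs in it are the widely published Visa and Mastercard test numbers, and the surrounding log lines are invented.

```python
import re

# Constructed sample of a staging file scraped from PoS memory: benign log text,
# two genuine-looking Track 2 records, one Track 2 record whose PAN fails Luhn,
# and a bare number that is not in Track 2 format at all.
SAMPLE_STAGING_FILE = b"""
2017-06-01 10:02:11 txn ok store=0042 lane=3
;4111111111111111=2512101123456789?
order 88813 total=42.17
;4111111111111112=2512101000000000?
;5555555555554444=2609201000000000?
receipt ref 4111111111111112 printed
"""

# Track 2: optional start sentinel ';', 13-19 digit PAN, '=', YYMM expiry,
# discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d*)\??")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN and check portion), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_records(data: bytes):
    """Scan a byte buffer and return masked findings for Luhn-valid Track 2 records."""
    findings = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group("pan").decode()
        if not luhn_valid(pan):
            continue                 # digit runs that fail Luhn are not card numbers
        exp = m.group("exp").decode()
        findings.append({
            "pan": mask_pan(pan),
            "expiry": exp[2:] + "/" + exp[:2],   # YYMM -> MM/YY
            "offset": m.start(),
        })
    return findings


def report(data: bytes):
    """Human-readable summary lines, one per finding, for an analyst's triage notes."""
    return ["offset %d: PAN %s exp %s" % (f["offset"], f["pan"], f["expiry"])
            for f in find_track2_records(data)]


if __name__ == "__main__":
    for line in report(SAMPLE_STAGING_FILE):
        print(line)
```

The same scan can be pointed at a memory dump of a suspicious process rather than a file; the point of the Luhn filter is that a bare 16-digit number in a receipt or order log is noise, while a Luhn-valid PAN in Track 2 layout sitting in a file that should never contain card data is a strong indicator that scraping is underway.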
As long as credit cards continue to exist, credit card skimmers are likewise here to stay.
Technologies that won’t die (but we wish would)
Timeless cyber threats aren’t the only things we wish would disappear. Ironically, there are also certain security controls – passwords, in particular – that appear to have overstayed their welcome.
Want to know what the Morris Worm, Conficker, Mirai (the IoT botnet that launched one of the largest DDoS attacks in history), and many of the biggest data breaches in history have in common? Passwords. The bad guys just love passwords. We use them to protect our digital assets. Bad guys either break them or steal them, and end up with our digital assets. It’s a vicious cycle.
Even if we use strong passwords, crafty cyber criminals are still able to get hold of them through phishing, social engineering, MITM attacks and other techniques. The crooks responsible for mega data breaches, like the Sony PlayStation Network breach of 2011, the Yahoo breach of 2013 and the Adult Friend Finder breach of 2016, ended up with a massive haul of data that included stolen passwords. That means, because most users reuse the same password across all their accounts, those crooks likely already hold the keys needed for future breaches.
Because no strong password policy has been able to curtail attacks on passwords, several organizations have banded together to devise alternatives to this archaic control. Their initiatives look very promising, and we look forward to the time when we can finally say goodbye to passwords.
Oh, what we’d give for the relatively threat-free days of old. But then again, that would also mean giving up the world of information and communication (among many other things) that’s right at our fingertips. You have to take the bad with the good, and in this instance, I’d rather keep working against threats and strengthening security controls than give up the luxury of the technology available today.