Cybercrime 2.0: The Battle Of The Specialists

“Are the cybercriminals getting smarter? Are they really that much smarter than we are?”

That was MPD CEO Karen Webster’s question for PayPal’s VP of Consumer Risk Mike Vergara during their discussion about the recent episode of Starbucks fraud that many, many people initially misidentified as a breach of the most famous purveyor of coffee’s mobile payment app.

Starbucks, as it turns out, wasn’t breached; the episode was very much like the Apple Pay security kerfuffle earlier this year. The fraud perpetrated was the use of stolen data to create fraudulent accounts that were used to get some fraud cooking. However, 2015 is beginning to show that this is something of a distinction without a difference. Between the various high-profile breaches (and it doesn’t get much more high profile than the White House itself) and the fraud that information liberated during said breaches goes on to perpetuate, some are, in fact, beginning to conclude that cybercriminals have gotten so smart they are now just smarter than our best ideas about data security.

And while the conclusion is tempting and may make some want to retreat to their doomsday bunker and resign themselves to paying only with cash from now on, the various experts PYMNTS has spoken to on this topic have come to a different — but not entirely comforting — conclusion.

It’s not that criminals are that much smarter now; they’re just more specialized.

“Cybercrime has evolved – what used to be the domain of individual actors who had to build all their own tools, scout their own leads and do all of their own heavy lifting, has now developed into its own malignant and dynamic ecosystem,” Forter CEO and Founder Michael Reitblat told Karen Webster. “Now [the cybercriminals] are becoming more institutionalized or organized, but not in the ‘Godfather’ sense of the phrase, but in the online ecosystem sense. There are people who are only building cybercrime tools and selling them and that is literally all they do. There is now cybercrime as a service. You can have a botnet built for $2 an hour. This is why collectively, the cybercriminals have become so much better.”

And, as PayPal’s Vergara noted, also why cybercriminals are able to behave more efficiently — they have managed to divide out the effort of crime in a way that lets each cybercriminal really focus in on what their best contribution to the illegal economy is.

“If you look at the criminal underworld, there is amazing specialization in these areas,” Vergara told Webster. “Different people specialize in credential capturing and hacking – that might be through malware or through phishing campaigns. But what they do exclusively is capture data they shouldn’t have. They then sell those credentials to people who are better at monetizing through fraud.”

The “good” news here, Vergara said, is that fraud itself is highly inefficient, which is to say that hackers steal a great deal of data, most of which is taken but never actually used. The bad news, however, is that because consumers are required to create lots of passwords in an increasingly digital world – but have limited memories – they often create simple ones and repeat them. This means that some stolen credentials act as digital skeleton keys that pick the locks to all kinds of fraud opportunities.

And, possibly in a fit of even worse news, it seems that some members of the cybercrime community are getting fairly brazen.

Take, for example, the phishing gang known as the “Manipulaters Team,” which has a nice, easy-to-access website where its members boast of their skills as brand research and development specialists. Note – they may be cybercriminals and have learned to hack into websites like crazy, but they have not mastered spellcheck.

Take a look.

The Manipulaters’ main area of expertise is Apple’s iCloud – according to security blogger Brian Krebs – and “a whole mess” of U.S., European and Asian banks. And that is not speculation, apparently – Team Manipulaters is good enough to “sign” all of their work via a calling card in the WHOIS website registration records for most of the phishing domains that they register.

So what does a phishing operation that specializes in iCloud and banks advertise itself as doing on its very, very public website?

“[Manipulaters] is an institute that caters to brand research & development. We have studied computer related products immensely, and are confident that we can get the job done. The learning never stops for us though, as we are always looking for ways to improve.”

Nice.

“Our goal is to help each business and brand reach their ultimate potential,” explains the “Our Members” section of the site. “We have contracts with our members that allows us to have guidelines for them to follow on their path to success. We have put these in place for a reason. This provides the stability and direction that companies/brands need to succeed.”

Altruists, really.

And because this site is not quite ridiculous enough, they also advertise to those who want to become members. Just pay $15, provide a copy of a driver’s license/ID card plus a phone or electricity bill. Nothing more beautiful than watching predators prey on each other.

And it seems the Manipulaters are also renaissance thieves, since according to Krebs they appear in the Web hosting space as well. Most of their phishing pages are hosted on Internet address space assigned to Manipulaters[dot]com. In fact, the group is listed as the current occupant of an entire Class C range of Internet addresses, from 167.160.46.0 to 167.160.46.255.

A quick tour around the site would perhaps not immediately reveal it as a locus for questionable data-gathering processes – unless of course one tried to purchase a membership – at which point the telltale sign of their industry would appear.

They only accept payment in bitcoin.  

“Ahhh bitcoin, the world’s most wonderful tool for the diversification of cybercrime,” a banking security official told PYMNTS on the condition of anonymity. “The reason they can specialize better than ever before is because the support activities for cybercrime – the phishing and botnets – are all things they can be paid for easily and individually. Criminals want to get paid, but until rather recently there was no good way to pay for things like cybercrime – where the ‘mastermind’ with the big plan and the ‘support staff’ live on opposite sides of the planet who are unlikely to ever physically need to be in contact. Bitcoin solves that problem – which is why cybercriminals like it so much better than drug dealers.”

So, to sum up, specialized cybercriminals are becoming increasingly brazen and are currently being buttressed by an easy to use, international digital payment platform that is regulated by essentially no one.

The news might have been better when it just looked like they were getting smarter.

However, the bad news remains only part of the story.

And yet, the good guys like PayPal’s Mike Vergara remain optimistic. Fraud is part of doing business, he told Karen Webster, but really, that is not exactly news to anyone in payments and retail.

“The security mindset overall is, ‘we have to try for zero fraud.’ But that’s not the way you look at it from a payments or commerce perspective,” Vergara said. “There’s always shrinkage – even all the way down to a Mom and Pop shop, it’s something you deal with. You aren’t going to shut down your store because someone steals Twinkies; you manage that, and as long as you’re making money you’re OK.”

And, as Forter’s Michael Reitblat noted, criminals are not the only ones who can evolve and specialize.

“We create a fraud free environment for online retailers,” Reitblat told Webster. “Generally we are very experienced in dealing with fraud or cybersecurity – this team has been working together for many, many years.

“We know our stuff, we know our fraudsters, we know how this world works and we know how to adapt very quickly,” he added. “In this world if you don’t adapt quickly, you die.  There is no perfect silver armor or Chinese Wall to keep the Mongolians out. Weak links will always be there, you have to find a way to block them quickly enough.”

There is no world without cybercrime in anyone’s future – but then there is no real world without regular crime in anyone’s future either. But perhaps that isn’t the worst news in the world, just an indication that the fight between cybercriminals and the security pros that take them on has become less a clash of the Titans and more a race to become the most specialized specialist.