As COVID-19 swept the globe, sending most of the world’s office workers home, what happened to the world’s cyber criminals? Did they rush to take advantage of this newly distributed workforce, and did they make more money?
According to Geoff White, a British journalist and author of Crime Dot Com, a history of hacking, cyber-criminals struggled during the pandemic, just like many businesses.
Speaking at the ITWeb Security Summit 2021 this week, White quoted from the Mimecast state of email security report from 2021, which said that since the onset of the pandemic, employees began clicking on three times as many malicious emails as they had before. One reason for this, said White, is that people felt more isolated, and there had been an ‘information vacuum’.
While this is a worrying statistic, he said that companies such as Mimecast had an agenda, which is to sell more security products. What the Mimecast report doesn’t say is whether this increased clicking led to more infections, and these statistics, said White, are hard to come by.
He also wondered if the pandemic had created more spam, and quoted Microsoft as saying in April last year that while 60 000 malicious Covid-19 themed URLs had been spotted, the overall volume of threats had not increased.
Malware down
Quoting from a Malwarebytes report on overall malware rates from 2019, he said there were 125 million infections. In 2020, the figure was 12% down, to 111 million. What he termed ‘commodity infections’ emanating from malware gangs were also down. Infections from the Emotet trojan declined by 89%, and attacks by the TrickBot trojan were also down by 68%. White also said Emotet has since been taken offline. The Malwarebytes report said, however, that attacks by outfits such as KMS and InfoStealer were increasing.
White also looked at a crypto crime report from the blockchain advisory firm Chainalysis. The report tracked the flow of money to and from wallets being used in cyber-crime campaigns; in 2017 the figure was between $3.5 and $4 billion. This declined in 2018 to about $2.5 billion, and there was a massive increase the next year – to $10 billion – but the figure halved in 2020.
“Again, during the year which people said cyber criminals are doing really well, the figures from Chainalysis indicate that 2020 had been a worse year,” said White.
The spike in 2019 was due to a massive increase in crypto scams, mainly because of one called ‘PlusToken’ which targeted mainly the Asian market, and by some reports made off with $3 billion. PlusToken has since been taken offline.
The Chainalysis report also said business appeared to be booming on darknet markets, which White attributed to the fact that people are stuck at home, and bored, and in the mood for illegal drugs. He said one particular market remarkable for its longevity is called Hydra, perhaps because it appears to confine most of its business to within the borders of the Russian Federation.
There had also been a rise in ransomware, said White, and 2020 had been a ‘bonanza year’, according to Chainalysis. Total crypto-currency value received by ransomware addresses was $27.3 million in 2018, and was at $92.9 million in the following year. In 2020 it was $406.3 million, and is at $81.5 million so far this year.
Pipeline attack
He said it had been fascinating to watch the Colonial Pipeline hack unfold, and that according to the US’s Cybersecurity and Infrastructure Security Agency (CISA), the operational technology of the company had not been affected by the ransomware.
“The concern for researchers has been hackers being able to hop over from the IT side to the operational technology side,” he said.
“CISA said the (Colonial) hackers didn’t bother, they didn’t need to,” he said, adding that the attack targeted the company’s billing and administration systems.
“Colonial Pipeline lost the ability to work out how much gas it was providing to people, and how much money should pay.”
He said at this stage, it had to cease pumping, ‘not because they couldn’t pump anymore, or not because the hackers had destroyed their ability to pump, but because they couldn’t work out when they would get the money back for the stuff they had pumped’.
He said while the Chainalysis report showed the ransomware value in dollars, the ransom was most often paid in crypto, which has seen a massive rise in value over the last year.
“The bitcoin currency price is actually more of a dynamic impact on the amount of ransomware money the gangs are making.”
White recounted the tale of how police officers arrested a man in North London, who was thought to have been harvesting money from the hacking of a bank in Malta. The hackers are believed to be the Lazarus group from the Democratic People’s Republic of Korea. The money was transferred to accounts in multiple countries, including the UK, and then used to buy expensive watches and cars.
“It’s classic crime stuff,” he said, adding that the money had to be turned into moveable assets so that it could be moved across borders. This, however, required recruiting people to take the digital assets and turn them into physical ones, and ‘this is where cyber crime starts to hit the real world’. The pandemic has also made it harder to cross borders.
“It’s harder to recruit people and it’s harder to get money mules out and about. It’s harder to get hold of the physical assets. And getting people and money is harder because borders have been sealed.”
“Cyber crime is an industry like any other, and like any other industry, it’s starting to hit the same headwinds as the rest of society. That’s interesting, because a lot of police departments have thought that cyber crime was beyond them. One of the encouraging messages about this is that cyber crime has its feet in clay, and it does have to deal with the real world.”