The 2022 Verizon Database Breach Investigations Report (VDBIR) shows that 88% of all incidents have a human element as partial causation for the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?
Leadership expert Simon Sinek has a model called the Golden Circle which provides a vehicle to help leaders better communicate company goals and achieve employee buy-in of the mission. Traditional top-down communication starts from what. What to do, or not to do, and then moves to how to get it done. The “why” of a task is only explained if the subordinates ask enough, and even then the answer is usually something along the lines of “because we said so”.
Sinek proposes that true leaders start with the “Why”. The conversation starts with an explanation of why something needs to be done and details the positive benefit the task will have on the organization and the employee. The leader gets buy-in for the project before they move to the hard details of the what and how.
As security and crime-prevention practitioners we are super at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. “Bad things” will happen if you click the link in this email. O.K. Thanks for your time and we'll see you all again next year.
Did we get buy-in? Or did we only do security theater?
Internet-enabled crime is largely underreported. Those affected by cybercrime may not know how or where to report their victimization. Some are too embarrassed to report it while many others don't even know they've been victimized. Regardless of the reason, the majority of persons victimized by cybercriminals fail to report it to law enforcement. A 2020 crime survey of England and Wales suggested that only 16.6% of frauds are being reported and only 1.7% of those victimized by “computer misuse offenses” are self-reporting their victimization.
Businesses aren't much better at reporting their victimization. This 2019 report by global IT and cybersecurity association ISACA found that enterprise and other business entities are vastly under-reporting cybercrime victimization, even when legally mandated to notify law enforcement and regulatory agencies.
The underreporting of cybercrimes makes the 2021 Internet Crime Report from the Internet Crime Complaint Center even more remarkable.
The Internet Crime Complaint Center (IC3) is the cybercrime reporting and analysis mechanism for the Federal Burea of Investigation. The center facilitates an easy and efficient way for citizens and businesses to self-report their victimization and losses. The collected information is then analyzed to look for trends and investigative leads. The results are distributed to FBI field offices for follow-up investigation and for information releases to educate the public. Each year the organization creates a summary of the previous year's numbers and publishes it as the Internet Crime Report.
The 2021 Internet Crime Report follows the trend of its predecessors in revealing that cybercrime has increased from the previous year. In 2021, the IC3 accepted 847,376 reports which is a 7% increase over the number received in 2020. The reported dollar loss is greater than 6.9 Billion dollars.
Remember that cybercrime victimization is grossly underreported? Yeah, so what are the true numbers for 2021? It's mind-boggling.
I stopped making new year's resolutions a long time ago because I wasn't very good at keeping them. The pressure to maintain the effort became another stressor in my life. You can only fail at losing 15 pounds or daily teeth flossing so many times. I still set yearly goals but they are something that I have developed a plan and a roadmap to achieve.
Making new years resolutions is still popular for others and I have heard many declare their ill-fated intentions over the past few days. One of the most frequent themes I've heard has been the desire to “return to normal” referencing the Covid-19 pandemic and the way it's turned our lives upside-down since 2019.
What is normal at this point? I can only assume the declarants mean a return to life as is it was in December 2019. Do we really want to go back there at this point? And how would we do that? You can't put the past two years back in the bottle.
This longing for “normal” is foreign to those of us that defend against, or investigate cyber-financial crime. The concept of normalcy doesn't exist. Well, other than the bad guys are unrelenting in their attacks and continuously evolving their tactics to defeat us. There isn't a normal because the game is continuously evolving. Much like a virus, ransomware, phishing emails, business email compromise attacks, money laundering methods, and social engineering techniques are continually mutating in response to the tactics of security and law enforcement. There are new variants every day! The theme may be the same but the characters and their schemes are ever changing.
We never have the desire to return to normal because there is no normal. Normal is chaos. Everyday.
Welcome to 2022 and another year of combating cyber-financial crime. Normalcy is not an option.
I have previously written about the rise of “dog fraud” and the increase of fake websites and Internet marketplace ads offering designer dogs that don’t exist. Well, the breeds of dogs exists, the seller just doesn’t actually possess any to sell. These fraudulent sellers are usually found operating on web marketplaces such Facebook and OfferUp but have also gone to the extreme of creating entire websites. And some of them are well designed and functional, not just a Weebly template with some stock photos.
I suspect the next breed that will be the focus of scammers is the Shiba Inu. The rapid ascent of the Shiba Inu cryptocurrency has resulted in images of the dog posted front and center of just about every mainstream press website and periodical. It is a really good-looking dog and with a price range of $900 to $2500, it will also look good to the scammers.
In my experience, dog scammers had been focusing on the trendy and highly sought after, French Bulldog. I compared searches for the two breeds on Google.
“Shiba Inu for sale” (red) versus “French bulldog for sale” (blue)
Searches for the Shiba Inu are trending up, not as dramatically as I assumed, but have certainly risen to equal that of searches for French bulldogs.
I suspect that the Shiba Inu will create a lot of empty wallets, crypto, and leather.
This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those that threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliance to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt the malicious cyber actors.
Israeli defense minister Naftali Bennett describes Iran as an Octopus that spreads its influence across the middle-east through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine” declaring the only way to successfully beat an octopus is to target its head. “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also”. Life comes from the head, not the tentacles.
Previously the Biden administration outlined a new strategy for combating ransomware and cybercrime as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs hoping to remove the financial incentive of cyber-criminality.
Targeting the financial systems is just striking at one of the tentacles. You may cut it off but seven more exist and as you battle those the injured one will grow back.
The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, accounting for a 78% increase.
That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?
My immediate thought was IC3 is now considering Denial of Service for Ransom attacks as extortion which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920's gangster walking to the local butcher shop, “Nice shop you have here, would be a shame if you had a fire” but apply it to a website ala “Nice website you have here, sure would be a shame if it was taken offline”. I have previously written about RDOS (Ransom DOS) attacks.
Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “what are 'three quick things' that someone can do to protect themselves from cybercrime?”. It was such a simple question but it really caught me off guard. How could I hesitate on this? I just spoke about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool but as I looked back, the three tips that I gave weren't the best. It wasn't that I didn't know the answer, in fact, the complete opposite, I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points. The quick and immediate “musts” of your topic.
Since that time, whenever I go speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy during a regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.
Most small businesses, say less than 100 employees, do not have any dedicated employee for IT services, let alone security. Most time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contract services but for most, security is a wing and a prayer.
“What are some things I can do to keep my business secure?” is the most frequent question I get asked by these small business owners.
I was recently involved in a conversation with colleagues where we marveled over the abundance of suitable victims that perpetuate cyber-criminality. Police agencies around the country receive daily calls from people who wish to self-report their technology-enabled victimization. I am cautious to not engage in victim shaming but the majority of these reports leave investigators speechless. Literally, head shaking and speechless.
Our conversation begged the question: Why do we even show up to work anymore? We could be sitting on a sunny beach, drinking pina-colada’s, and running Craigslist frauds from our prepaid cellphones!
The conversation was obviously in jest, but the underlying questions have stuck with me. Internet-facilitated crimes are fairly easy to conduct, remain a relatively low risk, and are very profitable. So what keeps those of us who understand the methods and mechanics of cyber-fraud from committing them ourselves? There are thousands of law enforcement and private security practitioners all around the world that have a deep understanding of how, and why these fraud techniques work. They know the capabilities of law enforcement and are aware of what gets investigated and what does not. And yet, they continue to show up every day to fight the good fight and never engage in any criminality. Even when crime is the easier and much more profitable choice.
In October of 2020, the Treasury Department issued a warning to domestic financial institutions that facilitating ransom payments on behalf of ransomware victims could be an Office of Foreign Asset Control (OFAC) violation. The warning noted that many ransomware attackers are seated in countries that are on the OFAC sanction list. These countries include North Korea, Russia, Ukraine, Iran, and Syria. Shortly after that warning was issued I published an article titled “Ransom and Rats” where I explained why law enforcement strongly discourages ransom payments. Paying the ransom perpetuates and broadens the crime by rewarding the bad guys for their criminal conduct. I likened the ransomware actors to the rats used by psychologist B.F. Skinner. If every time the rat hits the bar it gets food then it is going to keep hitting the bar. If ransomware actors continue to get paid they are going to keep spreading ransomware!
Of the classical criminological theories that can be applied to cyber-enabled crime, the Rational Choice Theory fits perfectly when applied to ransomware actors. The theory holds that people are free to choose their behavior and makes these choices based on the avoidance of pain and pursuit of pleasure. People choose to commit crime because it is in some way rewarding, either mentally, physically, or financially. Offenders will commit a crime when it is fun, satisfying, easy, and financially rewarding. Crime is discouraged through the fear of punishment. If offenders believe they will be identified, captured, and punished, they are less likely to engage in a given criminal activity. People consider the cost to benefit factors when deciding to commit a crime and act accordingly in their own best interest. They make a rational choice.
This is the basis of the current ransomware epidemic. Ransomware attacks are easy to facilitate, there is a low likelihood of identification or capture, and it is profitable. If you have no moral convictions prohibiting you from engaging in criminal activity there is no reason to not give ransomware a try. It is a rational choice.
Did I mention that ransomware attacks are profitable?
Bitcoin is surging with the price breaking the $28,000 price point this week. By all accounts, it will continue to rise through the new year. An Internet search yields dozens of explanations for this meteoric price increase but one of them, and probably the true reason, is rarely discussed. The current price of bitcoin is being driven not only by speculation but by crime.
Legitimate investors are purchasing Bitcoin for much the same reason you place your money in any investment instrument. You hope to sell your holdings at a price much higher than you paid for them thereby yielding a profit. Whether corporate stocks, artwork, real estate, or Pokeman cards, you hope to turn your money into more money as the price of the property you hold becomes more valuable over time. Digital currency is no different. People are purchasing bitcoin in the hopes of selling it at a later date for a much higher price than they paid for it.
The steep rise in Bitcoin price over the past few months has drawn the attention of the media. As people learn about the price increase they decide to enter the game and try to ride the rising tide to profitability. As more and more people buy the price continues to rise. As the price rises so does the media attention which brings more people into the game. It is a perfect example of the snowball effect.
But the real question should be, what spurred the initial increase in price from it's 2020 low price of $4900 in March?