If you were to think of robbers, you might think of the kind immortalized in Hollywood movies, resplendent in masks and striped jumpers, with a weapon they use to hold up the bank, store, or in Pulp Fiction’s case, a diner. Traditionally, the rationale was a simple one. People would try to rob these places because that was where the money was.
Now, of course, that isn’t the case, and cyber-thieves are capable of stealing just as much money, if not more, armed with nothing more than bits of code. It’s an industry that is believed to be worth several trillion dollars per year across the various forms of cybertheft, including ransomware, intellectual property theft, phishing, and so on. This enormous bounty has attracted a plethora of organized criminals and state actors alike, with hackers linked to the North Korean government reported to have stolen over $100 million from Bangladesh’s central bank back in 2016.
A new report from SWIFT and BAE Systems highlights a new approach, called “ATM cash-out,” which involves hacking cash machines so that they release large quantities of banknotes, which are then picked up by “money mules.”
The report suggests that such an approach has been honed by BeagleBoyz, a hacking group widely linked to the North Korean spy agency. They’re believed to have been responsible for attempts to steal around $2 billion over the last few years.
Obviously, each individual cash machine only has a limited supply of cash inside, so such attacks are designed at scale, with the most ambitious attacks targeting machines in over 30 countries. One attack cited in the report was conducted over two hours across 28 countries, with 12,000 withdrawals made in total. The money mules then launder the money back into the system to render it legitimate.
A second report, from technology firm Akamai, highlights how the retail sector is just as threatened as the banking sector. The paper illustrates the scale of attacks made against the retail, travel, and hospitality sectors over the last few years, with darknet activity spreading the word about vulnerabilities so that attackers can exploit them en masse.
For instance, the general panic and uncertainty caused by the lockdown measures introduced to slow the spread of COVID-19 during the first half of 2020 saw a spike in the number of password combination lists circulating on the dark web. These lists were typically targeting specific industries. They were often compared with older lists, which were re-circulated, to identify new vulnerable accounts. This resulted in a spike in criminal activity, especially in areas related to loyalty programs.
The report highlights that between July 2018 and June 2020, around 100 billion credential stuffing attacks were observed, with over 60 billion of these in the retail, travel, and hospitality sectors alone.
Of course, credential stuffing isn’t the only way criminals are targeting these sectors, with attacks also commonly using SQL Injection (SQLi) and Local File Inclusion approaches. Over the same timeframe, Akamai observed nearly 4.5 billion attacks on the sector using these methods, with SQLi-based attacks particularly popular.
We’re rapidly entering peak retail season, with Christmas shoppers likely to be doing a large amount of their shopping online due to COVID-related restrictions that will almost certainly render the enormous queues of shoppers outside the biggest stores hunting bargains for Christmas. Instead, their bargain-hunting will have a digital focus, with loyalty points used to snag discounts and various other perks that have been dutifully collected over the course of the year.
These loyalty programs are not only enormously valuable to the retailers but to cybercriminals too, who can use the vast quantity of data held within them to embark on an extremely creative crime spree that could involve everything from account theft to identity fraud. While the treasure trove of data surrounding each customer may not be literally for sale in the way that users of Facebook kind of are, for the cybercriminal, the difference is a largely material one.
“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Akamai say. “Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”
While banks, retailers, or diners may not be at risk of a physical hold-up in the same way that a previous generation of bankers and retailers may have been, the risk from cybercriminals performing much the same deeds from the comfort of their living room is no less grave. Hopefully, in time, it’s a threat that the industry will wake up to.