Black Hats, White Collars: Cybercriminals' Secrets Revealed

These crooks truly adopt the attitude of 'work smarter, not harder.'

October 11, 2010

We can all thank the film industry for permanently skewing our perception of computer hackers.

In true Hollywood fashion, these characters ultimately experience a transformation from antagonist to protagonist, perform impossible feats of piracy to defeat the bad guys, become the noble hero, receive a pardon for past indiscretions—and even get the girl.

Although this formula may yield box office success, the sympathetic portrayals of hackers have distorted our view of real-world hackers. Unlike actors, real cybercriminals want to avoid the limelight as they seek to steal valuable data housed within corporate or government databases.

A hacker’s toolbox

Cybercriminals truly adopt the attitude of “work smarter, not harder.” They look for the simplest, most direct route to steal information, and generally use easily repeatable processes for breaking into networks.

As a precursor to a dedicated attack, the first goal is to establish a single target, or group of related targets, and gain as much information as possible about their intended victims.

Financial institutions are rich in customer data and personal information, so naturally they’re primary targets for cybercriminals. Sensitive information about an organization can be compiled using a combination of software and physical data mining of easily accessible information and records.

Hackers use a “sniffer” program that captures data flowing over a network and looks for security information, such as user IDs and passwords, that is transmitted unencrypted.

They also search through available resources, like the organization’s own website or social networking sites, for useful information such as staff e-mail and phone lists, vendor information, or even work schedules of mission-critical employees.

This invaluable information may be leveraged by attackers to identify possible security holes, which help them devise specific methods to stage custom attacks against personnel and information systems.

Once criminals have gathered enough information about the target, they typically deploy a vulnerability scanner against the organization’s network to find the most likely place to launch the attack.

During this process, the criminal attempts to identify any known weaknesses, such as programming errors, unpatched software, or other security holes.

Hackers often use another handy tool, port scanners, to help identify what services are available on the targeted network, and potentially what vulnerabilities can be exploited. These initial attacks not only give hackers a list of potential entry points for the main attack, but also may be used to create staging points for further attacks into the network.

Depending on how relentless the attack is—and how potentially valuable the target’s information is—cybercriminals may even resort to forms of social engineering to penetrate deeply into the network’s infrastructure.

If the attacker initially was able to gather certain types of information—like staff e-mail and phone lists, service vendor information, or work schedules—the social engineering techniques may offer a much easier path to breaching security than blunt-force hacking.

In this scenario, criminals may embed malicious code, like a Trojan or a bot that enrolls the machine in a “botnet,” within a series of phishing e-mails targeted to the staff.

If opened on an employee’s workstation, the harmful code could create a back door for the hacker to penetrate the network at will, or even allow the attacker to seize control of the infected system remotely and automatically run malicious actions across the entire network.

After the initial hack

After compromising a system, the attackers’ next step is to hide their tracks and avoid detection while exploiting the network. They typically do this by patching the vulnerability that allowed them access and by modifying log files so that nothing raises a flag.

Then they set out to establish a covert channel of communication by installing a “rootkit,” a piece of malicious code that allows attackers to remotely control the system and to attack other devices on the network.

Once they’re cloaked and communicating, criminals will head straight for the most valuable information: customer data.

Chances are, they’ve already found a list of usernames assigned to employees, and now they’re betting that at least one of the users has a simple password.

Using an automated password-guessing tool that references a huge database of common passwords, the hacker often gets critical log-in credentials quickly and is well on his or her way to infiltrating deep into the network.

Of course, targeted networks with really valuable information usually have much more advanced security countermeasures, like passphrases or forced strong passwords, which make a hacker’s password-guessing tool much less effective.
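A policy check of the kind described above, written from the defender's side as an added example (not code from the article or from TraceSecurity): it rejects passwords that a guessing tool would derive from a common-password list, including the cheap mangling such tools apply (appended digits, punctuation, leet substitutions), rejects passwords that contain the username, and waives composition rules for long passphrases. The common-password list and the leet map are constructed samples for illustration.

```python
import re

# Constructed sample of the kind of "common passwords" list a guessing tool
# references; a real deployment loads a large breach-derived list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey",
    "football", "baseball", "abc123", "iloveyou", "summer",
}

# Character substitutions that guessing tools apply to dictionary words,
# so "P@ssw0rd" must be treated as "password". Constructed sample mapping.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8            # absolute floor for any password
PASSPHRASE_LENGTH = 16    # at or above this, composition rules are waived


def candidate_forms(candidate):
    """Lower-case the candidate, peel trailing digits/punctuation one at a time,
    and undo leet substitutions, yielding every base word a guesser would try."""
    forms = set()
    s = candidate.lower()
    while s:
        forms.add(s)
        forms.add(s.translate(LEET_MAP))
        if s[-1].isalpha():
            break
        s = s[:-1]
    return forms


def check_password(candidate, username=None):
    """Return (accepted, reason) for a proposed password."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if username and username.lower() in candidate.lower():
        return False, "contains the username"
    if candidate_forms(candidate) & COMMON_PASSWORDS:
        return False, "derived from a common password"
    if len(candidate) >= PASSPHRASE_LENGTH:
        return True, "accepted as passphrase"
    # Shorter passwords must mix at least three of: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        return False, "needs three character classes or passphrase length"
    return True, "accepted"
```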

But an experienced crook has lots of devious gadgets in his or her hacker’s toolbox, like a sophisticated keystroke-logging program or “screen scrapers” that can be installed quickly on an individual workstation. These tiny programs can record each stroke of the keyboard or collect visual data from a computer screen, giving the hacker a wealth of information about credentials and important network paths where sensitive information is stored.

Sophisticated criminals don’t have to rely on brute-force hacking or botnets to exploit security holes. There are other methods that are equally effective, like stealing a laptop from a high-ranking employee or even tapping into the network through a wireless network with inadequate protection.

And, voila! Before the target even knows it's being hacked, the criminal is embedded in the system, has gathered a wealth of sensitive information, and is just about ready to “fence” the stolen data to a third party.

To make matters worse, criminals understand that advanced forensics technology can lead to their actions being discovered, so they take drastic measures to cover their tracks.

In an attempt to conceal their activity, some hackers will crash the entire hard drive, making it look like a common hardware failure, so the organization will simply discard the corrupted drive.

If successful, any evidence the hacker may have left behind is discarded well before the breach is ultimately discovered.

Reduce your exposure

Institutions that are committed to a strong security program should address the fundamentals of their security policies by re-evaluating their security awareness training programs, computer/network access policies, and frequency of vulnerability testing.

Security awareness training is an essential part of an overall security program and, chances are, every institution could increase the amount of security training to some degree.

A good practice is to test employees after the initial training session, then issue the same test within the year to evaluate the amount of retention.

Comprehensive security awareness training programs should also address issues related to posting work-related data on social networking sites and show how easy it is for criminals to use seemingly harmless employee information to break the outermost shell of security.

Because one of the greatest threats to a network is the ability of criminals to crack passwords, many financial institutions have deployed multifactor security controls on workstations, servers, and even laptops.

These controls require the user to perform dual actions, like swiping a badge or using a fingerprint identification system, in addition to entering a password, before gaining access to the network.

The best practice for identifying security flaws is to perform a vulnerability assessment. Although financial institutions are only required to perform periodic vulnerability assessments, remember that any single test only shows a “snapshot” of the security posture for that point in time.

Without frequent assessments, institutions may not be able to identify severe vulnerabilities before a criminal does.

One way to address this issue is to find a security compliance vendor that provides continual, daily testing and allows the institution’s information technology (IT) department to perform on-demand scans.

In the past, daily or weekly scans may have seemed like overkill. However, the changing landscape of cyber threats has made more frequent scans a necessity to help avoid zero-day vulnerability attacks.

Another crucial element is to find a qualified vendor to conduct a full IT security audit. This not only verifies that the existing controls are adequate to prevent an attack, it also allows expert analysis that can assist in discovering and remedying problems.

Using the knowledge

The global security landscape is a constantly changing environment. Imaginative criminals are working just as hard to exploit vulnerabilities and develop new hacking techniques as security and IT professionals are working to protect their networks.

But understanding that hackers, just like common bank robbers, generally target the financial institutions that have less protection than the one down the street clearly justifies taking the appropriate steps to secure your organization’s perimeter and protect your members’ invaluable information.

DAVID BLAZIER is marketing manager for TraceSecurity Inc., a CUNA Strategic Services strategic alliance provider. Contact him at 225-612-2121, ext. 31062.