These are difficult times for organizations trying to protect themselves and their customers from cybercriminals. Global cybercrime costs will hit $6 trillion a year by 2021 — up from $3 trillion in 2015, according to the “2019 Official Annual Cybercrime Report” by Cybersecurity Ventures. Verizon’s “2018 Data Breach Investigations Report” says that 30 percent of phishing emails in the U.S. are opened by recipients. And 780,000 records were lost in 2017 as a result of cybercrime, according to the McAfee “Economic Impact of Cybercrime” report, released in February 2018.
With the multiplying number of tools available to hackers on the dark web, it’s little wonder that more of their attacks are succeeding, said Angel Grant, director of identity, fraud and risk intelligence with IT security technology firm RSA. But Grant, speaking at the RSA Conference 2019 in San Francisco on March 8, said the dark web is “not the thing people should be concerned about,” at least not compared with what she called the “gray web,” where cybercriminals are “acting in plain sight.”
While cybercriminals are often imagined as tech geniuses working feverishly in dark rooms on sophisticated hacks, the truth is that many use simple scams and social engineering to gain entry to corporate networks and personal information. Take reverse phishing, for example. Cybercriminals look for companies that have not yet listed their own phone number on Google and supply one of their own. When consumers Google the company’s name, they see the phone number the cybercriminal supplied and call it, and the fraudster can then ask questions that extract personal information from the caller.
Cybercriminals' Favorite Industries to Target
“We’re seeing the value of credentials for sale vary based on industry or on the type of stolen information — a card with a signature is worth more than a card without,” said Grant.
Grant cited some of the top industries cybercriminals are targeting:
Retail: “Cybercriminals target e-commerce more these days because the new chip cards put down a barrier and make it harder to steal in traditional retail,” said Grant.
Entertainment and social media: Video streaming companies, social media and gaming platforms, and even dating sites are popular targets for hackers because people volunteer an extraordinary amount of personal information about themselves on such platforms, Grant explained.
Finance: It’s obvious why hackers target the financial industry, Grant said: “It’s where the money is.”
Travel/Leisure: Loyalty programs for airlines and hotels are most often tied to credit cards and passport information that cybercriminals can exploit.
What is ‘Credential Stuffing’ and How Do Hackers Use It?
One favorite tactic of hackers is “credential stuffing,” in which criminals take user names and passwords obtained from previous breaches and run automated programs that try those same credentials on other sites. It’s effective because people typically reuse the same login information from site to site. “We see a 5 percent success rate on credential-stuffing tools,” said Grant.
One of RSA’s customers, for example, started to see a spike in traffic on its login page. The login page had seen more than 200,000 login attempts from the same IP address, and a criminal was able to access 18,000 valid credentials using this tactic.
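As an added illustration of the detection side of this pattern (not code from RSA or from the talk), the following Python snippet scores constructed login events and flags a source address that tries many different usernames, the signature of replayed breach credentials, while leaving an ordinary user who mistypes a password alone. The IP addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome).
# Modelled on the pattern described above: one address cycling through
# many different usernames, a small fraction of which succeed.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "success"),
    ("203.0.113.7", "grace", "fail"),
    ("203.0.113.7", "heidi", "fail"),
    ("198.51.100.2", "alice", "fail"),
    ("198.51.100.2", "alice", "fail"),
    ("198.51.100.2", "alice", "success"),  # one user retyping a password
    ("192.0.2.9", "bob", "success"),
]

def profile_sources(events):
    """Aggregate per-IP attempt count, distinct usernames and successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "success":
            s["successes"] += 1
    return stats

def flag_credential_stuffing(events, min_attempts=5, min_user_ratio=0.8):
    """Return IPs whose traffic looks like credential stuffing: many attempts
    spread across many *different* usernames, unlike a single user mistyping
    a password or a brute-force run hammering one account."""
    flagged = {}
    for ip, s in profile_sources(events).items():
        if s["attempts"] < min_attempts:
            continue
        ratio = len(s["users"]) / s["attempts"]
        if ratio >= min_user_ratio:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "successes": s["successes"]}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: {info}")
```

The distinct-user ratio is what separates this traffic from a brute-force attempt on one account, so tune the thresholds against your own login volume before alerting on them.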
“When you hear in the news about another organization getting hacked, your company is not off scot-free,” warned Grant. “Chances are, those credentials are being sold on Facebook and could be used to target your organization.”
What Companies Can Do to Foil Hackers
“We need to take a moment to think of what we can do to better protect ourselves from these types of attacks,” said Grant. “We need to think about the fact that as we are embracing digital transformation, and it has provided a lot of opportunities, it has also brought a lot more risk.”
Grant recommended some steps to better secure your organization. First, monitor social media to see if your company is being targeted. Next, investigate potential points of vulnerability within your organization and determine who is monitoring them and communicating any issues. Also, create a plan to mitigate an account takeover and roll out identity analytics.
“Finally, unite your security village and collaborate not only within your company, but also with third-party vendors you engage with,” advised Grant. Make sure to roll out threat detection and fraud prevention tools and have a governance, risk and compliance strategy.