Crime doesn’t pay – unless, of course, it’s cybercrime
Then crime pays quite well, as criminal enterprise conducted over the internet makes billions. McAfee estimates that annually, cybercrime costs the global economy more than 445 billion dollars, the stat including security costs for companies and criminal financial gains.
We know that cybercrime is certainly a large industry, yet how exactly do hackers and cyber criminals make millions in the digital world of the internet?
Perhaps the most significant and influential cybercrimes are large, digital data heists with millions of victims worldwide. These heists, also known as data breaches, are where hackers manage to break into company servers and steal confidential information. Most of the time, the information stolen is the personal information of customers. This can be anything from customer emails, account information, credit card numbers and even medical records. This personal information can be sold on the black market and used for anything from fraud to identity theft.
In fact, in 2014, 47% of Americans had personal information exposed in some sort of data breach. So even if you personally take security seriously, there is not much you can do to protect your information when it is leaked from a company with whom you have trusted your information.
This has led to the creation of sites such as haveibeenpwned.com. This site takes the most significant leaks from data breaches, be it the 152,445,165 exposed Adobe accounts or 30 million accounts exposed in the Ashley Madison debacle, and can be used to find out whether or not your accounts have been personally affected by a leak. So even if companies can’t prevent data breaches and subsequent leaks from happening, individuals can at least attempt to clean up after a messy leak as much as possible.
So we know it happens, but how do hackers manage to break into such huge and powerful corporations?
The hackers’ main route to your data used to be exploiting unknown and heavily technical vulnerabilities in internet-facing corporate servers. However, with the growth of the cyber security industry, exploitable flaws in programs have become much harder to find, as constant streams of security patches are rolled out thanks to hordes of white hat bug hunters finding and disclosing vulnerabilities. Since most companies use the same software, once a vulnerability has been discovered and patched, the update can be rolled out to thousands of servers globally. All you have to do to keep your security up to date is update your servers regularly. Though every system will always be vulnerable in some respect, the attack surface has definitely been reduced tremendously.
Luckily for hackers, however, the increasing popularity of new and fancy web applications has led to new and easier targets. Web apps, being mostly custom built, don’t have patches that you can roll out across thousands of sites. Instead, the developer must fix every single vulnerability within a website individually. This has created a new and massive potential attack surface. The OWASP Top 10 Project was created specifically to address the need to educate the public on the most potent vulnerabilities that affect web applications globally.
The most notorious vulnerability, which consistently remains at the top of the OWASP Top 10 List, is SQL Injection. It exists because many programmers write web applications without a healthy suspicion of users, failing to handle unexpected requests. It is a vulnerability which takes advantage of the SQL programming language by restructuring database queries to extract more data than a site intended to deliver, allowing hackers to steal nearly everything within a database without necessarily gaining access to a company’s server.
The Structured Query Language is a programming language designed to interact with and make requests to a database. A database is simply a structured digital data set. For example, suppose you have a web application like Netflix, and let’s say our fictitious web application called Netflix uses a database to store information about its customers. Within this database there is a row for Bono Vox, and it has 4 columns: an id, his first name, his last name, and his email.
Let’s assume that when Bono goes to the URL Netflix.com/account, he will log in and then see a page which greets him by displaying “Welcome, Bono Vox!”. The web application manages to return his specific details to him by the use of its database. After logging in, the URL may become Netflix.com/account.php?id=3, and his request to the server will create an SQL query to the database which, in Structured Query Language, may look something like this:
SELECT first_name, last_name FROM newsletter_regs WHERE id='3';
The SELECT statement simply returns the first and last name columns from the database where the id is equal to 3, allowing the website to print out “Welcome, Bono Vox!”. However, a hacker can trick the server. By appending extra SQL to the URL like so – Netflix.com/account.php?id=3' UNION SELECT – he can make the server return more than what it was programmed to return. The UNION statement simply combines two SELECT statements, allowing a hacker to craft a second SELECT statement which returns data the programmer of the web application never intended to be returned.
This is a very simplistic example of SQL Injection. In reality, SQLi is a high risk vulnerability that can be used for absolutely devastating attacks. Ultimately, SQLi can be used to return basically anything from within a database, be it credit card numbers or site admin credentials, or even be used to eventually gain control of the entire system. If programmers do not sanitize database inputs they will surely suffer the effects of Murphy’s Law eventually. For if there is a possibility of something going wrong, something certainly will.
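As an added example that is not part of the original article, here is the string-concatenated query from above beside its parameterized fix, run against a constructed in-memory SQLite copy of the newsletter_regs table (the rows and the email column contents are assumed). Only the concatenated version lets the `3' UNION SELECT` input change the query; with a bound parameter the same input is just a value that matches no id.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the article's newsletter_regs table:
    # id, first_name, last_name, email. Rows are made up for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE newsletter_regs "
        "(id INTEGER, first_name TEXT, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO newsletter_regs VALUES (?, ?, ?, ?)",
        [
            (1, "Ada", "Lovelace", "ada@example.com"),
            (2, "Alan", "Turing", "alan@example.com"),
            (3, "Bono", "Vox", "bono@example.com"),
        ],
    )
    return conn


def greet_vulnerable(conn, user_id):
    # Builds the WHERE clause by pasting the id parameter into the SQL text,
    # the pattern the article describes. The input is parsed as SQL.
    query = (
        "SELECT first_name, last_name FROM newsletter_regs "
        "WHERE id='" + user_id + "'"
    )
    return conn.execute(query).fetchall()


def greet_parameterized(conn, user_id):
    # Hardened form: the id is bound as a value with a placeholder, so the
    # database never interprets it as part of the query structure.
    query = "SELECT first_name, last_name FROM newsletter_regs WHERE id=?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Completing the article's "3' UNION SELECT" so the second SELECT pulls
    # the email column of the same table; "-- " comments out the trailing quote.
    payload = "3' UNION SELECT email, '' FROM newsletter_regs -- "
    print(greet_vulnerable(db, "3"))         # Bono's row only
    print(greet_vulnerable(db, payload))     # Bono's row plus every email
    print(greet_parameterized(db, payload))  # [] : no row has that id
```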
SQL injection is but one of many vulnerabilities used by hackers to gain unauthorized access to your information. People become hackers by becoming intimate with various technologies to the point where they can exploit them to their own advantage. To find buffer overflow vulnerabilities in programs, for example, hackers used to have to know how to debug programs and control the flow of program execution at a very low and complex level. This would include manipulating the arrangement of memory addresses and processor registers to exploit nearly unnoticeable errors within a program.
Unfortunately for many, hacking is actually getting easier, as more new web applications go live on the internet, rife with vulnerabilities. A good hacker doesn’t need to be an expert programmer any longer. Nowadays they simply need to know a few tricks around web applications in order to exploit websites and steal valuable data.
Literally anyone can learn how to perform SQL injections. Free educational sites like Khan Academy offer intro courses for SQL and SQLi tutorials can be found all over the internet. There are even VM images created for the purpose of practicing SQLi, originally meant for white hat hackers to practice their skills before taking them into the real world.
So now we know it happens AND we know how hackers do it. But how do hackers make millions after breaching a database?
Well, once a database is dumped, they can take their loot and sell it, piece by piece, on the black market. From there, fraudsters and carders buy this stolen customer info and use it for their own criminal purposes. Hackers selling stolen data for a few dollars apiece can make thousands to millions when selling large amounts of valuable data.
In fact, anyone can go and purchase the fruits of the hacker’s labor on most darknet markets, showing just how simple participating in cybercrime can be. And as we move into the near future, we can only expect things to get easier as the cybercrime industry inevitably grows. Physical robbery is going out of style as the age of digital theft takes the spotlight.