I wrote recently about a report that people would sell their company username and password for as little as $150. That’s just the tip of the iceberg. There’s a market, and a market price, for everything – credit card details sell for as little as $7, but bank account credentials sell for 1-5% of the account balance. Now you know what your wallet is really worth.
A whole range of hacking-for-hire services are available, ranging from DDoS-as-a-(ironically)-service for $5/hour through to on-demand email account hacking for up to $500. You can buy software toolkits for compromising everything from websites to point-of-sale systems – training extra. All this alongside every kind of forged or stolen official documentation. You can even buy stolen air miles.
Well, first off, having an efficient market creates a strong incentive for people to participate – so it breeds more hackers, helps them identify the most valuable skills and activities and provides all the associated benefits of well-functioning capitalism – like investment funds, outsourcing and formal employment structures. Hacking and cyber-theft have become major industries, not dissimilar to the global narcotics trade – and look how well we’ve done at suppressing that.
Secondly, it acts as a kind of brain-drain. Smart people who should be working to build better mousetraps find it more rewarding to build better mice. Today’s example is the sneakiest piece of lateral thinking I’ve come across in quite some time. If you’re not technically-minded, you may want to skip the next paragraph – but if you are, read and (guiltily) admire:
There’s a new variant of point-of-sale payment-card-detail-stealing malware. The clever bit is how it exfiltrates the data. These days we routinely block internet access from card-data environments (you have to, for PCI-DSS compliance). So getting the stolen data out is a major challenge. But the CDEs are still networks, so they still need internal name-resolution so that the various computers and other components involved can find each other. This latest piece of evil cunning encrypts the payment card details and then embeds that encrypted data into a DNS query. The query will be formatted as “xyz.[encoded data].evildomain.com” – where evildomain.com is controlled by the hackers. This query will route to your internal DNS, from there to your external DNS, and from there – crucially – to the authoritative DNS server for evildomain.com, at which point ET has successfully phoned home.
That’s really clever. I want the person who thought of that to cross the wall and come and work for the good guys. And this is my whole point – unless and until we start taking cyber-security seriously by spending enough money in the right places, and making it a whole-corporate responsibility, not just an IT thing, there will be far too many very smart, very motivated people on the wrong side of the fence.
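For defenders, the DNS channel described above leaves a trace in the internal resolver's query log: one card-data host asking for many distinct, long, random-looking labels under a single external domain. The sketch below is an added example, not code from the original post; the log format, internal zone name, thresholds and sample lines are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "<client_ip> <query_name>" (not real data).
SAMPLE_LOG = """\
10.20.0.11 pos-db01.store.internal
10.20.0.11 xyz.mzxw6ytboi4dqmrvgezdgnbv.evildomain.com
10.20.0.11 xyz.nbswy3dpeb3w64tmmqqgc3tf.evildomain.com
10.20.0.12 printer01.store.internal
10.20.0.11 xyz.orugs4zanfzsa43pnvsxe2lo.evildomain.com
10.20.0.12 www.example.com
10.20.0.11 xyz.kvxgizlsebzw63lfebrwc4te.evildomain.com
"""

INTERNAL_SUFFIXES = (".store.internal",)  # assumed internal zone of the CDE
MIN_LABEL_LEN = 16   # assumed: encoded payloads need long labels
MIN_ENTROPY = 3.0    # assumed: bits per character, encrypted data looks random
MIN_UNIQUE = 3       # assumed: distinct payload labels before alerting

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def suspicious_domains(log_text):
    """Map (client, external domain) -> count of distinct payload-like labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].lower().rstrip(".")
        if qname.endswith(INTERNAL_SUFFIXES):
            continue  # legitimate internal name resolution
        for label in qname.split(".")[:-2]:
            if len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY:
                seen[(client, base_domain(qname))].add(label)
    return {k: len(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE}

if __name__ == "__main__":
    for (client, domain), n in suspicious_domains(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {domain}: {n} distinct high-entropy labels")
```

Since a card-data environment has a small, known set of names it legitimately needs to resolve, the same log also supports the stricter control of refusing to recurse for anything outside that set.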