Big data is the linchpin of new advances in cybersecurity. Unfortunately, predictive analytics and machine learning technology are a double-edged sword for cybersecurity. Hackers are also exploiting this technology, which means that there is a virtual arms race between cybersecurity companies and black hat cybercriminals.
Datanami has talked about the ways that hackers use big data to coordinate attacks. This should be a wakeup call to anybody that is not adequately prepared.
Black Hat Hackers Exploit Machine Learning to Avoid Detection
Jathan Sadowski wrote an article in The Guardian a couple years ago on the intersection between big data and cybersecurity. Sadowski said big data is to blame for a growing number of cyberattacks.
In the evolution of cybercrime, phishing and other email-borne menaces represent increasingly prevalent threats. FireEye claims that email is the launchpad for more than 90 percent of cyber attacks, while a multitude of other statistics confirm that email is the preferred vector for criminals.
This is largely because of the criminals' own knowledge of machine learning. They use machine learning to get a better understanding of their targets, choose them more carefully and penetrate defenses more effectively.
That being said, people are increasingly aware of things like phishing attacks, and most people know that email links and attachments could pose a risk. Many are even on the lookout for suspicious PDFs, compressed archives, camouflaged executables, and Microsoft Office files with dodgy macros inside. Plus, modern anti-malware solutions are quite effective in identifying and stopping these hoaxes in their tracks. The trouble is that big data technology helps these criminals orchestrate more believable social engineering attacks.
Credit card fraud represents another prominent segment of cybercrime, causing bank customers to lose millions of dollars every year. As financial institutions have become familiar with the mechanisms of these stratagems over time, they have refined their procedures to fend off card skimming and other commonplace exploitation vectors. They are developing predictive analytics tools with big data to prepare for threats before they surface.
The fact that individuals and companies are often prepared for classic phishing and banking fraud schemes has incentivized fraudsters to add extra layers of evasion to their campaigns. The sections below highlight some of the methods used by crooks to hide their misdemeanors from potential victims and automated detection systems.
Phishing-as-a-Service on the rise, due to big data
Although phishing campaigns are not new, the way in which many of them are run is changing. Malicious actors used to undertake a lot of tedious work to orchestrate such an attack. In particular, they needed to create complex phishing kits from scratch, launch spam hoaxes that looked trustworthy, and set up or hack websites to host deceptive landing pages. Big data helps hackers understand what factors work best in a phishing attack and replicate it better.
Such activity required a great deal of technical expertise and resources, which raised the bar for wannabe scammers who were willing to enter this shady business. As a result, in the not-so-distant past, phishing was mostly a prerogative of high-profile attackers.
However, things have changed, most notably with the popularity of a cybercrime trend known as Phishing-as-a-Service (PHaaS). This refers to a malicious framework providing malefactors with the means to conduct effective fraudulent campaigns with very little effort and at an amazingly low cost.
In early July 2019, researchers unearthed a new PHaaS platform that delivers a variety of offensive tools and allows users to conduct full-fledged campaigns while paying inexpensive subscription fees. The monthly prices for this service range from $50 to $80. For an extra fee, a PHaaS service might also include lists of email addresses belonging to people in a certain geographic region. For example, the France package contains about 1.5 million French “leads” that are “genuine and verified.”
The PHaaS product in question lives up to its turnkey promise as it also provides a range of landing page templates. These scam pages mimic the authentic style of popular services such as OneDrive, Adobe, Google, Dropbox, Sharepoint, DocuSign, LinkedIn, and Office 365, to name a few. Moreover, the felonious network saves its “customers” the trouble of looking for reliable hosting for the landing sites – this feature is already included in the service.
To top it all off, the platform accommodates sophisticated techniques to make sure the phishing campaigns slip under the radar of machine learning systems and other automated defenses. In this context, it reflects the evasive characteristics of many present-day phishing waves. The common anti-detection quirks are as follows:
- Content encryption: As a substitute for regular character encoding, this method encrypts the page content and then applies JavaScript to decrypt the information on the fly when a would-be victim views it in a web browser.
- HTML character encoding: This trick prevents automated security systems from reading fraudulent data while ensuring that it is rendered properly in an email client or web browser.
- Inspection blocking: Phishing kits prevent known security bots, AV engines, and various user agents from accessing and crawling the landing pages for analysis purposes.
- Content injection: With this stratagem, a fragment of a legitimate site’s content is substituted with rogue information that lures a visitor to navigate outside of the genuine resource.
- The use of URLs in email attachments: To obfuscate malicious links, fraudsters embed them within attachments rather than in the email body.
- Legitimate cloud hosting: Phishing sites can evade the blacklisting trap if they are hosted on reputable cloud services, such as Microsoft Azure. In this case, an additional benefit for the con artists is that their pages use a valid SSL certificate.
The above evasion tricks enable scammers to perpetrate highly effective, large-scale attacks against both individuals and businesses. The utilization and success of these techniques could help explain a 17 percent spike in this area of cybercrime during the first quarter of 2019.
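As an added, defender-side illustration (not code from the article or from the PHaaS platform it describes), the check below runs over a captured landing page and looks for two of the evasion tricks listed above: HTML character encoding and decode-on-the-fly JavaScript. It measures how much of the visible text arrived as numeric character references, flags brand names that appear only after decoding, and counts client-side decoding helpers. The two sample pages, the brand watch list and the 0.3 threshold are constructed assumptions.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed sample: a landing page whose brand text is hidden behind numeric
# character references and whose content is partly assembled by client-side decoding.
ENCODED_PAGE = """<html><body>
<h1>&#x4f;&#x66;&#x66;&#x69;&#x63;&#x65;&#32;&#51;&#54;&#53;</h1>
<form action="https://collector.example/post" method="post">
<label>&#80;&#97;&#115;&#115;&#119;&#111;&#114;&#100;</label><input type="password" name="pw">
</form>
<script>document.write(atob("PGRpdj5TaWduIGluPC9kaXY+"))</script>
</body></html>"""

# Constructed benign page: one ordinary named entity and no decoding logic.
CLEAN_PAGE = "<html><body><h1>Team blog</h1><p>Tips &amp; tricks for the week.</p></body></html>"

# Brands the article lists as commonly impersonated (assumed watch list).
BRANDS = ("OneDrive", "Adobe", "Google", "Dropbox", "Sharepoint", "DocuSign", "LinkedIn", "Office 365")

NUMERIC_ENTITY = re.compile(r"&#(?:x[0-9a-fA-F]+|[0-9]+);")
JS_DECODE_CALL = re.compile(r"\b(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(")

@dataclass
class Verdict:
    entity_ratio: float                                 # share of visible characters that came from numeric entities
    hidden_brands: list = field(default_factory=list)   # brands readable only after decoding
    js_decode_calls: int = 0                            # client-side decode/decrypt helpers found
    suspicious: bool = False

def visible_text(markup: str) -> str:
    """Approximate what a browser renders: drop script/style blocks, then tags, then collapse whitespace."""
    markup = re.sub(r"<(script|style)\b.*?</\1>", " ", markup, flags=re.S | re.I)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", markup)).strip()

def analyze_page(raw: str, entity_threshold: float = 0.3) -> Verdict:
    entities = NUMERIC_ENTITY.findall(raw)
    shown = visible_text(html.unescape(raw))
    ratio = len(entities) / max(len(shown), 1)
    raw_lower = raw.lower()
    # A brand that a victim sees but an automated scanner of the raw bytes would miss
    hidden = [b for b in BRANDS if b.lower() in shown.lower() and b.lower() not in raw_lower]
    js_calls = len(JS_DECODE_CALL.findall(raw))
    flag = ratio >= entity_threshold or bool(hidden) or js_calls > 0
    return Verdict(ratio, hidden, js_calls, flag)
```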
The scourge of card enrollment
Banking fraud and identity theft go hand in hand. This combination is becoming more harmful and evasive than ever before, with malicious payment card enrollment services gaining momentum in the cybercrime underground. The idea is that the fraudster impersonates a legitimate cardholder in order to access the target’s bank account with virtually no limitations.
According to security researchers’ latest findings, this particular subject is trending on Russian hacking forums. Threat actors are even providing comprehensive tutorials on card enrollment “best practices.”
The scheme starts with the harvesting of Personally Identifiable Information (PII) related to the victim’s payment card, such as the card number, expiration date, CVV code, and cardholder’s full name and address. A common technique used to uncover this data is to inject a card-skimming script into a legitimate ecommerce site. Credit card details can also be found for sale on the dark web, making things even easier.
The next stage involves some extra reconnaissance by means of OSINT (Open Source Intelligence) or shady checking services that may provide additional details about the victim for a $6–$7 fee. Once the crooks obtain enough data about the individual, they attempt to create an online bank account in the victim’s name (or perform account takeover fraud if the person is already using the bank’s services). Finally, the account access is usually sold to an interested party.
To stay undetected, criminals leverage remote desktop services and SSH tunnels that cloak the fraud and make it appear that it’s always the same person initiating an e-banking session. This way, the bank isn’t likely to identify an anomaly even when the account is created and used by different people.
To make fraudulent purchases without being exposed, the black hats also change the billing address within the account settings so that it matches the shipping address they enter on ecommerce sites.
This cybercrime model is potent enough to wreak havoc in the online banking sector, and security gurus have yet to find an effective way to address it.
These increasingly sophisticated evasion techniques allow malefactors to mastermind long-running fraud schemes and rake in sizeable profits. Moreover, new dark web services have made it amazingly easy for inexperienced crooks to engage in phishing, e-banking account takeover, and other cybercrimes. Under the circumstances, regular users and organizations should keep hardening their defenses and stay leery of the emerging perils.
Big Data Makes Black Hat Hackers a Horrifying Threat
Hackers are using big data to perform more terrifying attacks every day. We need to understand the growing threat and continue fortifying our defenses to protect against them.