Social engineering has existed for as long as humans have, but now that information technology is omnipresent, social engineering has reached the next level: phishing, impostor scams and business email compromise. A multi-billion dollar industry is trying to trick you into divulging secrets, installing malware or sending money somewhere. Another multi-billion dollar industry is fighting to protect organizations and individuals.
More than a decade ago, the revenue of cybercrime surpassed the revenue of the worldwide illegal drug market. It is still easy today to earn money with phishing emails. The criminals come from the whole spectrum of social backgrounds and intelligence: some less bright individuals forget to attach payloads to their emails or put the wrong URLs into their phishing emails. Some more intelligent phishers use phishing services, so they don’t need deep technical knowledge: $20 in bitcoin buys a few weeks of limited phishing kit services. This makes it easy for many people with financial problems to simply start their own “phishing business”. And of course there are sophisticated cybercrime groups, or even state-sponsored hackers, running very targeted operations. Their attacks might never be seen by more than a few corporations, which makes them hard to detect. Most of these threat actors do it for a living.
Getting a ransom is one of the goals of cybercriminals. Today, the vast majority of ransomware attacks still start with an email. Years ago, threat actors used mass mailings for that. Those times are long gone. Today’s email-based attacks are highly sophisticated:
Profilers research every bit of information about a target: do you have a dog? When do you usually get up? What is your educational background? Who are your business and your private contacts? Most of these questions can be answered through social media research.
That information is passed on to the content creators, who actually write the targeted messages.
Another use of such information is impostor emails: messages claiming to be from the boss, asking for a quick money transfer because of a great business opportunity. If only 1 in 1000 of those impostor attempts produces a wire transfer, the whole effort has paid off.
Criminals also use compromised business email accounts to deliver their links to ransomware, or simply to request a change of the receiving bank account for a regular wire transfer. This might seem odd, but such attacks have a high rate of success because they exploit the personal trust attached to a business email address you correspond with regularly.
Whether the second step is to get someone to click a URL, install some software or make a phone call, the final goal is usually money.
On a side note: if it’s not for money directly, then someone else pays for the attacks, either a competitor or a state. No matter whether a state sees itself on the bright side or the dark side, nearly every state is a cybercrime attacker and a cybercrime target at the same time. However, the workshop will not cover state-sponsored cybercrime.
The workshop shows recent examples of how criminals use technical and social approaches to make money. We’ll show the parts of the multi-country production chain of cybercrime. Test your knowledge in the workshop: would you fall for the phishing examples?