For most people, cybercrime is something that happens to other people. Unlike physical crime, the idea of hackers stealing something as intangible as data is difficult to comprehend. However, Barry Johnson, country manager for BAE Systems Applied Intelligence, says that being targeted by cybercriminals is inevitable.
When asked during an interview at Defence Services Asia 2016 if everyone will end up targeted by a cybercriminal at some point in their lives, Johnson replied, “yes, if they haven’t already [been targeted]. We all get [the] widespread generic phishing emails that go around.”
Cyberspace is particularly attractive for criminals as it is considered to be the safest attack vector. Criminals are able to perpetrate crimes with a low chance of being caught because it is easier to cover their tracks. This is increased by the fact that it can be done from the comfort of their own homes.
Of these criminals, BAE Systems believes that the biggest problem lies with what it calls the Mule. Described as a threat actor who buys banking information from hackers, the Mule is the person who converts stolen credit card information into physical cash. This is done by using stolen credentials to buy goods online, and then selling them off somewhere else.
Alternatively, there is the Professional – a person who treats cybercrime as a 9-to-5 job. This type of threat actor is not technically a criminal, but instead sells malware for third parties to use. “From his business perspective, he may not be committing the crime but he is using criminal behaviour in developing malware and selling it online,” said Johnson. “It keeps him one step removed from the risk.”
The latest threat intelligence report indicates that the growth of this sort of threat actor is in South America – with traditional drug cartels are beginning to realise that they can make money in a less risky manner. Johnson warned that these threat actors are the type of cybercriminals who would target sensitive industries like hospitals with ransomware to make a profit; referencing the two recent attacks on healthcare providers in the USA.
Despite these threats, Malaysians are surprisingly ill-equipped to deal with online threats. BAE Systems provides penetration testing support for local businesses, and has discovered that individuals fail to take potential phishing attacks seriously. A recent phishing test against corporate employees discovered that 50-percent of those targeted fell for the scam; while none actually reported the incident as instructed.
Considering how ill prepared Malaysians are for cybercrime, it is no surprise at how many of us fall victim to even the simplest of attempts. As such, BAE Systems warns that being aware of phishing attempts and cybercriminals is the most important part of cybersecurity. Perhaps more than even setting defences like antivirus or two-stage authentication.
“For me, it is almost inevitable and it’s just that awareness of how you deal with it,” said Johnson. “It is about having that awareness of how you check the authenticity of an email and not click on a link. So it’s that kind of basic awareness that is very, very important.”