The Hacker’s Economy

Written by Joseph Poppy on 01/03/2019

The root of all evil

80% of all human endeavour is committed to making money, with the remaining 20% spent finding interesting ways to spend it. These are figures that I’ve just made up, but I said it in the Bulletproof office, and everyone nodded, which either means it speaks a certain truth or, once again, everyone is doing their best to ignore me. With this in mind, it’s fair to say people tend not to put a lot of effort into something unless they know they’re going to be financially rewarded for it. This includes hacking.

Whilst there are undoubtedly those who just hack for fun, the majority of malicious hacking is done, unsurprisingly, for financial gain. There are a lot of ways a hacker can monetise their misdeeds.

From simple, age-old tactics to clever new strategies, there’s a lot that keeps the hackers’ economy afloat. Remember, most hackers are going to give all of them a go at the same time, so you need to be alert.

Hackers are finding more and more ways to monetise their time and effort

Hackers can just nick your credit card

Starting with the obvious, cyber criminals can just swipe your credit card, or rather your credit card data. Throughout 2018 there were a number of card skimming instances. One high-profile attack involved over 300,000 British Airways customers losing their credit card details to hackers. The main culprit was a nefarious line of JavaScript called Magecart. If this script was placed into embedded payment pages, then hackers could steal credit card details as they are entered and submitted. There was no need to go to the bother of compromising databases themselves.

Big names such as Ticketmaster (and the aforementioned BA) were hit last year with this type of attack. Whilst it could be argued that adhering to compliance packages such as PCI DSS would prevent these types of attack, recent events show that this is not necessarily the case.
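To make the skimming risk concrete from the defender's side, here is an added example (not from the original article) that inventories the scripts on a payment page and flags third-party ones that are off an allowlist or lack a Subresource Integrity hash. The page markup, hostnames and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample payment page; hosts and hashes are placeholders.
SAMPLE_PAGE = """
<html><body>
<form action="/pay"><input name="card-number"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://unknown-host.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>document.title = "Checkout";</script>
</body></html>
"""

# Assumed allowlist of third-party hosts approved for the payment page.
ALLOWED_HOSTS = {"cdn.example-payments.test", "cdn.example-analytics.test"}


class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []     # (src, reason) for each risky external script
        self.inline_count = 0  # inline scripts need review and a strict CSP

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            self.inline_count += 1
            return
        host = urlparse(src).netloc
        if not host:
            return  # same-origin file: covered by server-side integrity checks
        if host not in ALLOWED_HOSTS:
            self.findings.append((src, "host not on allowlist"))
        elif not attr.get("integrity"):
            self.findings.append((src, "no integrity attribute"))


def audit_payment_page(html):
    """Return (findings, inline_script_count) for one page of HTML."""
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings, parser.inline_count
```

Same-origin scripts are skipped here because an integrity attribute does not help if the file on your own server is the one that was altered; those need file integrity monitoring instead.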

Credit cards on a fishing hook
Card details stolen online can be cloned, sold or simply used to buy nice things

A backlit keyboard in a dark room
The dark web... backlit keyboards essential

Selling data on the dark web

Compromising a confidential corporate database is a challenging hack more often than not, so why do hackers do it? Well, for the hundreds of millions of records containing personal information. Whilst this information can be used to commit identity theft, those who purloin such data tend to sell it on the dark web instead.

The dark web might sound like something from a cheap fantasy book, but there’s a lot of dodgy activity that goes on there. Personal data lifted from compromised databases (particularly email addresses) can be sold. Personal data is valuable as it can be used by those in the know to commit identity theft. This could be done fairly easily with the amount of data stolen from the Marriott hack, as this contained a wide range of data including passport numbers.

In addition to this, email addresses can be sold on to enable fraudsters to commit phishing campaigns, which in turn could lead to identity theft or the spreading of malware for other monetisation streams, such as whaling (we’ll get to that later). That malware in question could be adware, cryptomining software or even our old friend ransomware. Speaking of which…

Even after paying a hacker’s ransom, there’s no guarantee you’ll get access to your files

Never forget the classic

Ransomware may have taken a temporary dip in popularity after its sell-out 2017 tour, but it’s certainly still an effective way for hackers to make money. We spoke of this iconic cyber villain at length in our annual cyber security report. Theoretically, it’s the simplest way to monetise a hack. Through sophisticated phishing tactics or simply by dropping malware once access has been gained to a network, hackers can begin encrypting crucial files and charge a hefty sum (usually in Bitcoin) to unencrypt them.

If that wasn’t bad enough, a lot of companies found that when they paid the ransom (something you should never do) they didn’t actually get their files back. You can’t trust hackers these days. Worryingly, ransomware is evolving. Some strains deliberately slow the rate of encryption and spread in order to keep under alerting thresholds and therefore stay undetected for longer. Some have even shown devious tactics like directly encrypting the hard drive’s Master Boot Record, meaning there’s no need to waste all that time going from file to file.
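The point about slow encryption slipping under alerting thresholds can be shown with detection logic. This added example (not from the original article) runs a per-minute burst rule and a 24-hour rule that counts only high-entropy writes over constructed file-write events; the thresholds, paths and event format are assumptions.

```python
import math
import random
from collections import Counter, deque


def shannon_entropy(data):
    """Bits per byte; encrypted output sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def windowed_alert(events, limit, window, min_entropy=0.0):
    """True once more than `limit` qualifying writes fall inside `window` seconds."""
    recent = deque()
    for ts, _path, data in events:
        if shannon_entropy(data) < min_entropy:
            continue  # plain text, logs, source code: not counted
        recent.append(ts)
        while recent[0] <= ts - window:
            recent.popleft()
        if len(recent) > limit:
            return True
    return False


def burst_rule(events):
    # Assumed classic threshold: more than 30 file writes in one minute.
    return windowed_alert(events, limit=30, window=60)


def slow_rule(events):
    # Assumed long-window rule: more than 50 encrypted-looking writes in 24 h.
    return windowed_alert(events, limit=50, window=24 * 3600, min_entropy=7.0)


# Constructed sample data: (timestamp in seconds, path, bytes written).
_rng = random.Random(0)
CIPHER_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"Quarterly figures, draft two. " * 140

fast_strain = [(i, f"/share/a{i}.txt", CIPHER_LIKE) for i in range(100)]
slow_strain = [(i * 600, f"/share/b{i}.txt", CIPHER_LIKE) for i in range(120)]
normal_day = [(i * 600, f"/share/c{i}.txt", PLAIN_TEXT) for i in range(120)]

if __name__ == "__main__":
    for name, ev in [("fast", fast_strain), ("slow", slow_strain), ("normal", normal_day)]:
        print(name, "burst:", burst_rule(ev), "slow:", slow_rule(ev))
```

Compressed archives and media files also score close to 8 bits per byte, so the entropy cut-off and the 24-hour limit need tuning against normal activity on the share being watched.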

Bitcoin on a chessboard
Some hackers use Bitcoin to monetise their ransomware attacks

WannaCry alone is known to have earned hackers at least £108,000 in Bitcoin. The cost to businesses is of course a lot higher than this once loss of sales and cost of recovery are tallied up. This is a good haul, so hackers are unlikely to let it go.


Monero coin sitting on a CPU
And once you’ve been mining long enough, a coin grows inside your computer. That’s how it works.

Hi-ho hi-ho, let’s mine some Monero

As someone astutely pointed out in the Bulletproof annual cyber report 2019, cryptojacking became more prominent on the cyber landscape over 2017’s ransomware trend. For reasons I still don’t understand, Bitcoin became a thing, setting a precedent that led to a rise in digital ‘currencies’. The majority of these are obtained by using CPU or more recently GPU power to ‘mine’ for it. As said, Bitcoin is the most popular currency, but is becoming increasingly harder, and therefore less profitable, to mine. Monero seems to be the currency of choice for most hackers.

When mining for Monero (XMR), you are in fact part of a wider mining pool which uses your resources to maintain a public ledger which records transactions. For every transaction recorded you are rewarded with a small amount of XMR. If all of this sounds like nonsense, well, it’s because it is, but that’s the world we live in now.

The value of cryptocurrencies can fluctuate wildly, and the profitability of mining them is affected considerably by how much it costs to run the mining rig. A single computer won’t help much in the grand scheme of things, so naturally, to make any real money out of mining Monero, people will need a lot of CPU. A lot of CPU will inevitably rack up quite the electricity bill. So, instead of home mining rigs, hackers have worked out that it’s more cost effective to use other people’s CPU to mine for them.

This approach has led to a cryptojacking epidemic. Racks of servers are obviously juicy targets, so businesses have been hit relentlessly by the trend. Monero is different in the sense that the algorithm used to mine it can be injected into the code of a website or browser, meaning that anyone who happens to visit the affected website will unwittingly provide their CPU to a mining pool. The current value (at time of writing) of XMR sits at $42.90. Obviously, it takes a long time – or a lot of CPU – to generate 1 XMR, but several hacking groups have found ways to earn thousands from these campaigns.

A man mining cryptocurrency
Is your CPU unusually high? It’s this guy’s fault
Cryptomining is a lot more cost effective if you’re not the one footing the electric bill

Botnets for hire

Botnets, consisting of compromised devices forming a... net, are getting larger. This is in part due to the relatively recent explosion of IoT devices, particularly cheap variants that have taken a slapdash approach to security, if they took any approach at all. If a computer, server or IoT device is added to a botnet, the chances are you’ll never know, as the malware used won’t cause any noticeable disruptions. Hacking groups are forever struggling to have the biggest botnet, because in this instance size really can matter.

These botnets can then be used to commit targeted DDoS attacks. This is where a site or service gets bombarded with so many requests that the server can’t process them quickly enough, causing it to fall over and take the service offline. Think of it like a pub with only one person manning the bar, but thousands of customers barking out orders. Eventually, the poor bar person will curl up on the floor and cry and then no one can get a drink.

Hacking groups can charge an hourly rate for use of their botnet. There are a number of reasons for people to want to take a service offline, from cyber extortion, to people who are just angry at a site for their own reasons.

An array of computers connected as a botnet
Botnets are commonly used to perform DDoS attacks

Grab your harpoon

We touched upon phishing earlier. This practice can easily cause a business no end of mischief. A more extreme version is whaling. Like phishing, whaling is the practice of sending an email in order to trick a user into doing something, only it specifically targets those higher up the chain of command. This is an easy way to commit CFO (or CEO) fraud by tricking a user into authorising a payment in response to a false invoice or simply stating that a wire transfer has to occur.


Screenshot of have i been pwned dot com
Why not check how many breaches your email address has been included in?

A lovely bit of blackmail

Whilst not technically ‘hacking’, there has recently been a rise in sextortion emails. These usually say something along the lines of:

“Dear user, we have managed to compromise your email box. To prove we have done this, your password is PASSWORD. Through this, we have managed to install malware on your computer which lets us see your screen and take control of your webcam. We’ve seen you accessing adult content, so send us lots of money in bitcoin or we will send the videos we have to all your contacts.”

Though the grammar will usually be much worse. Whilst this shows a distinct lack of understanding of how malware can work its way onto your computer, the inclusion of your actual password (or more likely, a former password) lends it a sense of authenticity. If they know this, what else could they have done?

Hackers would have received this password from previous data breaches, which unfortunately you have been involved in. You can see just how many breaches have included your email address on Troy Hunt’s superb (and free) haveibeenpwned service. If it’s any less than three, you either don’t use your email for much or you are very selective.

Surprisingly, some of these sextortion campaigns have been said to have earned $50k in the span of a week. Not bad for a simple bit of spam. This just goes to show that an extra bit of information can lend an air of believability to an email. Or some people have guilty consciences. The more data appearing in breaches, the more convincing these emails could become.

White hat hackers specialise in legally testing the security systems of organisations and applications

Money Money Money

There are yet more ways for hackers to make money. We haven’t even mentioned those paid to commit dubious acts on behalf of nations. Of course, the easiest way for a hacker to make money would be to become a bug hunter or a penetration tester. You can earn good money that way without the risk of falling foul of the law.

Naturally, all the above tactics will adapt to changing environments and continue to plague the cyber landscape. Unfortunately, as long as there is money to be made, hackers will continue to hack. However, there are ways to defend against all of these issues. Effective threat monitoring can keep watch over your important assets. Penetration testing can check for any weaknesses in your apps to ensure no rogue code finds its way through the net. Effective training can help educate your staff against the threats that are forever lurking in the cyber shadows.

If you make sure your business is doing everything right and has tight defences, it’ll become less profitable for hackers to have their way. The less profitable it becomes and the harder it is, the less of a target you’ll be.

Lock symbol on a data chip
Ensuring your business has tight security will make hacking less profitable
