Botnets, networks of compromised devices (hence the name), are getting larger. This is in part due to the relatively recent explosion of IoT devices, particularly cheap variants that have taken a slapdash approach to security (if they took any approach at all). If a computer, server or IoT device is added to a botnet, the chances are you’ll never know, as the malware used won’t cause any noticeable disruption. Hacking groups are forever struggling to have the biggest botnet, because in this instance size really can matter.
These botnets can then be used to commit targeted DDoS (distributed denial of service) attacks. This is where a site or service gets bombarded with so many requests that the server can’t process them quickly enough, causing it to fall over and take the service offline. Think of it like a pub with only one person manning the bar, but thousands of customers barking out orders. Eventually, the poor bar person will curl up on the floor and cry, and then no one can get a drink.
Hacking groups can charge an hourly rate for use of their botnet. There are a number of reasons for people to want to take a service offline, from cyber extortion, to people who are just angry at a site for their own reasons.
We touched upon phishing earlier. This practice can easily cause a business no end of mischief. A more extreme version is whaling. Like phishing, whaling is the practice of sending an email in order to trick a user into doing something, only it specifically targets those higher up the chain of command. This is an easy way to commit CFO (or CEO) fraud by tricking a user into authorising a payment in response to a false invoice, or simply by stating that a wire transfer has to occur.
Whilst not technically ‘hacking’, there has been a rise in sextortion emails. These usually say something along the lines of:
“Dear user, we have managed to compromise your email box. To prove we have done this, your password is PASSWORD. Through this, we have managed to install malware on your computer which lets us see your screen and take control of your webcam. We’ve seen you accessing adult content, so send us lots of money in bitcoin or we will send the videos we have to all your contacts.”
Though the grammar will usually be much worse. Whilst this shows a distinct lack of understanding of how malware can work its way onto your computer, the inclusion of your actual password (or, more likely, a former password) lends it a sense of authenticity. If they know this, what else could they have done?
Hackers will have obtained this password from previous data breaches in which, unfortunately, your details were included. You can see just how many breaches have included your email address on Troy Hunt’s superb (and free) haveibeenpwned service. If it’s any fewer than three, you either don’t use your email for much or you are very selective.
Surprisingly, some of these sextortion campaigns have been said to have earned $50k in the span of a week. Not bad for a simple bit of spam. This just goes to show that an extra bit of information can lend an air of believability to an email. Or some people have guilty consciences. The more data appearing in breaches, the more convincing these emails could become.
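The haveibeenpwned service mentioned above also publishes Pwned Passwords, which lets you check whether a password has appeared in a breach without sending the password (or even its full hash) to the service: the client SHA-1 hashes the password, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every hash suffix in that range with a breach count, then searches the response locally. The following is an added example, not code from the original post or from haveibeenpwned; it implements that client-side logic and exercises it against a constructed, offline stand-in for the API response (the suffixes and counts in `FAKE_RANGES` are made up, apart from the real SHA-1 of the string "password"). The optional `fetch_range_live` function shows how the same code would talk to the real endpoint.

```python
import hashlib
import urllib.request

# Constructed stand-in for the API: maps a 5-char hash prefix to the body the
# range endpoint would return ("<35-char suffix>:<count>" per line). The first
# suffix is the genuine SHA-1 of "password" with a made-up count; the others are
# invented filler.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E5F0A0C1D2E3F4A5B6C7D8E9F0A1B2C3D4:2\n"
        "1F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2:17\n"
    ),
}


def sha1_upper(password: str) -> str:
    """Return the upper-case hex SHA-1 digest the Pwned Passwords API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: 5-char prefix sent to the server, 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries with count 0 are harmless."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_fake(prefix: str) -> str:
    """Offline stand-in for the network call; returns an empty range for unknown prefixes."""
    return FAKE_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not called in this example).
    Add-Padding asks the server to pad the response so its size leaks nothing."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true",
                                               "User-Agent": "example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_fake) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    Only the hash prefix ever leaves this function via fetch_range."""
    prefix, suffix = split_hash(sha1_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in the constructed corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `fetch_range_fake` for `fetch_range_live` to query the real service; the structure of `pwned_count` does not change, which is the point of the k-anonymity design: the password and its full hash never leave the machine.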
There are yet more ways for hackers to make money. We haven’t even mentioned those paid to commit dubious acts on behalf of nations. Of course, the easiest way for a hacker to make money would be to become a penetration tester. Penetration testing is basically ethical, licensed hacking. You can earn good money and get great job satisfaction without falling foul of the law.
Naturally, all the above tactics will adapt to changing environments and continue to plague the cyber landscape. Unfortunately, as long as there is money to be made, hackers will continue to hack. However, there are ways to defend against all of these issues. Effective SIEM threat monitoring can keep watch over your important assets. Penetration testing can check for any weaknesses in your apps and infrastructure to ensure no rogue code finds its way through the net. Effective security training can help educate your staff against the threats that are forever lurking in the cyber shadows.
If you make sure your business is doing everything right and has tight defences, it’ll become less profitable for hackers to have their way. The less profitable it becomes and the harder it is, the less of a target you’ll be.
Find your vulnerabilities before a hacker exploits them. Discover penetration testing today.