Digital thieves’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model.
It’s a good time to be a cybercriminal. There are more victims to target, there is more data to steal, and there is more money to be made from doing so than ever before.
It would seem to follow, then, that there’s been very little progress since 2007, when hackers stole at least 45.6 million credit-card numbers from the servers of TJX, the owner of TJ Maxx and Marshalls, catapulting the now-commonplace narrative of the massive data breach to national prominence.
But the truth is that the forces of cyber law and order have made lots of headway in the past decade.
There are still large-scale data breaches, but credit card companies are getting better at detecting them early and replacing customers’ cards as needed, payment networks are pushing microchip-enabled cards that render transaction data worthless to criminals, and law enforcement has gotten smarter and savvier. Just ask Albert Gonzalez, who masterminded the TJX breach and is currently serving a 20-year prison sentence.
The biggest shift in the past decade is that it has gotten much less profitable to do what Gonzalez did—namely, steal millions of payment-card numbers and sell them to fraudsters. According to the cybersecurity firm Intel Security, the price of a stolen payment-card record has dropped from $25 in 2011 to $6 in 2016.
“We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security. “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”
Cybersecurity is often framed as a matter of keeping up with the rapid evolution of online attacks—patching software vulnerabilities and identifying new malware programs. But cybercriminals’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model: They have started selling stolen data back to its original owners.
To keep cybercrime profitable, criminals needed to find a new cohort of potential buyers, and they did: all of us. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.
This represents quite a departure from the model for most cybercrimes 10—or even five—years ago. It used to be that someone would steal a huge cache of stored data, usually credit-card numbers and billing information belonging to U.S. customers, and sell this data to other criminals, who would use it to manufacture fraudulent credit cards overseas. Those cards would then have to be brought back to the U.S. to be sold, in order to avoid triggering fraud alerts.
Each stage of this process provided law enforcement with an opportunity to track the payments made between buyers and sellers of stolen information and monitor the movement of money between national borders. (Following this money trail ultimately led to the identification and prosecution of several cybercriminals, including Gonzalez.)
So, historically, the riskiest stages of cybercrimes have been the ones that come after the perpetrator has already successfully stolen data from a protected computer. Finding a way into a computer system to steal data is relatively easy, but finding a way to monetize that data—making sure that credit-card companies don’t cancel stolen card numbers before they’re sold, identifying buyers willing to pay a good price, and hiding those profits from the police—can be much harder.
But the calculus changes if victims can be persuaded to buy back their own data, in some cases because of a ransomware attack, which encrypts their computers until they pay a ransom. In other cases, some individuals and companies monitor the black market to see if their own stolen data is up for sale, and purchase it to prevent it from falling into the wrong hands. Whether victims are coerced into paying a ransom or voluntarily make a bid, the sale of stolen data back to its original owner solves a pressing problem for cybercriminals: It transforms data that was nearly worthless into a very valuable asset.
The contents of any given person’s hard drive, for instance, would be unlikely to fetch a large sum on the black market. But to that person, that data is probably worth at least a few hundred (or even a few thousand) dollars. Conveniently for criminals, this also often means dealing not with a small group of fellow criminals, but instead with a much larger population of lay users who are unlikely to disappear behind bars.
All this explains why the use of ransomware is increasingly common. The FBI reported some 2,500 incidents in 2015, from which individuals and organizations lost $1.6 million. It’s not known how much money in total is spent by companies and organizations to directly purchase stolen data or intellectual property, but such stories are increasingly common (even if few major companies,other than PayPal, openly admit to the practice).
Rodney Joffe, a senior vice president at the technology firm and domain-name registry Neustar, says he knows of individual organizations that have paid tens of thousands of dollars to criminals for stolen data.
“What would shock you is how many companies have quietly gone ahead and paid for information to be returned,” Joffe says. “It’s not the kind of thing they publicize.”
That wasn’t a choice for Hollywood Presbyterian Medical Center, a hospital that was hit by a ransomware attack earlier this year. The hospital initially tried to thwart its attacker’s demand of 9,000 bitcoins by abandoning their encrypted computers, resorting to the use of paper medical records and registration forms, and communicating with other hospitals via fax.
Those pre-digital operations proved unsustainable, and the hospital negotiated with the ransomers, ultimately making a payment of 40 bitcoins (then worth about $17,000) to restore their systems.
Ransomware has grown more popular in part because it is not difficult to deploy.
“A huge number of criminal groups across the globe are now adopting ransomware as one of their primary techniques because it is so easy to do,” says Dmitri Alperovitch, the co-founder of and chief technology officer at CrowdStrike, a cybersecurity firm. “A first-year computer-science student can do it and then you just sit back and wait for the money to hit your account.”
But its ease of implementation does not alone explain its rise. While the concept of ransomware dates back as far as 1989, only recently have other technologies allowed it to thrive. Over the years, any influx of cash into the market for stolen data has only been lucrative for criminals as long as their payments cannot be traced by the police.
Fully capitalizing on this demand requires an anonymous mechanism for transferring payments from victims to thieves. So, ransomware began to flourish as cryptocurrencies like bitcoin, which offered just such anonymity, came into their own.
At some point, cybercriminals are likely to want to convert their bitcoin profits back into a traditional currency. In order to convert cryptocurrency into cash, cybercriminals would need to use a bitcoin exchange, and today it’s still easy for them to mask their identity there.
“A lot of these places right now don’t subscribe to any of the ‘Know Your Customer’ laws that typical institutions have to abide by, that require customers to show their driver’s license, or passport,” says Alperovitch. “More can be done to apply these KYC regulations to these virtual currencies and bitcoin exchanges worldwide.”
Alperovitch says that these regulations could be applied to bitcoin exchanges more rigorously, but individuals can take other defensive measures, including being cautious when clicking on suspicious links or attachments and keeping thorough backups of personal data. However, the question of how much individual users can and should do to protect against these sorts of breaches raises the larger issue of who is responsible for them when they occur—and who should be footing the bill.
In many cases when victims buy back their own data, they are the ones responsible for the breach, perhaps because they clicked on an email attachment containing ransomware. So it often seems fair for the victims to bear these costs. But that means that the companies who are best equipped to tackle these threats effectively at scale—the operating-system and browser developers that could flag suspicious downloads, or email providers that could block suspicious attachments, or internet service providers that could quarantine the machines being used to deliver those emails en masse—have relatively little incentive to do so. Instead, the burden falls primarily on individual users and companies, whose best options are to learn to be a little more careful and to make a lot more backups.
Of course, backing up personal data only protects against certain types of attacks.
“I expect in the future that we’ll see more attacks along the lines of targeting a manufacturing company, finding their formulas and blueprints, and then telling the company, ‘I’m going to send this to your competitor tomorrow if you don’t pay me today,’” says Ben Johnson, the co-founder of and chief security strategist at Carbon Black, a cybersecurity firm.
Agreeing to that arrangement comes with its own set of concerns.
“In almost every case, the criminals still have the data,” Joffe points out. “There’s nothing to buy back—you’re buying the silence of whoever has stolen it. There’s a much clearer case historically for buying back stolen goods that belong to you than there is for buying the silence of someone who’s committed a crime. It’s much more of a gray area.”
Indeed, deciding whether or not to pay for access to stolen data is complicated by the possibility of dealing with a dishonest seller.
“If you pay there’s no guarantee that you will get the actual decryption key,” says Chris Stangl, a section chief at the FBI's Cyber Division. “The latest trend we’re seeing is a company will attempt to negotiate with the criminal and then they pay and the next day the criminals want more money.”
So, just like sellers in legal marketplaces such as Amazon and eBay, sellers of stolen information are now focusing on their online reputations, which can signal to victims that they are “trustworthy” criminals, Krebs says.
“Thieves at the end of the day are dependent on their reputation in the underground, and if they have a reputation for ripping people off then they won’t get customers,” he explains. Recently, as more criminals have entered the market, “Good criminals’ reputations are being ruined by bad criminals,” Joffe says.
Regardless of what individuals and organizations should do when presented with the opportunity to buy stolen data, what are they legally allowed to do? The guidance from law enforcement on whether victims should pay ransoms or directly purchase stolen data remains ambiguous.
Last year, Joseph Bonavolonta, an FBI agent, stirred controversy when he spoke at a security conference in Boston and told the audience, “We often advise people just to pay the ransom.”
But Stangl, of the FBI’s Cyber Division, tells me that “the FBI doesn’t condone payment because payment in our view allows for that criminal model to develop and may allow the activity to continue.” Still, he adds, “We do recognize that companies need to make informed decisions and … sometimes you have to pay to get access to your data back.”
The Jusitce Department has no position on whether or not buying back stolen data is legal, according to a spokesperson. However, John Delmore, an assistant general counsel at the FBI’s Cyber Law Unit, says that “in the vast majority of situations, you would not be breaking the law when you do that, and it’s certainly not something the FBI would pursue in an investigation.” (He says that an exception to this could be any transaction involving a terrorist group.)
The reluctance of law-enforcement agencies to take a clear stance is surprising.
“In the physical world, you have law enforcement coming out against paying ransom for hostages, but in this case we’ve seen law-enforcement agencies not only recommend it but actually paying it themselves,” Alperovitch says, referring to incidents in which police departments have paid bitcoin ransoms to recover control of their systems. “The problem you have here is that literally everyone is experiencing this problem. No one is immune. Luckily, hostage-taking is a pretty rare activity in our society, so it’s easy to recommend not paying a ransom when they know they’re not likely to experience that issue themselves.”
Trusting criminals to do right by victims is a treacherous business, but for now, it seems, enough of them will keep their word if paid. And as long as those payments keep coming in, this new business model is likely to remain effective. Possibly the only way, short of a global crackdown on cryptocurrency exchanges, to put a real dent in the profits of cybercriminals is to organize a concentrated campaign to stop people from paying. But it’s hard to see such a campaign gaining much traction, given how valuable targeted systems tend to be.
“I don’t think it’s realistic to encourage people not to pay these ransoms,” Alperovitch says. “How do you tell a hospital that has to keep people alive not to pay the ransom?”