This post was originally posted on Fox Business

 

Who is the adversary, our cybersecurity “enemy”? Your mind might flash to the visual of a hooded figure with a mask, hacking away on a computer in the shadows of a dimly lit basement.

It sounds pretty scary—if it were only true. Today’s cyber attackers are more sophisticated and corporate in their conduct than ever before.

To protect ourselves against evolving cyberattacks, let’s look at the different types of cybercriminals out there, their preferred targets, the ‘loot’ they seek, and their favorite offensive tactics – starting with cyber-criminal organizations.

Cyber-criminal organizations are disciplined, profit-based entities that pursue vulnerable individuals and companies for their money, personally identifiable information (PII) and protected health information (PHI).

Almost 80 percent of black-hat hackers are connected to a sophisticated criminal organization. They perform drive-by attacks anywhere and anytime, like a typical car thief walking around a parking lot, lifting door handles to see whether any of them will open.

The adversary will collect and store credentials and personal information so they can use it themselves; supply it to a client; extort the victim(s) in question; or sell it on the Dark Web – an anonymous form of web browsing that requires a unique Tor browser.

The Dark Web credential reselling business has grown substantially. Carder’s Paradise is a popular service that sells account credentials priced according to the victim’s FICO credit score. Compromised information like Social Security numbers, dates of birth, and billing addresses can sell for as little as $1 to the highest bidder.

PayPal credentials go for the highest price—$274 per account, followed by bank account credentials ($160), Western Union accounts ($100), and credit card numbers ($20-60). Using this information, malicious actors can assume someone’s identity, open accounts in their name, make fraudulent purchases, and exhaust all credit channels.

The U.S. health care industry is a treasure trove for bad actors – from crooked doctors who bill Medicaid for fraudulent treatments and claims that were never performed, to attackers who impersonate you to receive treatment and send your insurer the bill.

Anthem, the second-largest health insurer in the United States, experienced a breach of 78.8 million patients’ PII in 2015.

Criminals also steal medical details like policy numbers, diagnosis codes, and billing information to obtain insurance, receive payments for fake medical treatments, and even generate counterfeit medical IDs for illicit access to healthcare treatment, prescription drugs, and medical equipment.

Bad actors are also 35 times more likely to steal a child’s identity than an adult’s because children usually don’t have a credit history. Each year, 1.3 million children have their identities stolen, and 50 percent of those victims are younger than 6 years old.

Because of the ease and low detection rate of child identity theft, kids’ SSNs are exploited 51 percent more than adults’. Since children don’t need to use their credit report until they apply for employment, student loans, or their first car or credit card, thieves can run rampant for many years without setting off alarms. Unless you are actively monitoring for a credit file in your child’s name, illegal tactics like this can go unnoticed, sometimes for 15 years or more.

Criminal organizations typically use a combination of phishing attacks, “back-door” breaching of exposed databases, and malware to steal information, sending out massive volumes of phishing attacks to see who will be tricked into handing over their credentials.

For example, because bad actors know I am the CEO of Agio (based on information pulled from LinkedIn and Agio’s website), I receive spear-phishing emails claiming to be from our finance department, trying to trick me into approving wire transfers directed towards an outside account.

Other common phishing emails include fake social media requests, UPS ‘package undeliverable’ notices, free product offers, and tactics that create a sense of urgency. Scare tactics are more effective than reward-based lures because bad actors prey on our hardwired ‘fight-or-flight’ response to perceived threats.

Another example of financially-driven cyberattacks comes from May 2017 when WannaCry became the most significant outbreak of ransomware in history.

Cybercriminals from the Shadow Brokers gang used the leakage of powerful U.S. NSA cyberweapons to spread devastating ransomware that incapacitated hospital systems, businesses, and computer systems worldwide until they literally paid the price.

Readers should set a unique username and password combination, be wary of suspicious-looking emails and websites, and test any wire information provided for payment before moving large sums regularly.

By practicing these basic tenets of cybersecurity hygiene, you can disrupt a bad actor’s attempt to access your accounts, so they will set their sights on “weaker links” instead.

Bart McDonough is CEO and Founder of Agio, a hybrid managed IT and cybersecurity services provider servicing the financial services, health care and payment industries. He is also the author of cybersecurity best seller “Cyber Smart,” and a member of Forbes’ Technology Council, which convenes leading CIOs, CTOs and technology executives from around the country.