Contrary to the robbers shown in movies, ones who held banks and stores at gunpoint and demanded money, robbers nowadays are much cleverer and more dangerous in their execution. Cyber-thieves can steal just as much, if not more, armed with nothing more than bits of code.
The cybercrime industry is believed to be a multi-trillion-dollar industry, and this massive wealth potential has led to many organized criminals and state actors joining this crusade. Hackers linked to the North Korean government reportedly stole over $100 million from Bangladesh’s central bank back in 2016.
A recent report from Swift and BAE systems discusses a scheme called “ATM cash-out.” This process involves hacking ATM machines to make them eject large quantities of banknotes, which are then picked up by “money mules” who then launder the money back into the system to render it legitimate. According to the report, this has been carried out by the North Korean hacker group BeagleBoyz, who have made attempts to steal around $2 billion over the last few years.
Another report from technology firm Akamai illustrated the scale of attacks made, over the last few years, against the retail, travel, and hospitality sectors. Dark web activity spread the word about their vulnerabilities allowing attackers to exploit them in masses.
The aura of panic and uncertainty caused by the COVID-19 lockdown measures implemented in the first half of 2020 saw a surge in the number of password combination lists circulating the dark web. These lists were often compared with re-circulated older lists to identify weaker, more vulnerable accounts.
This caused a spike in criminal activity. According to the report, between July 2018 and June 2020, around 100 billion credential stuffing attacks occurred, with over 60 percent of these in the retail, travel, and hospitality sectors.
Aside from credential stuffing, criminals commonly use SQL Injection (SQLi) and Local File Inclusion techniques to target these sectors. During the same period, nearly 4.5 billion attacks using these methods were observed, with SQLi-based attacks particularly prominent.
As we enter the peak retail season, Christmas shoppers are likely to opt for an online shopping experience due to COVID restrictions. Due to this, their bargain-hunting will be digitally focused, with the reward points collected over the year being spent to obtain exclusive discounts and offers.
These loyalty programs allow cybercriminals to hack and retrieve the personal data of customers, which they graciously use to conduct various crimes ranging from identity fraud to account theft.
Akamai states that “Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”
There may no longer be as physical a threat for banks and stores as previously; however, the danger of cybercriminals being able to do much worse from anywhere in the world is nothing to be taken lightly. It is time for the industry to acknowledge this threat and ensure protection against it.