Where once a pickpocket would have stolen a credit card and maxed it out or used it until it got cancelled (stealing a couple of grand at most), cyber criminals can now siphon thousands of credit card details from organizations, creating millions of dollars’ worth of profit for themselves.
It may not be something we have given much thought to before, but how do hackers turn the data they steal into hard cash?
According to organized crime expert Misha Glenny, turning this scale of business into real money requires a remarkable level of international organization, involving the coming together of criminals and the smuggling of huge amounts of cash across borders.
Here’s how one group of hackers managed to steal $40m from more than 36,000 ATM withdrawals in late 2012…
By breaking into a credit card processing system used by Bank Muscat (a large bank in the Middle East), hackers were able to read the card data encoded on the magnetic stripe of credit cards, remove the credit limits and change the PINs.
They then used underground websites to recruit teams of low-level criminals across 26 countries to come together for this one project.
Each armed with card-making hardware, blank credit cards (both readily and inexpensively available on the web) and the stolen magnetic stripe data, the gangs were able to produce their own counterfeit cards.
Given the all-clear and the new PIN from the criminal organizers, the gangs were able to walk the streets and withdraw money from every ATM they could find.
After keeping an agreed percentage, they then passed the money on until it finally reached the masterminds of the operation.
What’s frightening in this operation is that it was a faceless crime: the criminals behind the attack didn’t even have to step out of their front door to make their millions, which is probably one of the main reasons they are still at large today.
Man in the middle: black hat hacker makes $15k to $20k an hour…
Another example of how criminals make their money is by simply running an online business.
During an AMA on Reddit’s /r/netsec, a black hat hacker under the username throw4way1945 explained the process of running his 3-million-PC botnet, which he calls the “Black Shadow Project”.
He offers spamming and phishing services: clients pay him to target their victims – e.g. 1 million spam messages sent in blocks of 50,000 for $150, or DDoS attacks on targets of their choice. He claims to send out 90 million spam emails a day to “anyone and everyone”, accepting bitcoin and litecoin for his services, then converting them into US dollars and depositing the proceeds in a bank account.
Regularly test your network and web applications
Organizations are strongly advised to test their network and web applications regularly to identify vulnerabilities and fix them before black hat hackers exploit them. While it’s not always possible to do this in-house, penetration testing services are available to do it for you.
Penetration testing involves simulating a malicious attack on an organization’s information security arrangements, often using a combination of methods and tools. It has to be conducted by a certified ethical professional tester (such as CREST-qualified staff), and the findings will provide you with information about security measures your organization can improve.
As a CREST member company, we’ve been verified by an independent body attesting that our work will be carried out to a high standard by qualified and knowledgeable individuals. Our Web Application Penetration Test combines a number of advanced manual tests with automated vulnerability scans to ensure every corner of your web applications is tested.
The Web Application Penetration Test includes:
- Carefully scoping your testing environment
- Performing a range of manual and automated tests
- Providing a detailed report that explains the vulnerabilities found and recommending measures to address them
- Delivering an executive summary that is perfect for your management team