I have breached your system; I have stolen your customer and employee data, your financial account information and your intellectual property. I have your databases of stored email accounts and a large supply of employee personal data you did not know was stored on your system. (iCloud accounts, Facebook logons, software credentials, etc.)
So now, how do I make money? I mean that’s why I attacked you, I’m a financially motivated hacker. I didn’t attack you because I’m a spy nor did I want to destroy your network nor to embarrass you for your corporate politics, beliefs or lifestyle.
I attacked you to make money.
The easiest play is to use the credit cards right? No not really, carding is a more of an art now as it requires special know how to circumvent address verification systems. In addition, I need “mules” to collect the goods I buy and then reship them.
The credit cards, I have stolen I will sell or trade. Going rate is about $.06 per card. Alternatively, I can trade them to other hackers for services, software or exploits.
Next up is banking details. If I have full access to your bank accounts I can make transfers to accounts I own. Again, this takes some planning, as I need to make sure the accounts the money will be paid into are not in my real name and that as soon as the money arrives in those accounts, I transfer to a second and third account, thus hiding the trail. This takes pre-planning and a good network of people to move the money around and extract the cash.
Now to the email address and employee/customer data. Much of this can be sold to others who are set up to use it for various schemes like phishing to spread malware and botnets.
I’m going to use it for advertising. I have a program that will try to access email servers, social media sites and other online system by inputting the email addresses and passwords I stole. Since 85% of people use the same password for everything, this should be very successful.
Once I access their (your employees’ and customers’) email and social media accounts, I’ll harvest various data sets like addresses and financials to commit fraud. I’ll likely use the access to install ransomware, encrypting the user’s hard drives and demanding payment of about $1500 to provide the password to free up the data. However, I’ll also start impersonating the real account holder.
It’s not really identity theft as most call it. It’s more like as account takeover.
I’ll send out email and posts, comments and tweets as the true owner of the account encourage people to go to websites or click on links. Why? Because I get paid by advertisers to drive traffic to websites with a bonus if I can get them to click on ad links (it’s called performance marketing)
The payment ranges for $2 to $200 per sign up. So I take all the data I have, bounce through VPN’s, proxies and TOR to sign your employees up for Teeth Whiting ads, Netflix, Airline Miles, Ringtones, etc. All of which pay me cash and the victims have no idea “How those companies got their details!” On a good day, this will pay me $1500–1700/day.
Now for the other data, your intellectual property will go to the highest bidder, as there are always people interested in what new products your company has or the real numbers behind your earnings reports. I will also extort you offering to return the data if you pay me. Of course, if you negotiate, it means the data is valuable and I can use that when selling to the bidders on the underground.
The vulnerability I exploited, will garner cash and a reputation online, when I publish it.
Equally, the software and ITunes credentials can be sold or traded on the underground market, just as accounts on various online games like World of Warcraft have a special marketplace.
So let’s see because I stole data from you and your company I (Actually me and the crew I work with) can:
- Extort you, your company, your employees and your customers
- Commit fraud against everyone’s accounts
- Sell or publicize your intellectual property
- Impersonate everyone to drive traffic and sales
- Sell the program I used to exploit the vulnerability in your system
- Create a bot net to steal and monetize more data
- Trade the data for service and build my hacker reputation
- And if I want to, do some stalking, attack your reputation and/or spread corporate lies.
All this without actually applying myself and reading the data stolen to extrapolate other ways to use it like stock manipulation or M&A activities.
Best thing about all this is you will not try to come after me because you are afraid of the reputational damage. You might ask the police or FBI or some other Law Enforcement to chase me down but that will take several years and I may not live in a country where they have jurisdiction.
See, when most breaches or attacks occur, everyone talks about the data stolen and the cost to the company to fix the “hole” but no one talks about how I, the hacker, will use the stolen data.
A cyber attack’s impact depends on the motivation of the attacker.
Crime is for money, Espionage is for secrets, Warfare is for destruction and Activism is to embarrass.
The way the attack occurs; phishing, social engineering, malware installs, etc. is likely the same but, what is taken and how it will be used, is often dramatically different. So is the response. Most Incident Response deals with how the bad guys’ got in and stops there. But, that is only a fraction of the impact.
But then again, I’m the hacker, I encourage you to continue to do the same thing as has been done for the past 15 years when an attack occurs. Just worry about how I got in and plug that hole. I’ll find another hole.
Right now, I’m busy making money off of what I stole.