Top 50 Cybersecurity Threats

1. Account Takeover

Account takeover is considered one of the more harmful ways to access a user’s account. The attacker typically poses as a genuine customer, user or employee, eventually gaining entry to the accounts of the individual they’re impersonating. Scarier yet, user credentials can be sourced from the deep web and matched against e-commerce sites with the help of bots and other automated tools for quick and easy entry.

FitBit even fell victim to this type of attack when hackers used exposed log-in details to access customers’ FitBit accounts, changed the email address each account was registered with, and then called customer support with a complaint about the device so that they could get a replacement under warranty.

Rather than stealing the card or credentials outright, account takeover is more surreptitious, allowing the attacker to get as much use out of the stolen card as possible before being flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, and any website that requires a login is susceptible to this attack.

Some of the most common methods include proxy-based “checker” one-click apps, brute force botnet attacks, phishing and malware. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of “Fullz,” a slang term for full packages of identifying information sold on the black market. Once the profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system.

An enormous volume of our transactions — financial and otherwise — take place online. For cybercriminals, acquiring account credentials and personal information (like social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they choose to sell the acquired information or use it for their own gain. As such, these kinds of attacks can originate anywhere in the world.

2. Advanced Persistent Threat

In one of the most notable data breaches in U.S. history, the attack on the U.S. Office of Personnel Management (OPM), security experts found that state-sponsored attackers used an advanced persistent threat sponsored by the Chinese government.
The attack on OPM compromised over 4 million records, including information on current, former and prospective federal government employees, as well as their family members, foreign contacts and even psychological information.

An advanced persistent threat (APT) is a highly advanced, covert threat on a computer system or network where an unauthorized user manages to break in, avoid detection and obtain information for business or political motives. Typically carried out by criminals or nation-states, an APT’s main objective is financial gain or political espionage. While APTs continue to be associated with nation-state actors who want to steal government or industry secrets, cyber criminals with no particular affiliation also use APTs to steal data or intellectual property.

An APT usually ranges from highly advanced tactics, including a fair amount of intelligence gathering, to less sophisticated methods used to get a foothold in the system (e.g., malware and spear phishing). Various methodologies are used to compromise the target and to maintain access. The most common plan of attack is to escalate from a single computer to an entire network by reading an authentication database, learning which accounts have the appropriate permissions and then leveraging them to compromise assets. APT hackers will also install backdoor programs (like Trojans) on compromised computers within the exploited environment. They do this to make sure they can gain re-entry, even if the credentials are changed later.

Most APT groups are affiliated with, or are agents of, governments of sovereign states. An APT could also be a professional hacker working full-time for the above. These state-sponsored hacking organizations usually have the resources and ability to closely research their target and determine the best point of entry.

3. Amazon Web Services (AWS) Attacks

The number of creative attacks on virtual environments has exploded with the rise of cloud computing. And as one of the largest cloud-service providers, Amazon Web Services has certainly had its share of threats. There are several vulnerabilities that threaten the security of cloud providers. One digital marketing company, for example, didn’t password protect its Amazon S3 bucket when it went out of business. The lapse exposed the data of 306,000 people. The full leak exposed 50,000 files, totaling 32GB of full names, locations, email addresses, phone numbers and hashed passwords, from clients such as Patrón Tequila.

Amazon’s “shared responsibility” model says AWS is responsible for the environment outside of the virtual machine, but the customer is responsible for the security inside of the S3 container. Because the organization using AWS is responsible for securing its own environment, threats that take advantage of misconfigurations and deployment errors have become a bigger problem as companies have adopted cloud technologies rapidly. The problem is that there are still more threats that AWS customers have to worry about.

An attack on an AWS instance can happen in a number of ways. The accelerated shift to the cloud brought on by the global COVID-19 pandemic increased the number of threats for cloud providers. It’s important to stay vigilant for suspicious behavior inside of an AWS environment. Other activities to look out for are S3 access from unfamiliar locations and by unfamiliar users. It’s also important to monitor and control who has access to an organization’s AWS infrastructure. Detecting suspicious logins to AWS infrastructure provides a good starting point for investigations. Abusive behavior driven by compromised credentials can lead to direct monetary costs, because users are billed for any EC2 instances created by the attacker.

Because of the diversity of services being hosted on AWS and the new types of cloud threats being spun up daily, these attacks can virtually come from anywhere and anyone.

4. Application Access Token

Pawn Storm, an active and aggressive espionage group, uses different strategies to gain information from their targets. One method in particular was to abuse Open Authentication (OAuth) in advanced social engineering schemes, targeting high profile users of free webmail. The group also set up aggressive credential phishing attacks against the Democratic National Convention (DNC), the Christian Democratic Union of Germany (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera and many other organizations. They continue to use several malicious applications that abuse OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.

With an OAuth access token, a hacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a “refresh” token enabling background access is awarded.

Attackers may use application access tokens to bypass the typical authentication process and access restricted accounts, information or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Compromised access tokens may be used as an initial step to compromising other services. For example, if a token grants access to a victim’s primary email, the attacker may be able to extend access to all other services that the target subscribes to by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to countermeasures like changing passwords.

5. Bill Fraud

Zelle is a financial service that allows customers to easily send money to friends and family. Yet the very same features that make Zelle so quick and efficient for transferring funds are also being exploited by cyberthieves for monetary gain. Hackers and scammers use the system to pilfer funds away from consumers in payment fraud schemes, sometimes wiping out entire bank accounts.

Bill fraud — or payment fraud — is any type of bogus or illegal transaction where the cybercriminal will divert funds away from consumers. And these schemes work — according to recent data from the FTC, consumers reported they have lost over $1 billion in fraud complaints from January 2021 through March 2022.

This attack tricks a large number of users into repeatedly paying small or reasonable amounts of money so they don’t notice the scam. In this ploy, attackers send fraudulent but authentic-looking bills instructing customers to transfer funds from their accounts.

Knowing that most customers regularly use fee-based digital services, the attackers rely on the fact that their targets may mistakenly assume the fraudulent bill is for a service they actually use. Consumers will then initiate a funds transfer or credit card payment to pay for the phony “bill.”

Bill fraud organizations originate all over the world, including the U.S. It’s typically sourced to attackers with the resources, bandwidth and technology to create fraudulent bills that look real. Like phishing, bill fraud generally targets a broad, random population of individuals.

6. Brute Force Attack

In a now-infamous brute force attack, over 90,000 PlayStation and Sony Online Entertainment accounts were compromised in 2011. Hackers attempted countless username and password combinations from an unidentified third party, eventually ransacking members’ accounts for personal information.

The now-discontinued Club Nintendo also fell victim to the same type of attack in 2013, when hackers executed a coordinated attack on over 15 million members, eventually breaking into over 25,000 forum members’ accounts. All compromised accounts were suspended until access had been restored to the rightful owners — but the damage to brand reputation had already been done.

A brute force attack aims to take personal information, specifically usernames and passwords, by using a trial-and-error approach. This is one of the simplest ways to gain access to an application, server or password-protected account, since the attacker is simply trying combinations of usernames and passwords until they eventually get in (if they ever do; a six-character password has billions of potential combinations).

The most basic brute force attack is a dictionary attack, where the attacker systematically works through a dictionary or wordlist — trying each and every entry until they get a hit. They’ll even augment words with symbols and numerals, or use special dictionaries with leaked and/or commonly used passwords. And if time or patience isn’t on their side, automated tools for operating dictionary attacks can make this task much faster and less cumbersome.

Thanks to the ease and simplicity of a brute force attack, hackers and cyber criminals with little-to-no technical experience can try to gain access to someone’s account. The people behind these campaigns either have enough time or computational power on their side to make it happen.
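
The account-takeover and brute-force sections above describe the same raw signal seen from the defender's side: many failed logins from one source, either spread across many usernames (credential stuffing by bots) or hammering a single account (classic brute force). The following is an added example, not code from the original article; the log format, thresholds and sample entries are constructed assumptions, and it also flags a success that follows a burst, which is the takeover signal to act on first.

```python
"""Classify failed-login bursts per source IP over constructed auth log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <result> user=<name> ip=<addr>").
# 203.0.113.5: five different users fail, then one succeeds  -> credential stuffing + takeover
# 198.51.100.7: one account fails six times                    -> brute force
# 192.0.2.9:    a single typo followed by a normal login       -> normal
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:01 FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:04 FAIL user=erin ip=203.0.113.5
2024-05-01T10:00:05 OK   user=frank ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=admin ip=198.51.100.7
2024-05-01T10:01:01 FAIL user=admin ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=admin ip=198.51.100.7
2024-05-01T10:01:03 FAIL user=admin ip=198.51.100.7
2024-05-01T10:01:04 FAIL user=admin ip=198.51.100.7
2024-05-01T10:01:05 FAIL user=admin ip=198.51.100.7
2024-05-01T10:30:00 FAIL user=grace ip=192.0.2.9
2024-05-01T10:30:40 OK   user=grace ip=192.0.2.9
"""

WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)
FAIL_THRESHOLD = 5              # failures inside WINDOW from one source before alerting
DISTINCT_USER_RATIO = 0.8       # share of distinct usernames that marks stuffing, not brute force


def parse(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]


def analyze(log_text):
    """Return {ip: {"verdict": ..., "success_after_burst": bool}} for every source IP.

    Verdicts: 'credential_stuffing' (burst spread over many users), 'brute_force'
    (burst concentrated on few users) or 'normal' (threshold never reached).
    """
    events = defaultdict(list)  # ip -> [(ts, result, user), ...]
    for line in log_text.splitlines():
        ts, result, user, ip = parse(line)
        events[ip].append((ts, result, user))

    report = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, res, user in evs if res == "FAIL"]
        verdict, burst_end, start = "normal", None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:   # slide window forward
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= FAIL_THRESHOLD:
                distinct = len({u for _, u in burst})
                verdict = ("credential_stuffing"
                           if distinct / len(burst) >= DISTINCT_USER_RATIO else "brute_force")
                burst_end = burst[-1][0]
                break
        # A successful login at or after the burst is the account-takeover indicator.
        success_after = burst_end is not None and any(
            res == "OK" and ts >= burst_end for ts, res, _ in evs)
        report[ip] = {"verdict": verdict, "success_after_burst": success_after}
    return report
```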

7. Business Invoice Fraud

Even the largest technology firms aren’t immune to invoice fraud. According to an investigation by Fortune Magazine, both Facebook and Google unwittingly fell victim to a massive business invoice fraud scheme. The fraudster, a Lithuanian man known as Evaldas Rimasauskas, created invoices impersonating a large Asian-based manufacturer that frequently did business with the two companies to trick them into paying for bogus computer supplies. Over two years, the fraudster duped the two tech giants into spending tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had allegedly stolen more than $100 million.

Business invoice fraud attempts to trick victims into paying out on a fraudulent (but convincing) bill addressed to your organization. In reality, the funds go to imposters mimicking suppliers. These hackers will often bill a reasonable amount so they don’t draw suspicion. But executing these scams hundreds or thousands of times quickly adds up.

In this attack, victims are sent fake invoices attempting to steal money in the hopes that marks aren’t paying attention to their accounts payable processes. Hackers will pick targets based on the size of their business, location and the suppliers used and create phony invoices that appear legitimate. With the hopes that the victim’s accounts payable department is backlogged, they send false invoices with high demands like “90 days past due, pay now!”

While there are numerous individual scammers pulling off business invoice fraud, many are sourced to fraud rings that have the organization and the resources to research their victim’s banking institution and create a billing experience that feels real. Fraud rings conducting invoice scams can be found all over the world.

8. Cloud Access Management

Moving to the cloud has countless advantages, from fostering collaboration to allowing employees to work from almost anywhere in the world. The importance of this flexibility was on display when the global COVID-19 pandemic hit. But switching to a cloud-based service can carry a fair amount of risk — oftentimes due to human error.

Wyze Labs, a company that specializes in low-cost smart home products, experienced this first hand. A major breach occurred at the startup when an employee built a database for user analytics, only to accidentally remove the necessary security protocols. As a result, a database’s worth of customers’ personal information was exposed.

Managing permissions for your organization has become increasingly important in order to avoid a cloud-based breach. Lax or nonexistent security — and in this case, incorrectly configured security controls — can easily jeopardize the security of your data, exposing your organization to an unnecessary amount of risk, including significant damage to brand reputation.

This attack usually happens because of poor communication, lack of protocol, insecure default configuration and poor documentation. Once the attacker exploits the vulnerability and gains a foothold in your cloud environment, they can leverage privileges to access other remote entry points, looking for insecure applications and databases, or weak network controls. They can then exfiltrate data while remaining undetected.

Mismanagement and misconfiguration of a cloud environment isn’t considered a malicious act in and of itself, and as mentioned, typically occurs due to human error.

9. Cloud Cryptomining

Cloud cryptomining doesn’t need gas to go. Look no further than Tesla for evidence. The electric carmaker fell victim to a cloud cryptomining attack when hackers took advantage of an insecure Kubernetes console, stealing computer processing power from Tesla’s cloud environment to mine for cryptocurrencies.

Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it’s par for the course that ambitious, yet unscrupulous, miners make amassing the computing power of large enterprises — a practice known as cryptojacking — a top priority.

Cryptomining has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services, Google Cloud Platform (GCP) and Microsoft Azure.

It’s difficult to determine exactly how widespread the practice has become, since hackers continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage and hiding the mining pool’s IP address behind a free content delivery network (CDN).

When miners steal a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it’s critical to monitor systems for suspicious activities that could indicate that a network has been infiltrated.

Because cryptocurrency is a global commodity, the attacks can originate from anywhere. Instead of focusing on where the attacks come from, it’s key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high number of instances, or compute instances started by previously unseen users.
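
The AWS and cloud cryptomining sections both come down to baseline-and-deviation monitoring: learn which users, regions and source addresses are normal for an account, then flag S3 access from an unfamiliar address, activity by a never-seen user, instances launched in a previously unseen region, and a user launching an abnormally high number of instances. The following is an added example, not code from the original article or from AWS; the events use a simplified subset of CloudTrail field names, and the sample events, baseline window and launch threshold are constructed assumptions.

```python
"""Baseline-and-deviation review of constructed, CloudTrail-style cloud audit events."""
from collections import Counter, defaultdict

RUN_INSTANCES_LIMIT = 10                               # launches per user per review window (assumed)
S3_READS = {"GetObject", "ListObjects", "ListBucket"}  # S3 read calls we treat as "S3 access"


def ev(name, region, ip, user):
    """Build a minimal CloudTrail-like event dict (constructed shape, fixed sample account id)."""
    return {"eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}


# Constructed 'known good' history used to learn what is normal for this account.
BASELINE = [
    ev("ConsoleLogin", "us-east-1", "198.51.100.10", "alice"),
    ev("GetObject", "us-east-1", "198.51.100.10", "alice"),
    ev("RunInstances", "us-east-1", "198.51.100.10", "alice"),
    ev("GetObject", "eu-west-1", "198.51.100.20", "bob"),
]

# Constructed events under review: one normal, the rest mirroring the article's indicators.
NEW_EVENTS = [
    ev("GetObject", "us-east-1", "198.51.100.10", "alice"),          # normal
    ev("GetObject", "us-east-1", "203.0.113.77", "alice"),           # S3 access from unfamiliar IP
    ev("ConsoleLogin", "us-east-1", "203.0.113.77", "mallory"),      # never-seen user
    ev("RunInstances", "ap-southeast-1", "203.0.113.77", "mallory"), # instance in unseen region
] + [ev("RunInstances", "us-east-1", "198.51.100.10", "alice")] * 12  # burst of launches (cryptojacking pattern)


def build_baseline(events):
    """Collect the users, regions and per-user source IPs seen in the trusted history."""
    base = {"users": set(), "regions": set(), "ips": defaultdict(set)}
    for e in events:
        user = e["userIdentity"]["arn"]
        base["users"].add(user)
        base["regions"].add(e["awsRegion"])
        base["ips"][user].add(e["sourceIPAddress"])
    return base


def review(events, base):
    """Return sorted, de-duplicated (reason, user_arn) findings for the events under review."""
    findings = set()
    launches = Counter()  # user -> RunInstances calls in this window
    for e in events:
        user, region = e["userIdentity"]["arn"], e["awsRegion"]
        ip, name = e["sourceIPAddress"], e["eventName"]
        if user not in base["users"]:
            findings.add(("unseen_user", user))
        elif name in S3_READS and ip not in base["ips"][user]:
            findings.add(("s3_access_from_unfamiliar_ip", user))
        if region not in base["regions"]:
            findings.add(("unseen_region", user))
        if name == "RunInstances":
            launches[user] += 1
    for user, n in launches.items():
        if n > RUN_INSTANCES_LIMIT:
            findings.add(("excessive_instance_launches", user))
    return sorted(findings)
```

In a real deployment the baseline would be rebuilt from a trailing window of audit history rather than a fixed list, and each finding would carry the triggering event for the investigation.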

10. Command and Control

The first known take down of a country’s power grid from a cyberattack happened on December 23, 2015. The details of the hack are summarized in detail by Wired. At about 3:30 pm local time, a worker inside the Prykarpattyaoblenergo control center saw his mouse’s cursor move across the screen.

The ghostly cursor floated toward the digital controls of the circuit breakers at a substation, and began taking them offline. Almost 30 substations subsequently went down, and 230,000 residents were forced to spend a cold evening in the dark in Western Ukraine, with a blistering low of 30 degrees Fahrenheit.

A command and control attack is when a hacker takes over a computer in order to send commands or malware to other systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data.

In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are also often referred to as C2 or C&C attacks.

Most hackers get a foothold in a system through phishing emails and then installing malware. This establishes a command and control channel that’s used to proxy data between the compromised endpoint and the attacker. These channels relay commands to the compromised endpoint and the output of those commands back to the attacker.

There have been prominent command and control attacks originating from Russia, Iran and even the U.S. These attackers can come from anywhere and everywhere — but they don’t want you to know that.

Since communication is critical, hackers use techniques designed to hide the true nature of their correspondence. They’ll often try to log their activities for as long as possible without being detected, relying on a variety of techniques to communicate over these channels while maintaining a low profile.
