- Brett Johnson
Can and Will: The Reality of Cybercrime.
Just because a criminal CAN do it, doesn't mean a criminal WILL do it.
This needs to be said. Because in an age of RFID-Blocking Wallets, SS7 Attacks, and other useless trinkets and ideas? Someone needs to set the record straight.
I've been on both sides. And I've been fortunate to have achieved a level of status and respect on both those sides.
One thing I can tell you about committing crime is you aren't going to commit a crime unless it's worth it. And you aren't going to commit that crime in a difficult way if an easier way is available.
This is something the Good Guys don't understand.
Why would I go out and spend money on a bunch of equipment to read RFID signals so I can capture credit and debit card details when I can launch a phishing attack, use MageCart, or get me a nifty skimmer? I wouldn't. It's not worth it. There are easier, Tried and True Ways to accomplish the crime I am wanting to commit. And those Tried and True Ways are cheaper than that RFID reader.
And it's not just RFIDs. We see it today with a host of Marketing Peeps scrambling to discuss how ChatGPT is being used to commit Cybercrime. Or how Fraud is hitting the Metaverse.
Stop, Pause, and think about that for a second. If I'm a Fraudster (with a capital "F") why would I concentrate on defrauding people in the Metaverse when no one knows what it even is yet and the user numbers are so damn low? DeCentraLand and Sandbox have less than 1000 daily users. The victim pool is too low for me to be successful as a Fraudster. I'll hit Twitter instead. Or Reddit. Or Match.com.
Same for ChatGPT. Can it be used to go through code? Absolutely. Is it? Completely different answer. Why would I have a program which scrapes everything it comes into contact with go over my malware before I release it to the wild? And yes, I know there has been some chatter and evidence of it on criminal networks. But I suggest it is just chatter and maybe some peeps where it’s their first day on the job as Cybercriminals (with a capital "C").
Will those things be used to commit or facilitate crime? Maybe. But not until it’s worth it to criminals. Not until it's easier to do so than other methods.
You may not realize it, but this is a very unpopular thing for me to state in this industry. This is an industry where many companies profit based on FUD--Fear, Uncertainty, Doubt. They need a constant influx of boogeymen and things to be worried about in order to sell products and services. Hell, there is even a set of global conferences built around showing off exploits and crimes that no real world criminal will ever commit. They even call the conference "Black Hat." Ask yourself how much of what comes out of Black Hat we ever see in the wild. Right.
Truth is? You don't sell products or services by saying:
Over 90% of Attacks Use Known Exploits. It isn't the stuff we don't know about which causes the Problem. It’s the stuff we do know about, the stuff we haven't done anything about that's the issue. Now go forth and fix your shit.
You say that to a prospect and you might piss them off. They will not buy from you. You say that to a journalist, they aren't going to pick up your story--you aren't going to get your company name in the papers. So better to present each with a set of scary things that aren't likely to happen.
So, it becomes an idea of:
Better to Baffle them with Bullshit than try to Dazzle them with Brilliance.
Clients are shown tools and techniques to scare them into buying. The Press is shown stuff that doesn't happen, but that's really scary. Products and Services are developed to address issues that aren't really issues. Why? Not to fix a problem, but to profit.
Those things do not happen 100% of the time. But they happen often enough to make it endemic in cybersecurity.
Cybercrime isn't Rocket Science.
If I want to get a few hundred dollars off my order at Home Depot I'm not going to "Hack" into Home Depot and change prices. I'm going to go to Etsy and buy a coupon which gives me 15% off my order for $10. Or I'll call up Home Depot and tell them I didn't receive their shipment.
If I want to intercept someone's text messages I'm not going to launch a SS7 Attack, I'm going to do a Sim Swap or Social Engineer the victim into telling me the message.
Can a criminal do those other things? Yes. Will they? Completely different answer.
Understanding that is difficult when profit gets in the way.
It's also difficult because so many in this industry say people need to think like a criminal.
News Flash: Unless you are a criminal? You ain't gonna think like one.