the grugq

Cyber. Strategy. Deception.

Hacking for dollars is hard, innovate

by Leave a Comment

Monetizing a hack is the hard part. For a while hackers tried to impersonate the user and access their bank accounts, or they would try to steal something fungible like CCV and PII… but those methods became harder and less reliable.

Ransomware solved this by coercing the user to act as the hacker’s agent to do monetization. The data on any given computer is basically worthless to anyone but the owner. No one is going to buy a folder of family and friends pictures from Grandma. But grandma will pay anything to get those photos back.

This technique is clearly a natural future progression of cyber crime. It will also be used as cover for destructive attacks, and as obfuscation for other attacks. Innovation in cybercrime creates new opportunities for exploitation.

https://twitter.com/apsalaar/status/1168536842540654592?s=21

Apparently some “online influencer partnership agencies” in Poland got hacked. The hacker calling themselves “The Penetrator” wants some cryptocurrency in ransom and threatens the victims with releasing “massive amounts” of data, including contracts.

https://wycieksiecipartnerskich.000webhostapp.com/?fbclid=IwAR2Fd2xIfBLTujgWgQ9hK08rP8uefd2JuV8fuNX0renq87f9GCGhPBzB57o

https://archive.is/JZVkE

Today’s crimeware is tomorrow’s cyber warfare toolkit

Very important: cyber criminals and hacker communities frequently innovate techniques and technologies that are adopted by state security forces. There are strong reasons for innovation by hackers and criminals, tighter feedback loops, more incentives, and more creative latitude, among many…

Why this matters

Ransom is simply applied coercion, and there are many ways to coerce someone once you have their data. This is the next step in ransomware, or cyber enabled coercion. There is no reason to limit the method of coercion. Just a few options off the top of my head:

  • destroying data (which encryption ransomware typically threatens),
  • releasing data,
  • locking access to online accounts (easier with password manager adoption),
  • posting browser history online and mailing the link to Contacts,
  • Searching Photos for >N% skin tones, and mailing to all Contacts / post online

The future of coercion is bright. Hell, it may even be the entry vector for ML/AI into the cybercrime market!

Liked it? Take a second to support grugq on Patreon!

Leave a Reply

%d bloggers like this: