In April, Trend Micro released a research paper about sextortion, the means through which cybercriminals obtain compromising personal images or videos of Internet users, which they then hold hostage until their demands have been met. Fast-forward to July and we have seen the hack of controversial adultery/dating site Ashley Madison, in which cybercriminals wreaked havoc as they threatened to slowly leak the data of the adulterers using the site, until it and its companion site, Established Men, were shut down.
An article in Time calls this tactic “Hacking 2.0” — this new hacking method is not about the data, but the context. Making money from stolen data, like credit cards, is a lot of work, and cybercriminals have latched onto the fact that they have a larger pay cheque to gain from those who stand to lose more than just money. Hence, a hack like Ashley Madison’s, which could destroy — and has destroyed — reputations and families, is a gold mine for the team responsible for the hack, The Impact Team.
Moral opinions about Ashley Madison aside, no one appreciates their personal information being kidnapped and held for ransom. But cybercriminals are cunning, and they know that if they keep the sums low enough, people who stand to lose more than money would rather pay up. In this case, the Ashley Madison hackers offered users the ultimatum of paying US$19 to have all their information wiped off the site or having it leaked. But there is, of course, no guarantee that you can trust a cybercriminal.
According to Time, there is a new reality that’s making matters worse for corporate security teams: in recent years there has been heavy investment in protecting financial data, with money spent to fortify the most valuable data. So, while credit cards may be protected, e-mail servers may have been left in the lurch. This will slowly change as personal data of different contexts becomes a bargaining chip for cybercriminals.
Ashley Madison is just one example of an enterprise that has been targeted in this manner. Another example is the malware Cryptolocker, which forced victims to pay a sum to unscramble their data. This racket made $27m in just the first two months from small home owners and businesses. And then there was the Sony hack in December 2014, in which cybercriminals stole corporate e-mails and embarrassed the company. In Hacking 2.0, cybercriminals don’t need to steal your money; all they need is any data that is valuable to you.
This means that executives should be working tirelessly to make an honest assessment of what their enterprise’s valuable data really is. Then wise investments need to be made in protecting data that might seem inconsequential if stolen in one context, but would be a disaster if stolen in another. The bottom line? Every company will now have to plan for ransom and extortion scenarios.
- Ihab Moawad is regional vice-president at Trend Micro