As a wise man once said, “Never put down to malice what can be ascribed to stupidity.” This adage could easily be applied to the founders of ‘hackers for hire’ web site needapassword.com, who were arrested by the FBI on (strong, it has to be said) suspicion of running a web site which stole passwords to email accounts.
Is ‘stupid’ too strong? Given the fact that the site used Paypal as a payment mechanism, probably. The pair didn’t go particularly out off their way to cover their tracks, and even had terms and conditions on their web site which warned users against illegal use of their services.
The Arkansas duo weren’t the only people involved in what amounted to an internationally co-ordinated investigation, covering the USA, Romania, India and China. Security experts often point out that a chain is only as strong as its weakest link - in this case, the spread of the hackers-for-hire network was broad enough to offer investigators a route in. Once one part was compromised, so was the rest.
As we know, however, such examples are just the tip of the hacking iceberg, the technological equivalent of stealing tools from an open shed. Of greater concern are smarter groups which work for richer, and more desperate clients.
We shouldn't be surprised that financial companies - involved in asset management, investment banking, mergers and acquisitions - are the ones most targeted by such groups: after all, according to the old adage, "That's where the money is." Geography doesn't appear to be a limitation - while many attacks are currently in South Korea and Japan, a major attack cited by the paper (VOHO, which involved a 'watering hole' campaign) was in the US.
In our September 2013 Intelligence Report, we reported that such attacks are not only increasing, but the organizations involved are becoming more corporate. For example, Hidden Lynx has been set up to offer hacking services to other groups. Hidden Lynx appears to be a highly professional outfit, the goal of which is to "gain access to information within organizations in some of the wealthiest and most technologically advanced countries."
A darkly vibrant market in hacking services is developing for such organizations, essentially, showing others how it is done. We do not believe that the information being accessed is particularly easy to sell in its own right, leading us to believe that the hacking attacks are more likely to have been commissioned for express purposes such as corporate or state espionage or fraud.
For our enterprise clients, the message is clear: leaving confidential information weakly protected is becoming like entering a war zone without armor. You might not get hit, but any idea of 'security by obscurity' should be consigned to the past. Even if you do not fully appreciate the value of your information and the importance of protecting it, the chances are, others will.