The excitement around NFTs, rich digital experiences and Internet-connected devices, highlights the craftmanship of digital professionals. This streak of creativity, however, extends to cybercriminals who are developing highly imaginative, sophisticated and cutting-edge approaches to crimes that are difficult to detect and identify. The period of digital acceleration we’re experiencing and the ‘Internet of Things’ are fueling opportunities for thieves, requiring businesses to focus on better protecting themselves and their customers.
About the author: Jamie Bartlett is an award-winning author and broadcaster. He’s the author of The Dark Net and The People Vs Tech. His current project is the hit BBC podcast series, The Missing Cryptoqueen, which investigates the multibillion dollar crypto Ponzi scam, OneCoin.
The creativity of criminals
Browsing through Spotify a couple of years ago, you might have come across ‘Music from the Heart’ or ‘Soulful Music.’ Both were highly popular playlists — although the music was dreadful: Soulful Music contained 467 hastily arranged songs, nearly all under a minute long and composed by artists no one had ever heard of. But someone was listening. An ingenious cyber gang had created these playlists and used machines to generate each song (so they owned the copyrights). It then set up thousands of premium accounts to listen on a randomised repeat loop, always skipping to the next song after 30 seconds — at which point the $0.004 royalty payment kicked in. For months, thousands of fake accounts listened to fake songs on fake playlists. The only thing that was real was the nearly $1 million they made off with.i
It's hard not to feel a little admiration for the audacity, ingenuity and business acumen of the fraudsters behind this ruse. They might be immoral, but most cybercriminals, whether it’s the cliché kid-in-a-hoodie or a well-paid foreign government agent, are just as smart, creative and motivated as you are. And they don’t have to worry about ‘GDPR’ either.
There are examples of creative and opportunistic cybercrime everywhere. Who first figured out how to make cryptocurrencies work for ecommerce? Dark net drug dealers. And no sooner had COVID-19 arrived, scammers were posing as NHS Test and Trace staff — trying to obtain personal details, selling fake vaccine passports, and firing out emails offering fraudulent COVID-19 support packages. Although they’re often technically skilled, their real talent is playing to human foibles, especially laziness and greed. The biggest crypto-scam ever — a Ponzi pyramid scheme called OneCoin — fleeced almost one million people out of at least €4 billion, mostly by playing on people’s fear of missing out on ‘the next bitcoin.’
Cybercriminals remaining talented and opportunistic is a given, which is worrisome because two important trends will make their craft even easier — and we must be ready to respond.
The Internet of everything
The first issue is everything is turning into a computer because everything is getting chipped and connected. The fridge of tomorrow might look like a fridge, but in reality, it will be a computer with a fridge application. The same is true of a growing number of our everyday devices: the smart TV, car, office desk, coffee machine, clothes, etc. Soon, writes cybersecurity specialist Bruce Schneier, “Saying ‘I’m going on the Internet’ will make as much sense as plugging in a toaster and saying ‘I’m going on the power grid’.” This means computer security will be everything security. The problem is hackers are already ahead of the curve: In 2018, a casino in the US was hacked via its Internet-connected, fish-tank ¬thermometer. Cars have been hacked through the DVD player, navigation system, and even computers embedded in the tires.ii
The second issue computers will keep getting faster and smarter. No one knows if ‘Moore’s Law’ (the number of transistors that fit on a microchip doubles every two years) will continue unabated, but either way, computers will get better at spotting trends, discerning patterns and predicting human behaviour. Again, cybercriminals have been quick to spot the opportunity. In one recent case, hackers created 250 bank accounts and then used machine learning AI to launder money around the accounts with machine-generated labels like ‘buying a car’ or ‘present to my dad.’iii It’s even plausible within a decade or so, machines will be better at hacking systems than the very best human.iv
Fully automated crime
You don’t need a PhD in software engineer¬ing to work out what will happen. Crime will become more automated, which is no different from many other industries. And the more connec¬ted we become, the more vulner¬able we’ll be.
Here’s a scenario that many businesses might face before too long. Phishing emails will continue flooding customer inboxes, but they’ll be far more personalised. An AI-powered malware will scan the net for all publicly available information about a company’s staff to build profiles: main contacts, calendar, social posts, friendship groups, personality type. If Julie always goes to the same restaurant on Thursday, our AI malware would send her an email on Wednesday evening asking her to ‘click here’ and confirm the booking. It could even accurately mimic the style and tone of the manager; perhaps throwing in a few little details about her last visit. The AI might even phone her up using the latest voice imitation software.v And every employee would get their own, highly personalized, machine-generated trap — all with the click of a single button.
Is that so hard to believe? Is it no stranger than someone telling you 20 years ago that one day criminals would hack into company servers via fish-tanks. Anyway, specific examples matter less than how these broad dynamics — more connectivity, smarter machines and ingenious hackers — will transform cybersecurity. But it’s not a counsel of despair — there’s plenty we can do to fight back.
Staying ahead in the cyber arms race
First, the old adage will still stand: The human is usually the weak link. Getting the basics right (not using the same passwords or clicking on dodgy links; all the things you’ve heard a thousand times before) will still help. But in a world of perfect machine fakery, the challenge will be knowing you’re speaking to whom you think you are. Some mild paranoia will be essential and should even be encouraged by bosses: The CEO is phoning at 5 p.m. on Friday to urgently process an unusual invoice? Check it in person. Your bank emailing you asking you to ‘click here’ to verify some details? Go to their website and phone them directly.
Second, the risk profile might change. As cybercrime becomes more automated, attacks will be less about targeting a company and more about targeting a weakness. Machines will scan ports, software types, Internet-enabled devices, and dark net forums for corporate email accounts — any points of entry that can then be automatically exploited. Smaller businesses sometimes imagine they fly under the radar, but automated systems don’t work that way. In one recent test, researchers put a fake finance firm online and waited. Within two hours it was found by an automated hacking bot. Fifteen seconds later, it had found and exploited all weaknesses, scanned the network, stole and shared user names and passwords, and created new user accounts for its creators to use.vi This is especially relevant now, as many previously offline businesses have been forced online during COVID-19, and others have implemented working from home with all its accompanying security problems.
Finally, be prepared. Even when you do everything right, you still might get hacked. As more horror stories come to light — which they undoubtedly will — most people will understand it’s impossible to stop everything. But, they won’t accept a company failing to take the issue seriously. Consumers will increasingly expect convenient and seamless digital products and services. They’ll also want to know companies have strong measures in place to spot and stop fraud, accurate ways to verify identities, trustworthy back-up solutions, and they use consumer data responsibly. Without all that, when the inevitable happens, customers will blame you rather than the criminals behind the action. In a world where user data is more important than ever, the last thing you want is a negative hit to your reputation, brand and bottom line.
ii Bruce Schneier, Click Here to Kill Everyone, p1
iv Bruce Schneier, Click Here to Kill Everyone, p85