Disclaimer
This post about a specific cyber attack is for educational and entertainment purposes only. Accessing or attempting to access a computer that you do not own and are not contracted to access is a crime. Anyone using any techniques or ideas in this article does so without knowledge, consent, or cooperation of the author. The author bears no responsibility for any harm that results from any events that are similar to in spirit or nature to those presented in this article.
Introduction
Ransomware may be the sexiest thing (cyber attack or otherwise) in the computing world since a photo of a person sitting in front of a bright screen wearing a hooded sweatshirt while sitting in a dark room. The problem is, both these things are products of popularity. They denote sensationalism. Is ransomware really the most invasive and pervasive attack? The answer is a strong “hell no”. As detailed in my “B.L.E.E.D.” methodology they are not designed to have a shelf life or to be concealed. They are essentially a “smash and grab” attack. I would like to take a moment to discuss the “1 million Thumbtacks Attack”.
Why This Cyber Attack Works
Many types of intrusions can infiltrate organizations and remain undetected for great lengths of time. For instance, there is a mobile phone malware that disables VPNs when the screen is turned off or when there has not been activity and enables the VPN when activity is detected. Most people who are infected do not know, will never know, and if they find out won’t care because they do not see the harm being performed by malware that simply disables the VPN.
1 Million Thumbtacks Delivery
There are many ways to infect organizations with malware. Yes, there have been some sensational stories about employees being bribed, blackmailed, coerced in other ways, but let’s face it, there are easier ways. The easiest and most reliable way to infect an organization with malware is to send a massive amount of fraudulent emails to employees with a link to malware or with a file attached which has malware embedded or automatically downloaded.
Cyber Attack Explained
Once the initial user is infected numerous ways for an attacker to increase access exist. Fraudulent emails are the most effective and widely used tactic. This set of emails is usually spear-phishing targeting privileged accounts in the financial or supply organizational departments or offices. Once those departments or offices have been compromised the attacker begins to add purchases for consumable items like thumbtacks. (Hence 1 million thumbtacks attack.) The goal of the attacker is to choose consumables that are common purchases that are recurring at the organization. Then staying below any threshold that would attract scrutiny or be identified during an audit becomes the goal.
Why Choose This Cyber Attack
The reason an attacker would choose this cyber attack is because of its potential for massive return on investment. For anyone who has been in the field for a bit or has knowledge of traditional attacks think salami. An attacker may only take a handful of money from an organization every month. With the relative difficulty for organizations to identify any (allegedly) sophisticated attacks, it is conceivable that an attacker could infect many organizations and build a sustained high-level profit margin for an extended length of time.
Why Publish This Cyber Attack
Organizations need to look past the sexy. They need to understand that attackers come in a variety of types. Ransomeware actors are spiders that sneak in and bite when they are ignored or undetected. But what about cockroaches, mosquitos, ants, and other pests? Organizations need to pull back the rug, install window screens, and use pesticides. Organizations need to prevent infestations before they find half a cockroach and some maggots in their burger.
Conclusion
Defending is the best defense but no defense is impregnable. Identification of intrusions is critical when defenses fail because the intent and motivations of intruders are only limited by the creativity bestowed upon humanity. If defense is priority one then intruder identification should be priority 1.1 because in many ways it is more critical than defense. If you can identify 100 percent of intrusions you can track 100% of intruder actions and can counter act 100 percent of those actions.