2014 could go down in history as a highlight year for cybercriminals. Cybercriminals have shown that no organisation is safe, regardless of size or reputation. The victim list now boasts the likes of Sony, Apple, eBay, JP Morgan and DIY giant Home Depot to name just a few. To finish 2014 with a bang, cybercriminals brought down both the PlayStation Network and Xbox Live at Christmas, just "because they could".
Last year cybercriminals targeted the financial industry and managed to walk away with information for 76 million households and seven million small businesses from JP Morgan, after invading its core network for two months unnoticed. The jig was finally up when a (rare) sloppy mistake gave up the perpetrators.
During the time spent infiltrating JP Morgan, the cybercriminals even deleted their tracks, making investigators' jobs harder. JP Morgan spent £165 million (around $247 million, AU$310 million) in cybersecurity measures last year, which thankfully, kept its most critical data safe from unauthorised eyes.
Cybercriminals have also hit the retail sector hard. In 2013, cybercriminals scored one of the largest hauls in history when they stole 110 million payment card details from Target. Last year, cybercriminals hijacked Home Depot for 56 million payment cards, costing it £41 million (around $61 million, AU$77 million) in remedial charges to recover from the theft.
The public, and the industry at large, is getting used to news like this and consumer confidence isn't as easily shaken anymore. It's a far cry from 2007 and 2008 when cybercriminals cracked TK Maxx parent company TJX and Hannafords – creating headline news and causing significant concern for affected consumers, as well as financial and reputational damage to the businesses targeted.
Then there was Apple. The iCloud breach created one of the bigger media storms in 2014 and drew the most attention in light of the data stolen. This one was clearly just for fun and to remind us that cybercriminals enjoy celebrity gossip as much as the rest of us. A classic phishing scam duped celebrities out of their logins and some clever third-party forensics software allowed cybercriminals to lift data right from iCloud. Then, they were kind enough to share the bounty of photos with everyone, ensuring that celebrity gossip sites and forums had a field day.
In the US, cybercriminals expanded their reach to healthcare when they swiped four million electronic health records (EHR) from Community Health Systems. The primary reason for such a theft – each EHR is worth fifty times more on the black market than a credit card number. The FBI Cybercrime Division even issued a warning to the healthcare community that security measures were inadequate and couldn't defend against a basic attack, let alone an advanced threat.
EHRs sell for about £35 (around $52, AU$65) each and can generate profit in many ways – it's possible to sell the medical identity so someone can get an operation they otherwise couldn't afford. Details, like a mother's maiden name, are most likely included as well – extremely useful for identity theft. The FBI acknowledged the value of this opportunity, calling healthcare "a rich new environment for cybercriminals to exploit."
Truly organised crime
Cybercriminals also demonstrated increasingly impressive organisational skills. They began selling hacking services, and running an organisation in a very notably corporate fashion. The BlackShades malware reflects this growing sophistication. After infecting over half a million machines across more than 100 countries, we learned that cybercriminals were running their hacking operation like a very organised and professional business, replete with paid staff, customer service personnel – even a marketing director to promote BlackShades. Now that is well organised crime!
The list goes on, pointing to an outstanding year. The cybersecurity market is estimated to be worth about £50 billion (around $75 billion, AU$94 billion) annually, and demand for security solutions is at an all-time high. Yet cybercriminals remain effective. As the industry has improved at stopping them, they have improved their methods, making them more sophisticated and advanced.
Cybercriminals caused a lot of damage and nuisance to businesses and individuals last year, but the key lesson to learn from all of this is that on a corporate and personal level, we must never let our guard down and not fall for the old tricks of clicking on malicious links in emails or websites.
Businesses will need to ensure that they drill corporate IT security policies into the minds of employees, as well as ensure that systems and any applications are patched to minimise the threat of exploitation.
A warning for 2015
While 2014 saw headlines dominated by large businesses falling victim to cybercriminals, it is worth noting that in 2015, no organisation big or small will be safe. Therefore, security measures including patching, antivirus, education and other security methods will be key. As was the case with Sony's PlayStation Network and Microsoft's Xbox Live, cybercriminals will carry out an attack "just because they can".
- Sergio Galindo is general manager at GFI Software