From compromised machines to mass email lists for spamming, electronically-transferring funds out of bank accounts to phishing attacks—India’s 100 million internet users have become prime targets for hackers across the globe.
A report, titled “Global Risks for 2012”, shows cyber attacks on governments and businesses are considered to be one of the top five risks in the world. Be it cybercrime, cyber-espionage or cyberwarfare — they are on a steady rise. The reason: highly lucrative payout hackers get from stealing data. “There are high profit margins and low-detection rate by law enforcement agencies. Further, half of the data thefts (on both individual PCs and enterprise PCs) are executed from remote or stolen server locations, which only makes prosecution difficult,” points an ethical hacker employed with a large Indian IT outsourcing company.
E-mails, personal data and financial data are the most sought after “goods” in the black market, says Pankaj Jain, director, ESET India. “The e-fraud business that has been traditionally flourishing in India is credit card cloning. The cloning itself is mostly performed by Nigerians living in India, though the card data they get are usually from Russian and former Soviet Union hackers on underground forums,” he says.
The fast-maturing cyber crime economy
Even as enterprises and individuals struggle with internet threats, the underground cybercrime economy has moved on to organised entrepreneurship. An ethical hacker from New Delhi, who regularly accesses the digital black market where cybercriminals advertise and trade stolen information and services, shared how the advertisements are done. “Search, compare, and if you find a better offer we will return your money…,” reads an ad selling user data in black market journals. With the economic crisis looming large, such claims and ads are on the rise.
“Today, the main concern for the data sellers is to generate trust among their clients,” the ethical hacker tells Business Standard. He added that data sellers have started offering free “trial” access to stolen bank or credit card details as well as money-back guarantees and free exchanges. “Since there is a great deal of competition in the cyber black market, the rule of supply and demand ensures that prices are competitive, with operators even offering bulk discounts to high-volume buyers,” says a security consultant at a leading pharmaceutical R&D unit in Bangalore.
Preying on enterprise data
The booming Indian economy, coupled with the growing buying power of individuals, is attractive to hackers. “Many industries like BPO, software, automobiles, pharmaceuticals among others are doing business across the globe from India. This certainly brings India on the wish list of hackers for data breaches and monetary gains,” says Amit Nath, country manager (India & Saarc), Trend Micro.
Hackers mostly use chance or targeted approach. “Chance approach is used when volume matters, ie, for stealing credit card, bank account and email account information. Such attacks usually consist of sending malware, trojans through mass emails, social network scams and infected links,” says Jain of ESET.
Targeted approach is used when the criminal has a certain intent or victim in mind and the attack is tailored to make use of certain security flaws in the system. These attacks are usually used to target organisations, government or celebrities. A compromised PC could be used by a hacker in his network for attacking other computers, and also for studying the web browsing pattern or interaction of the user on the internet.
Today, teams of ethical hackers or security consultants work with most leading corporates and R&D outfits, tinkering with corporate IT networks to ensure the data exchanged between employees is not mishandled or, worse, stolen by rival companies.
Threats are not always limited to financial fraud alone, says Atul Khatavkar, VP (IT Governance Risk Compliance), AGC Networks. He says, “There could be cases of intellectual property theft, too. For example, the vice-president of an e- learning firm – sacked from the company later – was accused of stealing the source code of the company’s future product. He subsequently used the product for his new venture, and the e-learning firm had to book nearly Rs 47 crore in losses due to the theft.” Government and defence data, too, is always in demand, especially by hackers in China and Pakistan, lists ESET.
Not wishing to be left behind, many enterprises are leveraging on social media tools. In a report, ISACA advises that enterprises must consider the risks of employee access to social media sites while on the corporate network.