In April Trend Micro released a research paper about sextortion: the means through which cybercriminals obtain compromising personal images or videos of Internet users – which they then hold hostage until their demands have been met. Fast forward to July and we have seen the hack of controversial adultery/dating site, Ashley Madison. Cybercriminals wreaked havoc as they threatened to slowly leak the data of the adulterers using the site, until it and its companion site, “Established Men”, shut down.
An article on time.com calls this tactic “hacking 2.0”, stating that this new hacking method is not about the data, but the context. Making money from stolen data, like credit cards, is a lot of work and cybercriminals have latched onto the fact that they have a larger pay cheque to gain from those that stand to lose more than just money. Hence, a hack like Ashley Madison’s that could – and has – destroyed reputations and families is a gold mine for the team responsible for the hack (The Impact Team).
Now, moral opinions about Ashley Madison aside, I’m sure that no one appreciates any of their personal information being kidnapped and held for ransom. But cybercriminals are cunning and they know that if they keep the sums low enough, people that stand to lose more than money would rather pay up. In this case, the Ashley Madison hackers offered users the ultimatum of paying $19 to have all their information wiped off the site or having it leaked. But there is of course, no guarantee that you can trust a cybercriminal.
How does data kidnapping affect my business?
According to time.com, there is a new reality that’s making matters worse for corporate security teams and it’s that in recent years, there has been heavy investment in protecting financial data – spending money to fortify the most valuable data. So while credit cards may be protected, email servers may have been left in the lurch, but this will slowly change as personal data of different contexts becomes a bargaining chip for cybercriminals.
Ashley Madison is just one example of an enterprise that has been targeted in this manner. Another example is the malware Cryptolocker which forced victims to pay a sum to unscramble their data and subsequently made $27 million in just the first two months from small home owners and businesses. And then there was the Sony hack in December 2014, in which cybercriminals stole corporate emails and embarrassed the company. In hacking 2.0 cybercriminals don’t need to steal your money, all they need is any data that is valuable to you.
This means that executives should be working tirelessly to do an honest assessment about what their enterprise’s valuable data really is. Then wise investments need to be made in protecting data that might seem inconsequential if stolen in one context, but a disaster if stolen in another. The bottom line? Every company will now have to plan for ransom and extortion scenarios.
So what now?
In addition to a stealthy security policy, companies now need a data kidnapping and extortion policy in order to properly protect themselves. This is on top of robust business security solutions. Employees, and in turn the business, for example, could benefit from having Trend Micro Security 10 on the mobile devices of employees. Trend Micro Security 10 is a recently launched security and privacy tool that’s fully compatible with Windows 10.
The new version’s security features are simple-to-use, yet provide state-of-the-art protection for employees’ data, delivered with optimal performance. This allows users to securely connect and engage safely online – on the company network – while protected from today’s evolving threat environment. The software will feature protection from exposing private information or becoming susceptible to data-theft and other malicious online threats on both personal and business devices.
Trend Micro Deep Discovery is also an option for business as is detects, analyses and responds to today’s stealthy targeted attacks in real time and then Deep Security delivers automated and highly scalable cloud security. But really, what you should do is speak to a Trend Micro professional about a customised security solution for all your business’s security needs. As is the case with any form of cybercrime, prevention is better than cure, and you don’t want to wait until you’ve had data kidnapped to react to hacking 2.0.
* Ihab Moawad, Vice President MMEA and CIS at Trend Micro