Mail alert: an older generation of cyber con artists were let down by unconvincing emails © Getty

Fraudulent emails used to be easy to spot. They were written by people who did not know their target victims and had a weak grasp of language.

“In the past, recipients would find such emails unconvincing because of poor spelling, grammar, punctuation and choice of words,” says Cameron Brown, an independent cyber defence adviser. But hackers are becoming more professional. Employing linguists to make their emails more plausible is just one example of this.

“Today’s cyber criminals,” he says, “are well organised, with their own premises and teams assigned to specific tasks. They are flexible, nimble operations that even bring in specialists for particular projects.” And they are recruiting computer science graduates by offering big salaries, he says.

Hackers are hard to trace as they use part of the internet called the “dark web”. This enables them to act anonymously and hide their tracks. However, Sian John, a security strategist at Symantec, a cyber security company, says online crooks “operate on a standard working week, continually refining malware [software designed to disrupt or damage a computer’s operations] and putting significant effort into disguising spam as legitimate email”.

One of the most dangerous threats over the past year has been the Dridex “trojan”, which targets bank customers. Trojans are named after the Trojan horse. They are found in links or attachments in seemingly friendly emails but attack your system when opened.

Dridex comes in an email with a Microsoft Office document attached. If opened, it triggers a malware download that tries to generate fraudulent transactions. Symantec believes millions of Dridex emails are sent each day.

Ms John adds that about 16 per cent of malware now knows when it arrives on so-called “virtual” computers, which security professionals use for tests. On these it lies dormant, only activating when it lands on a “real” computer.

There has also been a rise in attacks that combine two or more approaches. While security professionals are busy worrying about the first, the second can steal in unobserved.

John Shaw, a vice-president at UK-based Sophos, says one of the most effective new forms of attack is ransomware. This encrypts data then removes the keys that open it. Recovery is usually impossible without paying the gang that launched the attack.

Last October, the FBI told US companies they might not be able to recover data from criminals who had deployed tools such as CryptoLocker, CryptoWall and Reveton, unless they paid a ransom. Ransomware is often delivered by unskilled people who pay tech-savvy experts to supply their needs.

David Emm, principal security researcher at Kaspersky Lab, a cyber security provider, says such attacks are profitable for criminals. “They are growing dramatically and we think it’s likely that they will even outpace banking trojans as a way for cyber criminals to make money.”

Criminals are even setting up false identities on social media networks to gather personal information about targets. This can range from what clubs people belong to, to the holidays they have booked and online orders they have made.

Such information allows fraudsters to compose persuasive emails, says Don Smith, technology director for Dell SecureWorks. “You are much more likely to click on a ‘track my parcel’ email if you have ordered something.”

Instead of writing malware, cyber criminals often focus on gaining a foothold in a target organisation’s systems. They then hijack legitimate software and use it for fraudulent operations.

Hackers quickly change methods of approach if they think it will deliver better returns, says Dell’s Mr Smith. For example, they are switching focus from consumers to businesses when attempting to steal money from bank accounts. “A business is likely to take much longer than a consumer to notice when £50,000 is removed,” Mr Smith says.

There is a diverse online market for hacking products and services. Adwind, which has been used against more than 400,000 organisations globally, is a ready-to-use malware toolkit that can be bought by anyone.

Mr Emm expects to see more platforms hackers can subscribe to that will provide them with services, and forecasts a rise in the number of “cyber mercenaries” who sell attack expertise and provide access to high-profile victims.

Another worrying development is the planting of malicious software in computers during manufacture.

In the past year malware has been found pre-installed on some devices from Chinese companies, including Huawei, Xiaomi and Lenovo. Once installed it is almost impossible to remove.

Copyright The Financial Times Limited 2017. All rights reserved.