The low, low cost of committing cybercrime

125 points by freedude over 1 year ago

14 comments

badrabbit over 1 year ago
A handful of times, I was able to track down the guy distributing (not authoring) the malware via social media, youtube, discord, github and more (even opened a github issue respectfully asking them to stop distributing malware) and I was able to find the country they live in as well as their name (even a home address and cellphone in one case). I mention this because even with all that info there isn't much I can do that would be worth doing to take action against them. I have filed IC3 FBI complaints for far worse and they don't even so much as reply. I can get an "industry contact" to get me to relay that to an actual special agent but it would have to be something highly impactful like a ransomware, I can't do that for every small time crimeware I find.

Jurisdictions like Russia have a policy of looking the other way as well so long as you look the other way and in some countries, just having actual cybercrime laws and then the diplomatic relation strong enough to cooperate with their cops can be rare to find.

But focusing on the cost alone is a mistake, threat actor cost-benefit analysis is key here. In the 80s and early 90s for example, big cities were a crime horror show because cops couldn't catch up enough and the reward, relative to potential reward of law abiding life was dismal compared to today (well, that and lead babies!). I don't believe stop-and-frisk or "broken windows" policing made a difference anywhere near as much as better opportunities, entertainment, education and economy as well as "the internet" and tech making it harder to get away with crime did.
mschuster91 over 1 year ago
> To my mind, the old proverb “opportunity makes the thief” describes the main issue with cybercrime quite well – the internet is a very “target-rich” environment, and it is incredibly easy/cheap to create a simple piece of malicious code or launch a basic attack.

It's also consequence-free. You can do on the Internet whatever the fuck you want, but unless you anger the wrong people (e.g. you hack a mega corporation or a hospital) nothing will be done.

A large part of the "cheapness" of cybercrime is that even though we *know* where a lot of the bad agents are coming from:

- enemy nation states like Iran, North Korea, Russia and China where the government itself has hacker groups or tolerates their activity

- neutral nations like India or Turkey where local law enforcement is bought off by scammers and other criminals so the masterminds get warned of raids in time

- domestic agents like ISPs who don't give a shit about abuse reports if there is no legal liability attached to them (i.e. everything but CSAM and copyright) because they don't bother to hire enough qualified staff to follow up on reports and get bad actors (e.g. people with compromised IoT or other devices) cleaned up or disconnected

... absolutely *nothing* is done against them, even if identified.

And on top of that: if you drive an unsafe car on the road, you'll get fined for being a danger to other motorists. If you have an Exchange server not patched in years reachable from the Internet, you're a danger to other systems on the Internet, and yet nothing can be done against you.

Our collective governments need to get their act together: nation states must be told to either clean up their act or get disconnected from the Internet and the global financial system, ISPs must face regulation requiring at most 6h response time for abuse reports and evidence of corrective action taken, and people being grossly negligent in keeping up with patches must feel consequences.

It's time for the laxness towards criminals and bad actors to end once and for all. We don't tolerate gangs of bullies intimidating grandmas on the street into extortion schemes, we shouldn't allow their cyber equivalents to do the same.
keiferski over 1 year ago
One of the more interesting aspects of early sci-fi that hasn’t made it into reality (yet) is ICE, or security systems that “bite back” with physical feedback, pain, and potentially death. If body interfacing tech continues to develop and cybercrime becomes increasingly prevalent, this does seem like a possibility in a few decades.

https://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
mbwgh over 1 year ago
I am probably going to get flak for this, but this "scam flow" including a forged Microsoft login, is pretty much the problem I had when I first encountered OAuth and the "Login with XY" concept.

Aside from the fact that I can't keep the way the auth flow works in my head for longer than 2 days before my understanding of it becomes fuzzy again, a layman is not supposed to understand what's going on at all. Because if they were, they would ask "does this service get my XY password if I enter it here?" and unfortunately, trying to get this answer will lead them down a rabbit hole of auth flows, OAuth2 vs. OpenIDConnect and whatnot, because it's only ever documented for implementers.

The normal user is to just believe in its trustworthiness, which may on a technical level be warranted or not, that's not the point. If you keep logging in with XY to different services, you become conditioned to not question anymore whether it's correct to enter your password right now, and where the login form, which always looks the same across different services, comes from.

But oh well, I don't know what the solution should be here, maybe mandatory 2FA yet again, or passkeys. The market will decide.
two_in_one over 1 year ago
BTW, I suspect there is a new (to me) type of scum in US. Nonames are trying to 'collect' debts pretending to have some rights. They get fresh info on possible targets on black market.
aetherspawn over 1 year ago
Can’t wait for everything to be FIDO2 and security keys (phishing proof) and for these people to go get real jobs flipping burgers or something where their employers withhold their taxes…
paulpauper over 1 year ago
It's not that cheap. A good botnet will run you thousands of dollars a day. Good proxies in bulk not cheap either.
metaphor over 1 year ago
The actual blog post:

https://isc.sans.edu/diary/The+low+low+cost+of+committing+cybercrime/30176
cowsup over 1 year ago
Absolute art for the article itself to have comments, and for those comments to all be spam.
sublinear over 1 year ago
Off topic, but the stylesheet for this page is just a couple of tweaks away from not being unreadable trash on mobile.

I don't understand how in 2023 some sites still insist on using fixed minimum values instead of just adjusting the layout for narrow viewport widths in a media query. The images just need properly scaling thumbnails, and the gutters around the single column of text need to go away.
darkclouds over 1 year ago
> they target pretty much everyone, and nothing demonstrates this better that generic, “un-targeted” phishing e-mails.

Had to stop there, this is written like it's a given, that there is no way to avoid phishing emails when there is. There's plenty of ways and a lot of the criminality is maintained by those who dominate the sector, via standards or solutions.

> either immediately or very soon after they are delivered to their first recipients – detected and blocked by any security solution worth the name

I've always been taught ignorance of the law is no defence of the law, so unwarranted data sharing is ignoring various laws.

"Articles 13 and 14 of the GDPR require you to tell data subjects who you share the personal data with (the recipients or categories of recipients of the personal data)."

The email systems and associated security products, namely anti spam and anti virus software/services are knowingly breaking the law with a recipient that chooses to employ said service to scan their emails.

Everybody on the planet who has an email address and an AS/AV scanner is breaking the law, but I guess hypocrisy can be overlooked even in the best educational establishments, whilst ignoring the ill thought out nature of law in a global world.

> JavaScript loaded from the external domain was not as simple as the rest of the attack (it was heavily obfuscated and "weight in" at 155 kB)

I guess dialup is still an issue for some.

> Proving that the cost of committing cybercrime can be really low.

I'll agree on that.
grodes over 1 year ago
Horrible website format, it just uses like 25% of my screen width to render text
sublimefire over 1 year ago
The title is misleading. It should be called "The low, low effort of ...". There is no dollar value expressed in conducting such a simple attack. One needs to buy emails, then set up DNS and host the files on some servers. How do you pay for those servers? There are a bunch of interesting parts of this that were just not covered in the article, nor was there any attempt to show the actual cost, nor did it prove it is actually cheap. The cost would be dictated by the amount of valuable emails you have and the ability to squeeze them into one campaign (minus the effort).
kwant_kiddo over 1 year ago
A bigger problem for me personally is the high cost of reducing developer productivity and increasing operational risk just for the sake of cyberponies trying to defend their job.

Also I am not so sure the cost is that low. Well for phishing attacks maybe, but what is the return here?? Many skilled people had been caught doing 'cybercrime'. I just think if you compare this to e.g. tax-fraud then I would expect the risk/reward to be much higher than doing phishing attacks.