© Copyright 2016 by Intel Corp.

Steve Grobman and Allison Cerra, The Second Economy, 10.1007/978-1-4842-2229-4_2

2. The Second Nature of Markets

Steve Grobman (1) and Allison Cerra (2)

(1) Santa Clara, California, USA

(2) Plano, Texas, USA

History shows that where ethics and economics come in conflict, victory is always with economics.

—B. R. Ambedkar, Indian jurist, economist, politician and social reformer 1

“Dear Mummy, Since Monday I have fallen into the hands of kidnappers. Don’t let me be killed.” 2 The ransom note could hardly be believed. The supposed victim, the 16-year-old grandson of one of the richest men in the world, had reportedly confided in a girlfriend that a simulated kidnapping would be the only way to extract money from his miserly family. 3 Thus, when John Paul Getty III, the high school dropout nicknamed the “golden hippie” by the Italian press, given his bohemian ways, vanished on July 9, 1973, after leaving a Rome discotheque, 4 some believed the kidnapping to be an orchestrated hoax by the rebellious teen to extort $17 million from his billionaire grandfather’s oil fortune. If that was the plan, it fell on deaf ears, with the eldest Getty responding:

  • What has happened to my grandson Paul is terrible and heartbreaking. But I know that if I become involved it will make the situation worse for all concerned. And I must think about my other grandchildren—there are 14 of them. I must think of their safety. If I show weakness to the men involved it will mean an invitation to other kidnappers to do the same thing with one of the other 14. 5

Three months passed. No ransom paid. No sight of the wayward teen reported. Then, a Rome newspaper unexpectedly received a gruesome package containing a human ear, purportedly Getty’s, with a note promising the boy would be dismembered “piece by piece” until $3.4 million in ransom was received. 6 Subsequently, another Rome newspaper received instructions to go to a particular location along a highway near the city. There, in an empty paint can, journalists found poorly shot photos of the teen, sans a right ear, with a note in the youth’s handwriting begging his grandfather to pay up. 7

In a real-life case of truth being stranger than fiction, the Getty family contemplated the merits of the ransom for months. The boy’s father would only pay a fraction of the ransom in exchange for custody of the other three children he had with the boy’s mother, his ex-wife. 8 The mother attempted to negotiate higher terms with her ex-husband in exchange for their other children. Eventually, the eldest Getty paid $2.2 million, after consulting with his accountants and confirming it to be the maximum tax-deductible amount. The boy’s father paid the rest of what ultimately became a nearly $3 million ransom, having borrowed it from his father at 4 percent interest. 9

Two days later, and five months after the abduction, the then 17-year-old Getty was found shivering in freezing rain at a gas station nearly 100 miles south of Naples. 10 Bruised, distraught, and missing a right ear but otherwise unharmed, the teen provided details that, along with marked bills recovered from the ransom, 11 would help lead police to his captors. Nine men were arrested, although only two were eventually convicted and sent to prison. The remaining, including the head of the Calabrian mafia, whom police believed to be the mastermind behind the plot, were acquitted due to lack of evidence. 12 Along with their freedom, the remaining men also purportedly made off with a healthy payday—only $85,000 of the multi-million-dollar ransom was ever recovered. 13

In the next few years, Europe would experience a spate of abductions for ransom. By 1977, abductions of the wealthy in Italy averaged one per week, giving kidnapping the derisive namesake as the country’s foremost growth industry. 14 While the number of kidnappings in Italy had temporarily dropped in 1976 as courts moved to block ransom payments, the toll reached a record number in 1977 when criminals and victims’ families began exploiting Swiss accounts and other undetectable means to cover their tracks. 15 Soon, other European countries began reporting abductions for ransom as the contagion spread. 16 The payment for Getty’s return was at least, in part, blamed for the escalating kidnapping-for-ransom crime spree, with nearly $1 million frequently demanded per victim. Like Getty, most victims were returned upon receipt of payment, though there were at least seven confirmed deaths at the hands of kidnappers in the period 1970-1977, 17 spurring demand for bodyguards and creating an emerging industry for kidnapping and ransom insurance.

The wealthy were encouraged to vary their daily routines and avoid conspicuous behavior, such as notifying the media of travel habits. Purveyors of kidnapping and ransom insurance, including then leader in the field Lloyd’s of London, offered premiums and coverage in accordance with risk. Those associated with cash-abundant industries such as life insurance firms, banks, and oil companies presented thieves with a softer target and bore higher premiums. 18 Coverage also varied by location, with certain geographies, like Europe, carrying greater risk than that of the United States, where, despite the growth in kidnappings, investigators reported a 95 percent success rate in recovering both victim and ransom. 19

While kidnapping for ransom saw its rise in the 1970s, the number of targets with the deep pockets of oil tycoon J. Paul Getty was and still is few and far between. Organized crime syndicates, such as the Italian gang that kidnapped Getty’s grandson, historically set their sights on the rich, famous, or otherwise wildly successful, providing a limited addressable market of targets. Criminals seeking to increase their take had one of two options: (1) continue aiming for lucrative victims of Getty’s status with the hopes of landing fewer, bigger paydays or (2) expand their addressable market with softer, smaller targets in a more transactional fashion.

Making It Up in Volume

On June 2, 2011, Adriana Carrillo was about to start her commute to work—her family’s store in a market on the outskirts of Mexico City—when she was suddenly and forcibly taken at gunpoint by three men showing police badges. 20 Her terrifying ordeal would last 37 hours, confined in the back of a Nissan, before her father would successfully arrange the drop of $12,000 in ransom to her kidnappers. 21 Upon release, the brave Carrillo would only take three days respite before returning to work. Soldiering on, she vowed, “I don’t want to live as a victim.” 22

Despite her empowering and admirable assertion, two years later, Carrillo would once again find herself the target of kidnappers. This time around, her nightmare was worse, as her captors regularly beat and threatened her while awaiting an astounding $1 million payout from her father. With the help of a professional negotiator, ransom was negotiated to $24,000 before Carrillo was released. 23 The kidnappers would abscond with more than her freedom over nine days’ captivity and her father’s money—this time, they would also bankrupt her trust. The once resilient Carrillo cocooned in the safety of her home for a month. Upon venturing out, she regularly varied her routine and abandoned flashy jewelry that would warrant undue attention. The forever-changed Carrillo reflected on her new paradigm of the world: “I was an idealist. I thought all people were good, at first.” 24

Like Italy several decades before it, in 2015, Mexico held the unenviable position as the top country for modern-day kidnappings for ransom. 25 While the rich and famous were the preferred targets for Italian gangs, Mexican kidnappers employed a much more democratic approach, as criminals expanded the aperture of targets to include “everyday” people. Victims were increasingly cut from the same cloth as Carrillo, part of Mexico’s “informal” economy of workers with quick access to cash (such as shopkeepers, taxi drivers, service employees, parking attendants, and street vendors). 26 This larger addressable market afforded thieves more targets, albeit at smaller payouts. While Carrillo was initially held for $1 million, some victims found their lives valued for as little as a couple of hundred dollars, a new microwave or refrigerator, or even a bag of groceries. 27

It was estimated that as few as 10 percent of Mexican kidnapping cases were ever reported, making it the silent crime that affected as many as 76 victims per day. 28 Making matters worse, local law enforcement was not simply ill-equipped to address the exponential volume of attacks; corrupt officials were many times complicit in the crime, leaving victims and their families wary of whom to trust. For the targeted, the stakes couldn’t have been higher: thugs would send proof of kidnapping with a severed finger or two, rape or beat their victims while in captivity, and kill as many as 20 percent of their prey. 29

The boom in kidnapping was a result of criminals diversifying their own portfolio of activities to generate cash flow historically provided by other means. To understand it, one must think like a criminal. The goal for the financially motivated with unscrupulous intentions is to generate cash—preferably lots of it—quickly and with minimal risk. Covering one’s tracks is paramount; hence the reason cash has been king for the criminal. It leaves no trace (assuming, of course, the bills aren’t marked) and allows thieves to toil in the anonymity they need.

Without a Trace

Let’s consider a criminal industry where cash flow has historically been abundant: drug trafficking. Illegal drugs are clearly a market traded with cash. However, if one is part of an international drug cartel, the challenge of cash becomes that of pure logistics—simply put, money is heavy and difficult to transport. The US Justice Department once estimated that a pound of cocaine sold on the street generated six pounds of cash. 30 For heroin, the ratio was worse: one pound of heroin resulted in ten pounds of currency. 31

Let’s assume, for a moment, that you are the leader of a drug cartel operating in Mexico. You employ drug dealers throughout the United States, who peddle your wares on their streets, collect their cut, and remit to you the proceeds. You’ll need creative bookkeeping and an intricate supply chain to ultimately get your unfair share of the take while simultaneously averting attention from authorities. If you were fortunate enough to operate your illegal business before 1970, you would be hard pressed to find many US banking regulations deterring you from routing your illegal profits out of the country. To do so, you simply employed street couriers whose role consisted of collecting revenues from area dealers and depositing the riches in local banks. From there, wire transfers to overseas banks completed the transaction. Banks converted the cash flow to profitable, low-risk loans to community businesses and residents, unaware of and unconcerned with its true origin. According to journalist David Andelman:

  • The banks turned a blind eye to the source of this wealth. They never questioned the propriety of fish stands or vegetable markets that were generating half a million dollars a day in cash, all in small-denomination bills. 32

With the financial industry happy to look the other way, the US Government offered its own “incentives” to banks to report suspected offenders. In 1970, Congress passed the Bank Secrecy Act (BSA), which required banks to report cash transactions in excess of $10,000. 33 Over the next several years, the government continued to turn up the heat on banks failing to comply with the new regulations, prosecuting those that did not adhere to the BSA, along with the drug dealers they deliberately or inadvertently protected. Such regulation had little impact on cracking the drug crime problem. You, as the Mexican drug kingpin, simply innovated your supply chain to remain under the radar. If $10,000 had to be reported, you limited your couriers’ deposits to $9,900. 34

Enter the Money Laundering Control Act of 1986, which essentially upped the ante of punishments for banks failing to comply with the BSA. It also allowed banks to provide customer information to the government without violating privacy laws. 35 Rather than risk prosecution, more banks opted to adhere to the increasing regulations, placing pressure on you and your drug lord compatriots to find other solutions to evade officials. The stakes got higher after 9/11, which ushered in a new era of scrutiny for international banking transactions in the United States and elsewhere.

So, now what do you do? You face intense scrutiny for wire transfers and cash is too unwieldy and conspicuous to cart out of the country in briefcases, à la what is glamorized in the latest gangster movie. You either find other options for transporting the cash (yes, including using appliances like toasters and washing machines to smuggle your spoils 36) or you find other means of generating the profits altogether, such as kidnapping. Ironically, some blame the booming kidnapping business in Mexico as an unintended by-product of effective law enforcement and regulation. Specifically, with the takedown of several drug cartel bosses and their rings, criminals had to diversify their “portfolio” of activities, and kidnapping for ransom readily filled the cash flow void. 37

While kidnapping does not necessarily present the same logistical challenges of hauling money across national borders, it isn’t without its own level of complexity. Physically taking a hostage presents risk in detection. Targeting the right hostage is precarious: choose a victim with self-defense skills and/or a concealed weapon and you may find yourself in harm’s way. Contacting the victim’s loved ones for payment is the next tricky step. If they report the incident to the authorities, you may not be able to evade their investigation. Finally, arranging the ransom drop is arguably the riskiest event in the entire sequence. Giving the family your coordinates allows law enforcement to readily descend on your location. Even if law enforcement isn’t involved, where is the guarantee that the victim’s relatives will actually pay up? You can’t exactly meticulously account for each dollar at the drop with the victim’s family (and potentially law enforcement) in close proximity. You may wind up releasing your victim, after all the effort of taking him in the first place, for little to no reward. Even worse, should your abduction go awry, you may have to take your victim’s life and add murder as an offense to your rap sheet.

Indeed, crime in the physical world is fraught with risk and effort. Cybercrime offers an alternative for accelerating the return on investment for thieves, with less physical peril. Like drug trafficking, stealing personal information for profit entails its own intricate supply chain.

Follow the Money Trail

  • Dear Viv,

  • We have changed who [sic] we bank with, I forgot to inform you of the changes in the email I sent you yesterday. . .

So began the e-mail to 59-year-old Londoner Vivian Gabb from someone she believed to be her lawyer. Unbeknownst to Gabb, she was corresponding with a 14-member organized crime outfit 38—hackers who had infiltrated her e-mail account, bent on robbing her blind. In a highly orchestrated attack, the crime syndicate studied Gabb’s e-mail to learn of her pending home purchase and recent contact history. Assuming the virtual identity of her attorney, the thieves asked Gabb to transfer her deposit of nearly £50,000 ($78,000) into a different bank account, to which she dutifully complied. But, that was just the tip of the iceberg for the industrious gang. Once lured by their phishing web site, Gabb unwittingly offered her most sensitive account details, funding what would become a £1 million ($1.6 million), three-day shopping spree ranging from cheeseburgers to computers to gold bars and losing her life’s savings in the process. 39 Before being busted by a police operation of 150 lawmen, each hacker had squandered at least £9,000 ($14,000) and up to £75,000 ($117,000) 40 of Gabb’s treasure.

As Gabb’s example so vividly illustrates, cybercrime mitigates the logistical challenges associated with laundering money when it can be siphoned off directly from a victim’s bank account. That said, not all cybercrimes are created equal in terms of risk and reward. In Gabb’s case, the organized crime ring triggered attention when attempting to spend her savings in record time. In a classic case of “beat the clock,” the thieves were under pressure to splurge the cash faster than Gabb could realize its disappearance, all the while being inconspicuous in doing so. While deliberate planning went into hacking Gabb’s e-mail account, learning her most intimate patterns and using such reconnaissance to dupe her out of her savings, the same meticulous care was abandoned in the time following the breach. In The Second Economy, financially motivated criminals use time to their advantage, stealthily creeping in their victim’s most intimate virtual closets, attempting to avoid detection as long as is possible to collect their spoils. However, once said rewards are pocketed, cybercriminals face a time disadvantage: that is, how to balance expeditiously liquidating their take while remaining under the radar.

The cybercriminals who pulled off the Gabb heist suffered no return on their investment, despite the painstaking preparation that went into the breach. Three days of indulgent spending hardly qualifies as a handsome reward when facing the criminal prosecution to follow. What if the criminals had spent the same considerable time contemplating how to remain undetected following their breach rather than throwing caution to the wind in a reckless shopping spree? What if there were even easier ways to gain access to sensitive account information without the highly targeted attack required in Gabb’s case? For the cybercriminal looking to make a quick buck at the lowest possible risk, the opportunity to do so is limited only by his imagination and access to a vibrant black market where individuals are literally up for sale.

Fueling this black market requires scale. While bigger fish the size of Gabb are certainly on the block, cybercriminals benefit from a larger total addressable market in the form of everyday people (not unlike the kidnapping rash plaguing Mexico). Central databases of proprietary customer and employee information, kept by the likes of larger companies, are attractive targets and explain why cybercriminals persist in pursuing the same unenviable companies with relentless phishing schemes. 41 Once adversaries infiltrate their target and abscond with sensitive contact or account data, the records often find their way into a sophisticated market where the laws of supply and demand are immutable.

Here, the virtual and physical worlds collide and criminals exchange their wares in a complex underground exchange where stolen account data is monetized. Among the historically more popular schemes is that of credit card theft, such as in the Target holiday breach of 2013. Once the credit card accounts are stolen, they are sold in bulk to underground third-party resellers. In this black market, victims’ information is packaged up in neatly communicated value propositions to the criminally inclined. Need a credit card complete with a card verification value (that three-digit code printed on the back of a credit card or embedded on its magnetic strip)? That could cost you anywhere from $5 to $30, depending on the country. Want the accompanying bank account number along with the card? That price could run anywhere from $15 to $30. Adding date of birth to the mix increases the price up to an additional $5. And, if you want the grand prize of all-things-sensitive about the victim, including his full name, billing address, payment card number, expiration date, PIN (personal identification number), social security number, mother’s maiden name, date of birth, and card verification value, you could pay anywhere from $30 to $45. 42 Even better, for an incremental charge, you can acquire the pièce de résistance—the victim’s habitual shopping patterns. Armed with this seemingly innocuous information, you can avert detection by liquidating accounts at the consumer’s usual stomping grounds. Such behavior will appear normal to monitoring agencies, cloaking the criminal activity in a shroud of predictable patterns. 43

Of course, these rates are subject to, and often do, change. Like any traditional competitive market, prices ebb and flow according to fluctuations in supply or demand. During the rash of cyberattacks on major retailers in 2014, the black market was flooded with stolen data of hapless victims. The influx of supply afforded cybercriminals more attractive deals, reminiscent of holiday discounts during peak shopping periods. 44

From third-party resellers, the account data passes hands again to card counterfeiters, who buy the information they need, sometimes procuring it by bank or zip code, and then copying it onto fake cards using their own magnetic stripe encoding machines. They then use the cards directly to buy goods they can resell or hire others to do the work for them, in exchange for a cut of the profits. 45

To demonstrate how dynamic this market is, in 2016, a stolen Uber account sold at up to three times a premium over personally identifiable information, including a victim’s social security number or date of birth. Using the Uber account to charge “phantom” rides allowed the cybercriminal to mimic her victim’s behavior, again maximizing the time to and mitigating the risk of exposure. 46 Indeed, cybercriminals adeptly react to changes in market opportunity, quickly maneuvering to more lucrative targets as historical paragons fall by the wayside. Some are even boldly predicting the demise of credit card fraud as a result of escalating risks and barriers to entry for thieves. With the advent of new point-of-sale card readers that use cryptography to interactively authenticate the card, criminals who counterfeit static magnetic stripes will find a collapsing market. In the online domain, services like Apple Pay and Visa Token Service will accomplish the same by replacing fixed credit card numbers with dynamic tokens that change with every purchase. 47

Even after such time as credit card fraud is greatly diminished, if not obliterated, sensitive information will continue to be traded in the black market as a virtual commodity, with cybercriminals evolving to more sophisticated forms of identity theft. While they advance their tactics, these threat actors still risk exposure when attempting to monetize their payload. They are faced with the challenges of the Gabb ring, under the pressure of the clock to liquidate their spoils. But, what if the time disadvantage could be flipped on the victim, all the while giving cybercriminals an even faster and clearer path to return on investment? The era of ransomware is upon us.

Tick Tock

Imagine clicking on an e-mail or link, only to be greeted by the following ominous message:

  • Your personal files are encrypted! Your important files were encrypted on this computer: photos, videos, documents, etc. You can verify this by clicking on the files and trying to open them.

  • Encryption was produced using unique public key RSA-4096 generated for this computer. To decrypt the files, you need to obtain the private key.

  • The single copy of the private key, which will allow you to decrypt the files, is located on a secret server on the internet. The server will destroy the key within 72 hours after encryption completed. After that, nobody will ever be able to restore files.

  • To retrieve the private key, you need to pay .5 bitcoins.

  • Click proceed to payment to obtain private key.

  • Any attempt to remove or damage this software will lead to immediate private key destruction by server.

Over nine months of operation, the CryptoLocker ransomware program earned its creators an estimated $3 million, while it held its victims’ precious files for ransoms ranging from $100 to $500. 48 Ransomware programs like CryptoLocker are highly effective given their approach. First, they rely on the weakest and most pervasive link in any security infrastructure—the human being. Phishing scams are the conveyance through which ransomware programs are deposited and, as Gabb’s case illustrates, the virtual world is awash in trusting individuals mindlessly clicking on seemingly reputable links and e-mails. Second, there is little complexity involved in extracting money from the victim once the malware is deposited. Bitcoin, as the preferred medium of exchange, offers the adversary coveted anonymity. Third, the ransom payments are typically small enough to encourage payment by the victim while remaining inconsequential to investigating authorities. Regarding the benefits of aiming low on the ransom payment, one purveyor of ransomware programs opined, “I prefer to be less expensive, more downloads and more infections.” 49 Finally, ransomware shifts time to being a competitive advantage for the adversary upon breach. Rather than finding himself under the wire to quickly and discreetly cash out his reward, the criminal turns the table on the victim, forcing him or her to adhere to his schedule. Under such extreme time pressures, victims are less likely to think rationally and more likely to respond impulsively in paying the relatively insignificant ransom.

Interestingly, ransomware also solves for the other inherent problem of its counterpart in the physical world—that of the awkward and tenuous negotiation when kidnapping hostages for ransom. Consider the Getty case, where the youth found himself at the hands of his captors for several months as the ransom payment was arduously negotiated with the family. Even in Carrillo’s case, ransoms were eventually settled to terms acceptable to both parties. Once ransom is decided, there is the matter of the exchange. Who gives up the exchange first—the kidnapper or the victim’s family? There is an inherent level of trust required by both parties for a successful transaction. The criminal must trust the family will deliver the ransom in full, without attempting to apprehend him. The family must trust the criminal will release their loved one at the exchange and not hold out for a subsequent payment. This is an all-in game for both parties, with little opportunity to gradually build trust up to the critical moment of transaction.

Not only does ransomware lower the ante by holding files, not people, hostage, it also obviates the risk for both parties. Ironically, the “success” of such programs as CryptoLocker serves to instill trust among the afflicted that their files will be restored upon payment. If there is any doubt, cybercriminals can gradually decrypt files in batches at lower prices until all assets are restored.

This is not to suggest that ransomware is not a scourge that compromises the safety and security of netizens living in a virtual world. It simply offers a point of view as to why criminals are increasingly diversifying their interests toward a more frictionless, anonymous crime—free from the risks associated with its counterpart in the physical world and the complexities common with other forms of cybercrime, such as monetizing stolen credit card information.

For these reasons, ransomware has found its place as one of the fastest growing cybercrimes in recent history. The first targets were consumers. Next, cybercriminals set their sights on soft industry targets—hospitals, schools, and governments—institutions with a definite time disadvantage and less robust security posture. Cybercriminals will likely target larger companies next, especially as these firms are already the object of significant and repeated phishing attempts. While ransomware adversaries have steadily increased their addressable market through more and bigger targets, there is at least one more looming threat that potentially offers the richest gains and the largest attack surface.

Rise of the Machines

The decades spanning the 1970s and 1980s gave birth to popular culture media fixated on possessed vehicles and machines. The 1977 American thriller film The Car told the story of an automobile that terrorized residents of a small town through its mysterious murderous rampage. Master of horror Stephen King followed up in 1983 with Christine, a tale of a teenage boy and his beloved classic car with a mind of its own. And, 1986’s Maximum Overdrive, also by King, imagined a world where inanimate objects, from electric signs to lawnmowers, indiscriminately kill helpless victims crossing their paths.

While interesting fodder for science fiction and horror genres, the potential for artificial intelligence giving rise to a breed of supercomputers and machines capable of taking over jobs, and more, has been a real concern for many since the computer era of the same period. The technological singularity is estimated to be the event when the aggregate artificial intelligence in the world exceeds that of human comprehension. Technology critics have long fantasized a reality more akin to that of King’s imagination—one where machines dominate the humans who invented them.

Andy Greenberg found himself transported, quite literally, into such a future. While cruising at 70 miles per hour on the periphery of downtown St. Louis, his Jeep Cherokee took control over its own—and Greenberg’s—destiny. Greenberg first noticed the air conditioning unit blasting frigid temperatures at maximum output, chilling him to the bone. The radio suddenly blared classic hip hop at full volume, which would undoubtedly distract even the calmest of drivers. Dispensed windshield wiper fluid blurred his view, making it increasingly dangerous to continue his commute.

As he entered the on ramp of the interstate, Greenberg lost complete control when the transmission failed. Frantically pressing on the gas pedal as he helplessly watched his speedometer decelerate, Greenberg was paralyzed as his Jeep slowed to a crawl. In his rearview mirror, he caught the image of an 18-wheeler bearing down on him as he sat immobilized on the highway.

The stuff of science fiction? Not exactly. Greenberg’s Jeep did not unexpectedly become possessed by demonic forces or cross over the technological singularity to surpass the cognitive capabilities of its human driver. No, in this case, reality is much scarier than fiction. The Jeep was under complete control of humans, just not its driver.

Greenberg was the willing participant in an experiment where he subjected control of his vehicle to that of two hackers, Charlie Miller and Chris Valasek, operating the SUV from the comfort of Miller’s basement some ten miles away. Greenberg knew his Jeep would be subject to any number of exploits, and while he was encouraged to remain calm through the ordeal, he had no prior knowledge of what would come next. According to Greenberg’s own account, he mentally congratulated himself for remaining calm under the barrage of frigid air, punishing radio volume, and obfuscating windshield fluid. However, when the transmission cut at the time he was entering the interstate, “The experiment had ceased to be fun.” 50

Greenberg had only partially participated in the full assault of Miller and Valasek’s virtual arsenal. The hackers had also identified how to affect steering when a Jeep is in reverse, track the vehicle’s GPS coordinates, measure its speed, and plot the SUV’s route on a map to determine driving patterns. 51

Before 2008, drivers were encapsulated in closed systems of intricate computing circuitry, designed to get them from point A to point B in the safest way possible. At the same time, individuals were increasingly adopting smartphones, carrying computing capabilities on their hip many times more powerful than all of NASA had when it first launched astronauts to the moon. 52 Chrysler and other auto manufacturers had an idea: why not leverage that robust wireless infrastructure to enable a far better driving experience? In 2008, the company debuted WiFi connectivity in its automobiles with its Uconnect service—an infotainment system transforming any Chrysler, Jeep, or Dodge vehicle into a mobile hotspot. 53 For the bandwidth-obsessed, the 150-foot range provided high-speed connectivity for those last-minute impulses, such as sending an e-mail from the comfort of one’s parked car in its garage.

While WiFi was a step forward in enhancing the vehicle experience, it certainly paled in comparison to the power and ubiquity of truly wireless networks. In 2013, General Motors raised the stakes when it announced it would partner with AT&T to outfit most of its 2014 models with wireless, high-speed Internet access, compliments of the manufacturer’s OnStar 4G LTE technology. 54 The driving experience would forever be transformed—vehicles became roving entertainment systems, complete with the latest streaming movies, music, directions-on-demand, and myriad wireless applications for just about any infotainment need. Of course, the newly established network connection would mean that drivers could also enjoy a safer driving experience. Crash avoidance systems that detect proximity of objects rely on such connectivity to avert accidents. And, at the extreme, driver-assisted capabilities allow the vehicle to detect abnormalities in driving patterns—such as lane drifting—and automatically correct to protect both driver and others on the road. When considering that 90 percent of crashes are caused by human error, the opportunity to automate and correct the driving experience can literally mean the difference between life and death. 55

Not surprisingly, auto manufacturers jumped on the wireless bandwagon. The competitive risks of providing a 1.0 driving experience when new car buyers eagerly anticipated a 2.0 reality were simply too great to ignore. In 2013, connected cars represented approximately 10 percent of all cars shipped globally; by 2020, that number is expected to increase to 75 percent. 56 Initial buyers of connected cars tended to be more sophisticated, allowing manufacturers to embed the technology in higher-end luxury vehicles for premium prices. Over the next few years, the category will eventually reach the mass market, making the technology available to a greater number of drivers. And, beyond helping manufacturers compete for the next-generation auto purchaser, such wirelessly embedded technology also provides intelligence and maintenance benefits—allowing auto companies to collect data regarding their product’s performance and providing conveyance for remotely installing software patches and updates. 57

But, there’s another side to this otherwise rosy story. That same wireless connectivity offers virtual doorways through which hackers like Miller and Valasek can enter. When the duo first discovered the Uconnect flaw, they assumed it would be limited only to the vehicle’s WiFi connection, containing potential damage to just a few dozen yards. Upon discovering that the vulnerability also applied to the system’s wireless capabilities, they again presumed it would work only for vehicles connected to the same cell tower as their scanning phone, limiting potential attacks to a few dozen miles. Upon determining that not even that was the limit, the hackers themselves were frightened upon realizing the scope of their newly acquired power. In the words of Valasek, “When I saw we could do it anywhere, over the Internet, I freaked out. I was frightened. It was like, holy [expletive], that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.” 58

Through scanning the wireless network for vulnerable automobiles and recording their vehicle identification numbers, Miller estimated there were as many as 471,000 cars with susceptible Uconnect systems on the road. 59 While pinpointing the exact location of one vehicle out of thousands is not easy, particularly when using a single phone to scan the wireless network for the intended target, harnessing the collective horsepower of multiple phones working together simultaneously makes the outcome possible. Even scarier, a skilled hacker could hijack an entire group of Uconnect systems, using the connected mesh to perform more scans—worming from one vehicle to the next over the network. In a case of life imitating art, welcome to King’s Maximum Overdrive reality, where a wirelessly controlled automotive botnet could enslave hundreds of thousands of vehicles and the humans at their mercy. 60

In response to Miller and Valasek’s work, Chrysler recalled 1.4 million vehicles. 61 In its July 24, 2015 statement, Fiat Chrysler Automobiles stated the pair’s hack of the Jeep “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.” 62 To this point, the Jeep hack of 2015 was a journey three years in the making. In 2012, Miller and Valasek applied for a car hacking research grant from DARPA. 63 With the $80,000 that followed, the pair bought a Toyota Prius and a Ford Escape. Over the course of a year, the team painstakingly mapped each digital and physical route of the cars’ electronic control units (ECUs), the computers that run practically every function of a vehicle, and learned to speak the language that controls them. 64

At the DefCon conference the following year, one of the world’s largest annual hacker conventions, the team proudly displayed the fruits of their labor, demonstrating a wired-in attack of both vehicles, after using Greenberg as their guinea pig the first time around. From the back seat of the car with Greenberg behind the wheel, the pair disabled the brakes, honked the horn, yanked the seat belt, and hijacked the steering wheel.

However, much to their chagrin, both Toyota and Ford downplayed the outcome of their research, with the former asserting its systems were “robust and secure” against wireless attacks. 65 If wireless was the new frontier, Miller and Valasek would need to aim higher for the street cred they deserved—only a remote attack of a car would suffice.

They got back to work the following year, registering for mechanics’ accounts on the web sites of every major automobile manufacturer and downloading dozens of technical manuals and diagrams. From the analysis that followed, the duo meticulously ranked the vulnerability of 24 vehicles based on three factors: (1) how many and what types of radios connected the automobile to the Internet; (2) whether the Internet-capable components were isolated from critical driving systems; and (3) whether said systems had “cyberphysical” elements (which would allow digital commands to trigger physical outcomes, like activating the brakes). 66 When the Jeep Cherokee fit the bill as the most hackable model on the list, the team had their target.

It took one more year of experimentation and reverse engineering before Valasek issued a command from his laptop in Pittsburgh that engaged the windshield wipers of the Jeep in Miller’s St. Louis driveway. 67 The rest will be documented in the annals of hacker history as one of the greatest demonstrations ever to be showcased at a convention (Black Hat 2015).

Fortunately for all involved, Miller and Valasek were not nefarious in their intentions. The team had been sharing the findings of their research with Chrysler for nearly nine months before its revelation, allowing the company to quietly make ready the fix that would ultimately lead to the recall of 1.4 million vehicles. 68 While the attack certainly required skill, time, and effort, the duo undoubtedly shook the auto industry with a scary wake-up call.

This looming threat puts automobile manufacturers in an especially unenviable position. The closed automobile systems of yesteryear were not designed for open communications networks and the risks they bring with them. At the same time, the need for constant innovation is outpacing the speed at which these manufacturers can shore up security vulnerabilities. According to Josh Corman, cofounder of I Am the Cavalry, a security industry organization dedicated to protecting the Internet of Things, “If it takes a year to introduce a new hackable feature, then it takes them [automobile manufacturers] four to five years to protect it.” 69

Modern-day cars get most of the attention when discussing the potential hack of any number of Internet of Things devices, given we can all relate to being drivers or passengers. While many are vocalizing consumer concern for this unprecedented threat, auto manufacturers are hardly standing still, nor do they face a trivial task as they race to bolster potential vulnerabilities. To put the challenge in perspective, consider that the space ship that put humans on the moon had 145,000 lines of computer code. Today’s Android operating system has 12 million. In the typical connected car, there are easily 100 million lines of code. 70

And, threat actors have more motivation than simply harassing, if not distracting, drivers with their efforts. If cash is the ultimate pursuit for some, one can easily envision a case where any connected device, and that includes a car, is up for ransom. As Miller and Valasek noted through their experiment, “It’s much easier to hack all the Jeeps than a certain one.” 71 Upping the stakes, resourceful cybercriminals with the time, talent, and incentive could hack all vehicles with a particular software vulnerability, embedding a ransomware program that demands payment in bitcoin before the ignition will start. Taking a page from what has successfully worked when the same playbook is used for encrypting computer files, the adversaries will likely ask for “nominal” payment, say anywhere from $100 to $200, to encourage the victim to readily pay up. Again, the time advantage shifts to the attacker. How badly does the victim need her car for work, an emergency, or daily errands? Is it worth the hassle of calling a dealership in the hopes of resolution or better to simply give in to the ransom? Adversaries will bet on the latter and, by attacking thousands of vehicles simultaneously in a given radius, will prevent other viable solutions. Such a coordinated attack would not only paralyze thousands of victims but also make it nearly impossible for a limited number of local dealers to resolve the problem without being brought to their own labor capacity constraints. With thousands impacted, cybercriminals could cripple the underlying economic infrastructure of a geographic area.

The outlook is bleaker still when considering just about anything and everything is or will be equipped with a convenient connection to the Internet. Want to open your connected refrigerator for some food? You may need to pay a threat actor for access. Find yourself on an especially cold night and need to turn up your connected thermostat? That may cost you as well. One can even envisage something as innocuous as a connected coffee machine suddenly being used as a weapon against its owner with a scrolling message that almost writes itself:

  • I have been hacked. If you ever want coffee from me again, you will need a private key. To retrieve the private key, you need to pay .025 bitcoins. Click proceed to payment to obtain the private key.

As they have done in the lucrative black market where victims’ account information is shamelessly traded, cybercriminals will find the optimal market price based on the item in question. Known to share openly among themselves, they will readily exchange this market intelligence (sometimes for a price, of course) to optimize their collective return on investment for any conceivable ransomware attack. In this new world order, everyday machines will serve as drone armies to the criminal masterminds orchestrating their every move—an outcome few of the most imaginative science fiction or horror writers would have conjured up in their popular stories just some decades ago.

A Second Thought

As financially motivated criminals have taught us through the ages, their probability (P) for attempting a crime comes down to a formula that can best be expressed as follows:

$$ P = \left( \text{Incentive} \times \text{Opportunity} \right) / \text{Risk} $$

Incentive is the financial reward, net of efforts, available to the adversary. The more effort involved in coordinating an attack, the bigger the incentive required to make the investment of time and resources worth the potential reward. Opportunity refers to the criminal’s addressable market potential. The greater the potential attack surface, the higher the motivation for attempting an attack, particularly for campaigns requiring significant effort. Finally, the risk of apprehension mixed with the potential degree of prosecutorial punishment acts as a deterrent when evaluating motivation. Riskier ventures require more incentive or opportunity to increase the probability of attack.

The stories in this chapter elucidate the case. Kidnapping for ransom is an extremely risky crime, leaving criminals targeting the uber-wealthy (like Getty) or dramatically increasing their addressable market with less affluent, though still cash-rich, targets (like Carrillo). Highly targeted phishing schemes require more orchestration, and therefore require a bigger payout (like Gabb) while more pervasive ransomware schemes significantly increase the addressable market of victims. But, of all these, ransomware of everyday connected devices—including cars, thermostats, refrigerators, and more—offers cybercriminals perhaps the most attractive probability, providing an attack surface exponentially larger in size, with comparable risks to today’s increasingly popular ransomware programs. In The Second Economy, financially driven criminals follow the playbook of their predecessors, methodically balancing risk and reward like black market entrepreneurs. The path to the next big cybercrime trend clearly follows the money.

Notes

  1. www.brainyquote.com/quotes/keywords/economics.html , accessed April 29, 2016.

  2. Bruce Weber, “J. Paul Getty III, 54, Dies; Had Ear Cut Off by Captors,” The New York Times, February 7, 2011, www.nytimes.com/2011/02/08/world/europe/08gettyobit.html?_r=1 , accessed April 21, 2016.

  3. “Girlfriend Says Getty May Have Arranged His Kidnap,” San Rafael Daily Independent-Journal, July 14, 1973, p. 3, http://newspaperarchive.com/us/california/san-rafael/san-rafael-daily-independent-journal/1973/07-14/page-3 , accessed April 24, 2016.

  4. “Paul Getty’s Mother Awaits Ransom Note,” Naples Daily News, July 18, 1973, p. 48, http://newspaperarchive.com/us/florida/naples/naples-daily-news/1973/06-18/page-44 , accessed April 24, 2016.

  5. John Wood, Women’s News Service, “Richest Man in the World Curses His Vast Wealth,” Burlington (N.C) TIMES-NEWS, November 30, 1973, p. 5A, http://newspaperarchive.com/us/north-carolina/burlington/burlington-daily-times-news/1973/11-30/page-17 , site accessed April 24, 2016.

  6. “Getty Case: Strange Kidnapping or Hoax?,” Fort Walton Beach Playground Daily News, December 9, 1973, p. 6B, http://newspaperarchive.com/us/florida/fort-walton-beach/fort-walton-beach-playground-daily-news/1973/12-09/page-18?tag=ear+kidnapping+getty&rtserp=tags/ear-kidnapping-getty?ndt=by&py=1973&pey=1973 , accessed April 24, 2016.

  7. Ibid.

  8. John Wood, “Tragedy Laces Family: Gettys Await Kidnapping News,” The Lima News, December 9, 1973, p. B1, http://newspaperarchive.com/us/ohio/lima/lima-news/1973/12-09/page-19 , accessed April 24, 2016.

  9. Weber, note 2 supra.

  10. “Young Getty Released After 5-Month Captivity,” Madison Capital Times, December 15, 1973, p. 2, http://newspaperarchive.com/us/wisconsin/madison/madison-capital-times/1973/12-15/page-2?tag=getty+kidnapping+ransom+found&rtserp=tags/getty-kidnapping-ransom-found?ndt=by&py=1970&pey=1979&ndt=ex&py=1973 , accessed April 24, 2016.

  11. “Three charged in Getty kidnapping,” Mason City Globe Gazette, January 16, 1974, p. 13, http://newspaperarchive.com/us/iowa/mason-city/mason-city-globe-gazette/1974/01-16/page-14 , accessed April 24, 2016.

  12. Weber, note 2 supra.

  13. Charles Fox, “Oh, what a crazy kidnap: Police thought Paul Getty had staged his abduction to steal his family's billions. Then a severed ear turned up. New book reveals how case has become even more bizarre. . .,” DailyMail.com, April 12, 2013, www.dailymail.co.uk/news/article-2308367/Oh-crazy-kidnap-Police-thought-Paul-Getty-staged-abduction-steal-familys-billions-Then-severed-ear-turned-New-book-reveals-case-bizarre-.html , accessed April 25, 2016.

  14. Mario Deaglio “Virtual Anarchy Driving Italy Toward Chaos,” Florence Morning News, July 10, 1977, p. 5-A, http://newspaperarchive.com/us/south-carolina/florence/florence-morning-news/1977/07-10/page-5 , accessed April 24, 2016.

  15. “Wealthy Europeans living in kidnapping fear,” Jacksonville Courier, Jacksonville, Ill, November 9, 1977, http://newspaperarchive.com/us/illinois/jacksonville/jacksonville-courier/1977/11-09/page-25 , accessed April 24, 2016.

  16. Ibid.

  17. Ibid.

  18. Lisa Berger, “The Insurance Policy No One Will Talk About,” Cedar Rapids Gazette, January 8, 1978, http://newspaperarchive.com/us/iowa/cedar-rapids/cedar-rapids-gazette/1978/01-08/page-130 , accessed April 24, 2016.

  19. Ibid.

  20. Joshua Partlow, “Kidnappings in Mexico surge to the highest number on record,” The Washington Post, August 15, 2014, www.washingtonpost.com/world/the_americas/kidnappings-in-mexico-surge-to-the-highest-number-on-record/2014/08/15/3f8ee2d2-1e6e-11e4-82f9-2cd6fa8da5c4_story.html , accessed April 25, 2016.

  21. Ibid.

  22. Ibid.

  23. Ibid.

  24. Ibid.

  25. “Kidnapping in Mexico Increased by 30% in June,” Telesur, July 16, 2015, www.telesurtv.net/english/news/Kidnapping-in-Mexico-Increased-by-30-in-June-20150716-0003.html , accessed April 25, 2016.

  26. Partlow note 20 supra.

  27. Ibid.

  28. Ibid.

  29. Ibid.

  30. Stephen Mihm, “Are Bitcoins the Criminal's Best Friend?,” Bloomberg View, November 18, 2013, www.bloombergview.com/articles/2013-11-18/are-bitcoins-the-criminal-s-best-friend -, accessed April 26, 2016.

  31. Ibid.

  32. David A. Andelman, “The Drug Money Maze.” 73(4) Foreign Affairs 94–108.

  33. Mihm, note 30 supra.

  34. Ibid.

  35. Ibid.

  36. Ibid.

  37. Partlow, note 20.

  38. Matt Liebowitz “Phishing gang steals victim’s life savings of $1.6M,” nbcnews.com, March 19, 2012, www.nbcnews.com/id/46789454/ns/technology_and_science-security/t/phishing-gang-steals-victims-life-savings-m/#.VyIlwVYrLX7 , accessed April 28, 2016.

  39. Tom Espiner, “Dawn raids net 14 suspects in £1m phishing theft,” ZDNet, March 15, 2012, www.zdnet.com/article/dawn-raids-net-14-suspects-in-1m-phishing-theft/ , accessed April 28, 2016.

  40. Ibid.

  41. Greg Aaron and Rad Rasmussen, “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” APWG (Anti-Phishing Working Group), May 27, 2015, http://internetidentity.com/wp-content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf , accessed April 15, 2016.

  42. Charles McFarland, Francois Paget, and Raj Samani, “The Hidden Data Economy: The Marketplace for Stolen Digital Information,” Intel Security, www.mcafee.com/us/about/news/2015/q4/20151015-01.aspx , accessed April 28, 2016.

  43. Theresa Payton and credit.com, “What Really Happens After Your Credit Card Is Stolen,” ABC News, September 20, 2014, http://abcnews.go.com/Business/credit-card-stolen/story?id=25633648 , accessed April 28, 2016.

  44. Raj Samani, “New Year’s Sales; Big Discounts on Stolen Data,” McAfee Labs Blog, January 29, 2014, https://blogs.mcafee.com/mcafee-labs/new-years-sales-big-discounts-stolen-data/ , accessed April 28, 2016.

  45. Kevin Poulsen, “Why the Heyday of Credit Card Fraud Is Almost Over,” Wired, September 25, 2014, www.wired.com/2014/09/emv/ , accessed May 2, 2016.

  46. Harriet Taylor, “Stolen Uber accounts worth more than stolen credit cards,” CNBC, January 19, 2016, www.cnbc.com/2016/01/19/stolen-uber-accounts-worth-more-than-stolen-credit-cards.html , accessed April 28, 2016.

  47. Poulsen, note 46 supra.

  48. Lucian Constantin, IDG News Service, “CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files,” PCWorld.com, August 29, 2014, www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html , site accessed April 28, 2016.

  49. Steve Ragan, “New Ransomware business cashing in on CryptoLocker's name,” CSO, November 12, 2015, www.csoonline.com/article/3004594/cyber-attacks-espionage/new-ransomware-business-cashing-in-on-cryptolockers-name.html , accessed April 28, 2016.

  50. Andy Greenberg, “Hackers Remotely Kill a Jeep on the Highway with Me in It,” Wired, July 21, 2015, www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ , accessed April 29, 2016.

  51. Ibid.

  52. Matt Rosoff, “Your Phone Is More Powerful Than The Computer In The Spaceship NASA Launched This Week,” Business Insider, December 6, 2014, www.businessinsider.com/your-phone-is-more-powerful-than-the-orion-computer-2014-12 , accessed April 29, 2016.

  53. Lindsay Martell “Got WiFi? Cars with WiFi Hot Spots Keep Drivers Connected,” Autotrader, June 2014, www.autotrader.com/car-tech/got-wifi-cars-with-wifi-hot-spots-keep-drivers-connected-226747 , accessed April 29, 2016.

  54. Ibid.

  55. “Avoiding crashes with self-driving cars,” Consumer Reports, February 2014, www.consumerreports.org/cro/magazine/2014/04/the-road-to-self-driving-cars/index.htm , accessed May 2, 2016.

  56. John Greenough, “THE CONNECTED CAR REPORT: Forecasts, competing technologies, and leading manufacturers,” Business Insider, January 7, 2016, www.businessinsider.com/connected-car-forecasts-top-manufacturers-leading-car-makers-2015-3 , accessed April 29, 2016.

  57. Ibid.

  58. Greenberg, note 51 supra.

  59. Ibid.

  60. Ibid.

  61. Ibid.

  62. John Villasenor, “Five Lessons On The 'Security Of Things' From The Jeep Cherokee Hack,” Forbes.com, July 27, 2015, www.forbes.com/sites/johnvillasenor/2015/07/27/five-lessons-on-the-security-of-things-from-the-jeep-cherokee-hack/#b6b9047204a6 , accessed April 29, 2016.

  63. Greenberg, note 51 supra.

  64. Ibid.

  65. Ibid.

  66. Ibid.

  67. Ibid.

  68. Ibid.

  69. Ibid.

  70. Jose Pagliery, “Your car is a giant computer—and it can be hacked,” CNN Money, June 2, 2014, http://money.cnn.com/2014/06/01/technology/security/car-hack/ , accessed May 2, 2016.

  71. Alex Drozhzhin “Black Hat USA 2015: The full story of how that Jeep was hacked,” Kaspersky Lab Daily, August 6, 2015, https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/ , accessed April 29, 2016.

  72. David Fitzpatrick and Drew Griffin, “’Ransomware’ crime wave growing,” CNN Money, April 4, 2016, http://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/ , accessed May 2, 2016.

  73. Ibid.

  74. Ibid.

  75. Ibid.

  76. Ibid.

  77. McAfee Labs Threat Report, March 2016, http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2016.pdf , site accessed September 29, 2016.

  78. Cyber Threat Alliance, “Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat,” October 2015, http://cyberthreatalliance.org/cryptowall-report.pdf , accessed May 2, 2016.

  79. Michael Hiltzik, “2016 is shaping up as the year of ransomware—and the FBI isn't helping,” Los Angeles Times, March 8, 2016, www.latimes.com/business/hiltzik/la-fi-mh-2016-is-the-year-of-ransomware-20160308-column.html , accessed May 2, 2016.
