Recent computer security news coverage has focused on nation-states and advanced persistent threats (APTs) conducting cyber-espionage around the globe. What if you are a lone wolf looking to make a name for yourself by breaching a prominent company, but you are not bankrolled by a country with less-than-stringent laws about computer hacking?
This article will examine the costs and budgetary considerations for a new bad actor, lacking global resources, to set up a single privileged identity theft campaign to be able to launch insider attacks. The costs shown will assume corporate targets in the greater Seattle metropolitan area. This article will also briefly examine countermeasures.
The good news is that it is still possible to become an evil villain for an initial investment of under $1,500 USD, despite rising labor costs. You do not need to learn a second language or travel abroad, and understanding Bitcoin is still optional.
Operational expenditures (OpEx) budget
For each operation, you will need two independent contractors. One will have a background in cleaning services, and the other will need to be able to mail packages and preferably have a car. Both will need to earn a week’s pay for minimal time and risk.
Some areas in Seattle have the highest minimum wage in the country, at $15 an hour. This means that a custodial professional—also known as a janitor—will bring in up to $600 a week before taxes and deductions. Considering the cost of living in the greater Seattle area, this means that most janitors do not live in the city limits. However, they do work in the city limits and have a high degree of access to corporate headquarters with long unsupervised periods in the middle of the night.
Other minimum-wage workers in the Seattle area earn about the same—$600 a week, assuming no overtime and that they are not working one or two additional jobs. Critics of this article may point out that this assumes using the lowest-cost labor available; the ethics of an evil mastermind with regards to appropriate pay scales for contract labor are regrettably outside the scope of this article. Similarly, this article assumes an independent contractor relationship, and evil geniuses are encouraged to consider setting up a full employment relationship in the future with 401k, medical, dental, and profit-sharing benefits.
You should also consider a VPN a necessity to handle network communications. These are around $12 – $15 a month. A VPN hosted overseas with no access logs is preferable.
Finally, you will need a PO box to send and receive postal mail. Although you could use a courier service, that would imply having to sign for a package of a rather dubious origin. A PO box costs $18 – $23 a month.
Capital expenditures (CapEx) budget
As a villain on a shoestring budget, you will not have the capital to splash out for the latest zero-day exploit and then the associated botnet to send a spear-phishing campaign to steal user credentials. However, you still have important choices to make and some shopping to do, and you won’t need access to the dark web.
A hardware keylogger looks like a female-to-female USB-A adapter, and it operates by sitting between the target’s keyboard and the target’s computer and intercepting all keystrokes. Hardware keyloggers work on the assumption that users rarely look behind their computer or their docking station. They are also undetectable by virus and malware scanners, as they are effectively a passive device that logs all keyboard activity to an internal MicroSD card. The better ones offer encryption. Some choices are the KeyGrabber USB, available for $45.99 (for the value-oriented nefarious mastermind) plus shipping, or the Keyllama 4MB USB Value Keylogger for $59.99, sold at Amazon with free Prime shipping. This latter option is ideal as your Prime membership also includes episodes of Mr. Robot for additional hacking ideas.
As an alternative to a hardware keylogger, you can opt for a pinhole camera. These can be installed quite easily in the acoustical tiling in office buildings, and they surreptitiously record video. They are a bit more trouble than a hardware keylogger, as the camera needs to be focused on the user’s keyboard, and you will need to transcribe the user’s keystrokes. However, these will work if the target uses either a laptop with no docking station, a wireless keyboard, or an encrypted keyboard. Some choices are the Pinhole camera full HD with fisheye lens, available for $124.95 plus shipping, or the PHYLINK PLC-128 PW, available for $169 on Amazon with free shipping.
You will initially need to recruit two people for each operation. This could be done via Craigslist, posters on telephone poles, or another medium, and it does not need to be particularly fancy. You will need to recruit a janitor with access to the target’s building, and then someone else who preferably has their own car and can wrap and ship packages. This second role will be called the remailer. Once you have recruited your first two contractors, you can begin.
First, mail the hardware keylogger or pinhole camera to the remailer. You can opt to make a cash advance to the remailer, with the remainder of payment sent on return of the hardware. The remailer can then meet with the janitor and hand off your written instructions on where to place the keylogger or pinhole camera. If you have decided to provide a cash advance to the janitor, the remailer can also deliver that.
Although C-level executives are of primary interest—getting the login details for the CFO, for example, would be fruitful—it is more practical to target a systems administrator. The accounts of C-level executives are subject to a higher degree of scrutiny and are consequently less than ideal. Systems administrators tend to feel that security policy applies to everyone except them, and happily, their accounts are typically not subject to a similar level of scrutiny.
The janitor needs to install the hardware keylogger or the pinhole camera during their regular working shift. A keylogger is easier, as it is quite likely that a janitor would be bending down behind the target’s desk if captured on surveillance camera. It is not going to be as easy to explain to building security if they are seen on camera removing acoustic tiling, drilling a hole in the tile, placing a pinhole camera, and then replacing the tile.
The target administrator can then use their system as normal, and their username and password will be captured in the first few minutes of a working day as they log in. After a day or two, the janitor then needs to collect the hardware. They can then meet with the remailer, who mails the hardware back to your PO box. Don’t make a bad name for cybercriminals by failing to send them timely payment for the return of your hardware and a thank-you note.
Turning Stolen Credentials Into Profits
Once you have picked up your hardware and fled back to your underground lair/one-bedroom basement sublet, you can turn a profit on compromised administrative credentials relatively quickly. The first option would be to install ransomware on the target’s network. However, this requires shopping for ransomware and then customizing it so that payment is sent to you via Bitcoin, which is outside the scope of this article. A second option would be to log in via a VPN with the compromised credentials and steal intellectual property. This process takes longer if you are unfamiliar with the target’s network, and it assumes that you can find a buyer for the IP. Finally, you could choose to find sales projections for an upcoming quarter, as well as historical data. You could then short the stock and anonymously release damaging information that the target will miss their upcoming quarterly earnings. Talk to a CPA, as there are tax implications to this third strategy, particularly if you have held the target’s stock for less than one year.
This article examined hardware- and people-based attacks. No amount of data exfiltration filters, malware and virus scanners, or installation of security patches will protect against this attack. Similarly, investing in better background checks applies only to new employees, and extending those background checks to include janitorial firms becomes contractually difficult and costly. If you are a security professional, you should assume this attack has already happened in your building and that someone’s account has already been breached.
The most effective countermeasure against this attack is to deploy multifactor authentication (MFA) as part of an Identity and Access Management program. Ideally, the MFA solution is context-aware, so that a user at their desk is not prompted for MFA unless they are doing something unusual, but a user whose IP address is unfamiliar and resolves back to a VPN provider terminating in Tacoma, WA, is prompted for additional credentials. The MFA solution is meaningful only if it applies to all users, because all company employees have some level of privileged access to corporate resources, whether it is financial data, personally identifying information, marketing data, or administrative access to systems.
An alternate countermeasure would be to retroactively audit for suspicious activity associated with users and then to lock their accounts. Unfortunately, this is damage control and not damage reduction—if a bad actor has stolen IP from the target company, locking the user’s account after the fact does nothing to mitigate the damage.
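The context-aware MFA policy and the retroactive audit described above, as an added example that is not part of the original article: each login event is scored on where it came from, whether the device is enrolled, and whether the action is sensitive; a stolen password from a known desk passes only for routine actions, while the audit function lists accounts that authenticated through a VPN exit or an unknown device. The network ranges, user names and log entries are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (RFC 1918 / RFC 5737 ranges), not from the article: the
# corporate office range and a block assumed to belong to a commercial VPN exit provider.
CORPORATE_NETS = [ip_network("10.20.0.0/16")]
VPN_EXIT_NETS = [ip_network("203.0.113.0/24")]
SENSITIVE_ACTIONS = {"export_finance_data", "add_domain_admin"}  # step up even at the desk

@dataclass
class LoginEvent:
    user: str
    src_ip: str
    known_device: bool  # enrolled-device / client-certificate check passed
    action: str

def risk_reasons(ev: LoginEvent) -> list:
    """Context signals that make a login unusual; an empty list means 'at the desk'."""
    ip = ip_address(ev.src_ip)
    reasons = []
    if any(ip in net for net in VPN_EXIT_NETS):
        reasons.append("vpn_exit")
    elif not any(ip in net for net in CORPORATE_NETS):
        reasons.append("off_network")
    if not ev.known_device:
        reasons.append("unknown_device")
    if ev.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")
    return reasons

def mfa_decision(ev: LoginEvent) -> str:
    """'allow' only for a routine action from a known device on the corporate network;
    'mfa' otherwise, so a password captured by a keylogger is not enough on its own."""
    return "allow" if not risk_reasons(ev) else "mfa"

def audit_suspicious(events) -> dict:
    """Retroactive audit: users seen logging in through a VPN exit or from an unknown
    device, mapped to the signals observed, as candidates for review and lockout."""
    flagged = {}
    for ev in events:
        hits = {r for r in risk_reasons(ev) if r in ("vpn_exit", "unknown_device")}
        if hits:
            flagged.setdefault(ev.user, set()).update(hits)
    return flagged

SAMPLE_EVENTS = [  # constructed sample log entries, not real data
    LoginEvent("sysadmin", "10.20.5.7", True, "read_mail"),                # at desk, routine
    LoginEvent("sysadmin", "10.20.5.7", True, "add_domain_admin"),         # at desk, sensitive
    LoginEvent("sysadmin", "203.0.113.45", False, "export_finance_data"),  # via VPN exit
    LoginEvent("cfo", "198.51.100.9", False, "read_mail"),                 # home ISP, new device
]
```

Running `mfa_decision` over `SAMPLE_EVENTS` allows only the first login; `audit_suspicious` flags both accounts, which is the after-the-fact damage control the article describes.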
An even less effective countermeasure would be to deploy separate ‘administrative’ accounts to administrators. Under this model, administrators have a ‘regular’ account for their normal computer usage, and then a second, ‘administrative’ account for privileged operations. This model assumes that a piece of malware only captures one of the user’s logins; however, a physical keylogger or camera attack will defeat it unless the administrator happens to type their second password only after the keylogger has run out of disk space. If coupled with MFA and behavior analysis, this can protect the administrative accounts but does nothing for C-level executives, Vice Presidents, market traders, and other personnel with access to sensitive or privileged data.
The last option is to assume that administrators and other privileged personnel can only access resources while on the corporate network and that they would not reuse their login credentials across external resources. This is ’90s data center thinking. With the proliferation of compelling SaaS solutions, users no longer access only resources located on the company premises, and as external SaaS solutions provide their own authentication stores, there is also no policy that prevents the administrator from reusing their corporate network password. If this is your corporate strategy, invest in a good cyber-security insurance policy and budget for a stiff renewal charge after your first breach is made public.