Phishers, the people who phish other people (i.e., their victims), have reasons for doing so. They are all criminals and con artists, each pretending to be something they are not in order to trick people into revealing sensitive information or into running a Trojan Horse program. They are broken people with poor morals looking to gain something they could not otherwise get with honesty, integrity, or hard work. But they have their reasons and motivations.
It helps to understand why hackers hack. Your defenses will be largely the same no matter what the motivations are, but understanding what their goals and objectives are, and which ones are likely to target your company, can help you make nuanced changes in those defenses. For example, a criminal looking for money is going to target different assets than a criminal who is after intellectual property. Understanding what type of criminal may target your organization can help in the placement of your defenses. This article is an attempt to summarize the various motivations for hacking and phishing in general.
Here are the various motivations for hackers and phishers. I’ve collected the reasons into four general groups.
For Illegal or Unethical Profit
Without a doubt, the primary motivation of most online criminals is illegal financial gain. It can be done a variety of ways, including direct financial theft (i.e., they use your access to gain entry to where you store things of value and then directly steal them). Those things of value can be stored in your bank account, investment accounts, cryptocurrency accounts, gaming accounts, hotel points, airline miles, and so on. They can steal your password to your sites, log in separately, and transfer that value to their own accounts. Or they can access your device using a Trojan Horse program of some sort, wait for you to authenticate successfully to your site(s), and then open a second, hidden browser session and transfer the money. They can use your accounts to buy things that they then send to their drop sites, and either keep the ill-gotten goods or sell them for cash.
They can use others’ trust in you and your online accounts to trick those people into sending money to the attacker’s accounts. They can pretend to be you (or a trusted company) and send email requests directing the trusting party to send payments to a new bank account. The fraudulent requests can come from a “look-alike” account that looks similar to your real account name or from your real account (if they have previously compromised it). Phishers often send trusted business partners “new instructions” to send payments to new places. Or it can be a request to pay an unexpected fee to avoid prosecution or a request to a loved one to bail someone they love out of an unfortunate situation.
Oftentimes, the cybercriminal steals your online or financial identity to use your credit cards, open new credit card accounts, or take out mortgages or new loans. In today’s digital world, your online identity is currency.
The phisher could be hoping to install ransomware. The average ransomware payment is now close to a quarter of a million dollars. Ransomware no longer “just” encrypts your servers and data to interrupt your business. Now most ransomware steals your most valuable intellectual property and private communications and asks for a ransom to be paid or else they will release the stolen information to thieves or the public. I don’t care how great and good your organization is, no organization wants their most private secrets revealed to the world.
If you’re lucky, the phishing intrusion was only to place adware or malware that attempts to direct you to sites and services you or your device would not otherwise visit. For example, you typed “Elvis” into an Internet browser search and, for reasons you can’t readily explain, Viagra sites came back as your top search results. Of course, defenders need to be as concerned about “innocent” adware as they are about any malware program or hacker, because the vulnerability the adware exploited to compromise a user or device is the same exposed vulnerability that could be leveraged by something far more malicious. Adware is a sign of a security gap and should be treated as such.
Stealing Private Information
The second biggest reason you may be hacked or phished is for unauthorized parties to gain access to your private, valuable information. It could be corporate espionage, a nation-state spying operation, or a conventional lone hacker. The stolen information could be used for financial gain, but this particular motivation has more to do with a competitive advantage and less with direct financial gain.
What this type of attacker steals depends on their ultimate objectives. They could use the information to get insight into a business deal in order to negotiate better terms or outbid a competitor. It could be to steal patent information and introduce a similar or identical product sooner or cheaper. It could be to learn what a competitor is planning to do in the near future or what their internal cost structures are. A nation-state attacker could be stealing intellectual property for the same reasons or learning more about an adversary.
Sometimes the purpose of the theft is simply to learn an identity. Different nation-states, law enforcement entities, and individuals have also used phishing attacks to ethically or unethically reveal another person’s or group’s true identity. For example, law enforcement may want to trace an online account name to a law breaker, such as a terrorist or child pornography user.
There are many legitimate and ethical reasons for someone or a group to remain anonymous. Perhaps they don’t feel comfortable sharing personal information with others under their real name, or they rightly fear unethical reprisals if their true identities were known. And there are other groups who want to unmask an anonymous account and tie it to the subject’s real identity so that person can be targeted in the future. Sometimes the motivations are ethical and supported by the majority of society, and sometimes not.
Disruption of Operations
There are people and groups who simply want to disrupt your organization’s operations. The simplest and most common variety of this type of attacker is someone who threatens a denial-of-service attack in order to extort a ransom. Far more worrying are nation-state attackers who learn how to, and plan to, disrupt critical infrastructure for cyberwar reasons. Today, most nations see cyber warfare as a legitimate and necessary method of attack and defense. National adversaries have successfully attacked other nations’ critical infrastructures, even outside of wartime, and have released malware that successfully destroyed billions of dollars’ worth of equipment (e.g., Stuxnet). Cyber warfare will always be used alongside kinetic, traditional war, but it is also increasingly being used on its own. Right now, there don’t seem to be many rules for nation-states beyond doing whatever they think they can get away with. Perhaps a cyber-Geneva Convention is needed?
Nation-states even attack organizations if they don’t like that organization’s activities, even when it doesn’t involve a real war. For example, North Korea successfully attacked Sony Pictures in an attempt to stop Sony from publishing a film, The Interview, that showed their leader in a bad light. North Korea told Sony not to promote or publish the film or they would attack Sony and disrupt their operations. Sony didn’t buckle to the extortion and paid the price.
Each nation or big company has its own hacktivist adversaries to worry about. Many groups, if they don’t agree with your operations or politics, think nothing of trying to physically and logically disrupt operations. They will try to hack into targeted organizations to steal and reveal embarrassing, private information or conduct denial-of-service attacks. Anything they can do to cost the targeted organization time, money, resources, or embarrassment is considered fair game. Many hacktivists have stolen and released information simply because they personally believed it should be free and available at no cost to anyone – intellectual property and legal rights be damned.
Using Computer Resources Without Permission
Many phishers and hackers compromise devices and computers simply to use the computational resources (a thing of value) without permission. Most of the time, the stolen resources are used for financial gain. Denial of service extorters want to collect as many nodes in their distributed denial of service networks as they can to give them more resources to combine during attacks. Cryptocurrency miners want to steal other people’s resources to generate new cryptocurrency because the cost of using their own legal resources decreases their profit.
But I’ve also seen resources stolen simply to “borrow” the “unused” resources to help someone else accomplish their own larger objective. For example, I’ve heard of bots that took over thousands of computers for obsessed SETI fans. For decades, SETI had a screensaver program that used the computational power of all involved members to sort through and analyze captured signals looking for signs of intelligent life. Some overzealous members were not content with the resources they owned and controlled and resorted to stealing the computational power of other computers using SETI-based bots.
No matter what the motivation is, using resources of others without their permission is unethical and against the law. Of course, I’m also intentionally ignoring all of those well-meaning, ethical penetration testers and security awareness trainers who use simulated phishing attacks legitimately. But it’s only because of all the illegal and unethical varieties that we have to have the latter.
Why Was Your Organization Targeted?
It’s also very important to understand that most of the time, your organization was not specifically targeted by anyone. Your organization or employees were just amongst millions of other randomly targeted potential victims who were sent a phishing email in hopes that they might mistake it for a legitimate request. Most phishing attacks are untargeted and were not specifically directed at a particular person or entity. These types of phishes are almost always financially motivated and are, all things considered, easier to detect and mitigate than a targeted attack.
Specific, targeted phishing attacks are less common, but they are harder to stop. They often arrive as spear phishing attacks, containing relevant, recognizable content that makes them more likely to fool more potential victims. Targeted phishing attacks take more advanced security awareness training to defeat. They, again, are usually looking for financial theft, but can also be for nation-state, hacktivist, or information theft reasons.
If you’re not sure why your company was phished or attacked and you have no other clues that help you determine the primary objective, odds are it was to steal money. Greed has always been the primary motivation for criminals, and online criminals are no different. But other reasons are increasingly being used to target organizations and individuals. All organizations should implement the best combination of policies, technical mitigations, and security awareness training to prevent hacking and phishing attacks, no matter what their intended goals are; but the better we understand our adversaries, the more targeted and successful our defenses can be.