Social engineering and relationship management

Active sales processes are supported by thought-out processes, continuous improvement, A/B-testing, communication in multiple channels – and logging results in databases to analyze performance. The field is typically referred to as customer relationship management, and the cloud king of the field is Salesforce.com.

Some criminals aren’t very sophisticated and they still manage to earn money through cyber-scams. There are many ways they can do this, such as identity theft, document fraud, credit card fraud – or direct extortion schemes. The latter tends to have a faster path to the reward, although credit card fraud is still a big money-making machine for the criminals. But what happens when criminals get organized, and introduce customer relationship management? Most likely the same as happens when an unstructured sales team invests in methodologies, measurements and an improvement culture; they get much more efficient and they increase their revenue streams.

This is where organized crime comes in. Organized crime groups are running efficient business operations, including in cyberspace. They map out their infection processes, and start to optimize. They keep tabs on who they are trying to scam. They use content management to build trust. And they are cashing in big time. Let’s look at the touchpoints for potential revenue optimization for a typical extortion scheme using ransomware.

[Figure: a common ransomware process]
A common ransomware process: each point in this process is an opportunity for optimization for the adversary. Each transition between two phases is an opportunity for the target to stop the adversary’s process.

The first phase, obtaining contact points, or rather, harvesting email addresses, is the first touchpoint. If you collect these from generic lists, or buy them from large spam networks on the deep web, they will most likely be of low quality, and with little context. What if the criminal sets up an engaging platform for collecting email lists, curated with “useful content” and collecting information about use patterns, typical interests and the like? The e-mails will be real, they will be active, and the adversary will have intelligence on interests and “click triggers” for each address. Using this information would give a solid boost in the number of successful email transmissions.

The second box has another great opportunity for optimization. Armed with the context information, targeted e-mails can be generated to increase the click-rate. Links that seem to be leading to interesting content, similar to your favorite reads, will get much higher click-through-rates – even better than Google AdWords. And, of course, the click rates can be measured and used to further improve targeting, using automation techniques – just the same as you would when using marketing automation solutions for legitimate business.

The ransomware download can also be optimized to increase infection rates. It can be disguised as a tool, it can be a JS-file that the user is told to execute, it can be an MS Office macro downloader, and so on. The key is to make the user bypass all sanity checks and allow installation – and armed with the context information from earlier, it is much easier to shape the message, and to piggyback on established trust.
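The download phase is one of the transitions where the target can break the chain before the user ever sees the lure. As an added illustration (not code from the original post, and not any particular vendor's filter), the following Python sketch shows the kind of attachment check a mail gateway can apply to the two delivery vectors named above: script files the user is told to execute, and Office documents carrying a macro container. The blocklist of extensions is an assumed policy choice, the sample message is constructed inline, and the macro detection simply looks for a `vbaProject.bin` entry inside the OOXML zip, which catches a macro-enabled document that has been renamed to a plain `.docx`.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: extensions quarantined outright (not from the original post).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".hta", ".exe", ".scr", ".docm", ".xlsm", ".pptm"}
# OOXML containers that are zip files and may hide a macro project.
OFFICE_ZIP_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (zip) payload contains a VBA macro container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip at all: the extension lied, but there is no macro container to find.
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'quarantine' or 'allow' for one attachment based on name and content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine"
    if ext in OFFICE_ZIP_EXTENSIONS and has_vba_project(data):
        return "quarantine"
    return "allow"


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and classify each attachment by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample mail (not real traffic): a benign PDF stand-in, a .js
    attachment, and a .docx that hides a vbaProject.bin inside its zip."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your weekly reading list"
    msg.set_content("Articles you might like are attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="digest.pdf")
    msg.add_attachment(b"// placeholder script body", maintype="application",
                       subtype="octet-stream", filename="reader.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder macro container")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{name}: {verdict}")
```

Running the script reports `digest.pdf: allow`, `reader.js: quarantine` and `invoice.docx: quarantine`. The content-based check matters more than the extension list: renaming a macro-enabled document is trivial for the sender, while the macro container inside the zip still has to be there for the lure to work.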

We could go on with this analysis – but the main point is that this is occurring, and the criminals using these techniques are the same organized crime groups that deal in illegal weapons, drugs and human trafficking. They are sophisticated operators abusing our natural instinct to trust things we feel are useful to us.

To counter this, we need to be just as systematic and smart about things on our side too. Baseline security will take you a long way but you also need to keep the people processes up to date in order to reduce the exposure to optimized malware supply chains.
