
Understanding the Business of Cybercrime


Small business owners may think of cyber criminals as freelance or small group threat actors, but plenty of those criminals work within sophisticated organizations that function like legitimate businesses. Someone who has observed these criminals at work is Mark Lance, Senior Director of Cyber Defense at GuidePoint Security. We recently had the chance to speak with Mark on The Cyber Crime Lab Podcast and want to share a few of his insights to help small business owners realize before it’s too late that everyone is at risk.

While Mark has been in information security for 22 years, he’s been in incident response for the last 12 and has seen many different situations. One he recently came across involved a celebrity who suffered a business email compromise.


Business Email Compromise

This type of threat is one of the more common ones that Mark and his team see. In this particular case, someone had managed to get into the celebrity’s email and had, through email chains, successfully impersonated the celebrity and had begun a bank transfer of $2.5M.


Inbox Rules

How can you compromise someone’s email box without them knowing you’re in there? One way, it turns out, is to use a feature that most email services use to help you organize your inbox: rules. The threat actor gained access to the celebrity’s account and looked for any emails that related to transactions, accounting, bank accounts, etc. They then made rules to ensure that any replies to these emails went into the trash, where they could continue to work and draft replies but the celebrity would be blind to the fact that something malicious was happening (people don’t usually check their rules or trash).

Because the threat actor had access to all the previous emails and interactions, they had all the context they needed to sound authentic in new exchanges and to make what seemed to be an innocuous request for more funds. In this case, it was innocuous enough that it wasn’t noticed until the celebrity and the celebrity’s manager started to get notifications of a pending money transfer, and Mark and his team were able to discover the trail and get it stopped in time.

Part of the success of this particular threat actor was simply tapping into cultural and technical norms; people have become used to dealing with financial requests by email, without requiring voice or video confirmation, and that norm was almost successfully exploited in this instance.
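A defender-side check for the rule tampering described above, added here as an example and not taken from the podcast or from GuidePoint: it scans a constructed mailbox-rule export in a hypothetical format (not any vendor's real schema) and flags rules that hide finance-related mail, auto-forward externally, or carry a name designed to be overlooked.

```python
"""Audit mailbox rules for the hiding pattern used in the BEC case above.
The rule dictionaries below use a made-up export format for illustration."""
import re

FINANCE_TERMS = re.compile(
    r"\b(invoice|wire|transfer|payment|bank|account|accounting|remit)\w*", re.I)
# Folders an attacker uses so that replies never reach the victim's inbox.
HIDING_FOLDERS = {"deleted items", "trash", "junk", "rss feeds", "archive"}

def rule_findings(rule, internal_domain):
    """Return the reasons (possibly none) a single rule looks like inbox tampering."""
    reasons = []
    conds = " ".join(str(v) for v in rule.get("conditions", {}).values())
    actions = rule.get("actions", {})
    finance = bool(FINANCE_TERMS.search(conds))
    folder = str(actions.get("move_to", "")).lower()
    hides = bool(actions.get("delete", False)) or folder in HIDING_FOLDERS
    if hides and finance:
        reasons.append(f"finance-related mail hidden in {folder or 'deleted'}")
    if hides and actions.get("mark_read", False):
        reasons.append("hidden mail also marked as read")
    for addr in actions.get("forward_to", []):
        if not addr.lower().endswith("@" + internal_domain):
            reasons.append(f"auto-forward to external address {addr}")
    if not re.search(r"[A-Za-z0-9]", rule.get("name", "")):
        reasons.append("rule name has no letters or digits")
    return reasons

def audit_rules(rules, internal_domain):
    """Map rule name -> reasons for every rule that trips at least one check."""
    out = {}
    for rule in rules:
        reasons = rule_findings(rule, internal_domain)
        if reasons:
            out[rule.get("name") or "<unnamed>"] = reasons
    return out

# Constructed sample export: two benign rules and two that match the BEC pattern.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": "news@example.org"},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_contains": ["wire transfer", "invoice"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"name": "Accounting copy", "conditions": {"body_contains": ["bank account"]},
     "actions": {"forward_to": ["drop.box@example.net"], "delete": True}},
    {"name": "Team", "conditions": {"from": "team@example.com"},
     "actions": {"move_to": "Team"}},
]

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES, "example.com").items():
        print(f"{name!r}: " + "; ".join(why))
```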



Another form of fraud that continues to be successful, despite greater personal and professional awareness of the practice among the public, is phishing. The practice has become more sophisticated, of course. You’re no longer being asked to click on a ridiculous link that bears no resemblance to anything you might be used to. And if you are unfortunate enough to click on it, you won’t be brought to a bad counterfeit of a website you frequently see but to an exact replica, set up to capture a user name and password.

If people are expecting the same old phishing techniques and aren’t prepared for the increased sophistication of the approach, they may get hooked by one of these threat actors.


Who Are the Threat Actors?

While there are nation-state-sponsored threat actors, motivated by access to state secrets and weapons blueprints, and hacktivists looking to bring awareness to their causes, the majority of threat actors are simply criminals, after money or IP addresses that can be sold for money.

These criminals can be further divided into freelancers or small collectives and large organizations that operate just like legitimate corporations. They tend to go after certain verticals or certain-sized companies. They also appreciate the value of niching!


Criminal IT Support

At times, Mark and his team have managed to find a threat actor who has access to an environment and have taken steps to close those doors of access. They’ve then watched in real time as that closed door is attacked again and the problem is escalated through various levels of troubleshooting, just as you would expect when dealing with IT support in a legitimate business.

One time a threat actor realized they were caught and started putting in user names they knew would be logged, such as, “We know you are watching us” and “We’re going to get back in.” They won’t give up easily, even when they know they have been caught in the system.


Hire the Best

Criminal IT support doesn’t come from out of the blue. Often it comes from the dark web, where criminal organizations put out job requests, just like you might see on LinkedIn or Indeed, with the same types of interview patterns. At every level, these criminal organizations are operating as if they are legitimate businesses, partly because it means that potential employees don’t have to veer too far off a societal script to be drawn into a criminal scheme.


What To Do?

One of Mark’s strongest messages is that no organization should consider itself immune from attack. From a mom-and-pop-pizza shop to a Fortune 500 organization, there are targets for every type of criminal and every size of criminal organization.

Apart from basic user awareness training, a key best practice is implementing multi-factor authentication (MFA), which is a major hindrance to many threat actors.

With awareness and security practices in place, organizations can be better prepared for the many threat actors looking for open security doors they can exploit.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.
