This story is over 5 years old.

Forget Car Hacking: Phone Calls and Web Bots Are the True Security Threat

New, high-tech hacks win the headlines, but it's the oldest school scams still doing the real damage.

Take a stroll through the Black Hat sales floor, where the nation's premier security conference is taking place this week, and you'll inevitably find some marketing types wearing tinfoil hats sucking down the cold, overly-processed air. It's their idea of 'fun' corporate irony. But it does reflect some truth: there's a lot of paranoia zipping around the gaudy halls of the Mandalay Bay hotel in Las Vegas.

Some of it is understandable. But outside some concern for head-height reddish-brown blots on his hotel room curtain, your reporter hasn't been feeling the same level of anxiety. At least, not about the majority of research that's been released this week, most of which concerns detailed theoretical attacks that few criminal black hats would ever bother with (I'm now fully expecting my computer to be owned as a result of this article—Black Hat attendees love to embarrass journalists).

Take BadUSB, a malware bug created by Karsten Nohl and Jakob Lell that would mess with controller chips on USB-connected devices. It's pretty neat: the hacker could make a memory stick look like a keyboard or an ethernet card. This could then be used to take over the victim's computer or redirect their traffic to malicious sites.

But there's a catch: an attacker would need to reverse engineer the firmware of the USB device. This takes a heck of a long time and an understanding of the languages used by the devices. For just one kind of USB firmware, this took Nohl and Lell two months. Though Nohl has valid points about the average user's misguided trust in USB devices, few malicious hackers would ever bother with this technique. It's just not easy enough.

Then there's the other big story of the week: car hacking. Undoubtedly, the idea of having any outside party take control of functions in your car is beyond scary. But Chris Valasek and Charlie Miller didn't show they could do any remote hacking of different vehicles (though they did point to previous research where this was shown to be possible). They only detailed the potential for abuse, looking at the "attack surface" of various cars.

As with the USB hack, it'd be wonderful to see more emphasis on security by design within these automobiles, but few hackers are going to abuse this. Josh Corman, who is heading up the I Am The Cavalry movement to address such "cyber-physical" problems, pointed to one possible attack: infecting a car with ransomware and demanding the driver pay up if they didn't want to be driven into a tree. But again, there are way easier ways for online crooks to make money, or for government-sponsored hackers to cause trouble.

These kinds of attackers are still sticking with tried-and-tested methods, a fact highlighted by two separate events this week. Another Black Hat talk showed how much cash could be made simply by picking up a telephone and pretending to be someone else.

Pindrop Security co-founder and CEO Vijay Balasubramaniyan told Motherboard that his company's analysis of 105 million calls across a range of call centers identified 228 different gangs using all kinds of techniques to make a disturbing amount of money.

By conning operators, the fraudsters could manipulate personal details in ways that compromised accounts. He said that banks and other organizations often wrongly attribute attacks to malware rather than to social engineering and brute forcing call centers.

In some cases, they used voice manipulation software Screaming Bee to give their vocals a feminine or masculine edge (Balasubramaniyan said that sometimes the software malfunctioned, so the fraudsters sounded like Alvin Chipmunk or Darth Vader). In others, they probed automated voice response systems to determine which accounts to target. The amounts they then stole from separate accounts ranged from $800 to $700,000.

I also caught up with Alex Holden this week, the CTO of Hold Security, who released details on a hacker crew that had acquired 1.2 billion usernames and passwords by automating mass web app attacks over the last few years. He's taken some flak for seemingly trying to profit from the news (which security firm doesn't?), as his company offered a tool for users to check whether their usernames and passwords were stolen, charging $120 a pop.

It's also apparent much of the information is old. My own mother's email address was included in the database of stolen credentials Holden was carrying around with him (for his password, each key had to be pressed within a certain timeframe for it to work—he fist-pumped the air when it did) but a swift text conversation revealed her crappy password was years old.

Still, Holden's findings were alarming, showing how much data could be acquired by carrying out basic attacks on large numbers of websites. Things like SQL injection, which targets website databases, still work. Holden told me the crooks were making as much as $1500 a day just by spamming the email addresses they had acquired, some of which belonged to CEOs of major companies.

It wasn't just the 1 percent impact here, either—I've also learned the website of the San Diego branch of the YMCA was breached by attackers. Holden said almost any company you could think of was affected in some way, whether they were hacked directly or their employee credentials had leaked.

Another worrying conversation with Karl Sigler, director of the SpiderLabs Threat Intelligence Department, revealed a remarkably simple piece of malware had infected point of sale systems at 600 retailers, siphoning off a ton of credit card data.

Those POS systems had close to zero protection on them—no firewall rules to prevent outside access from dodgy domains and weak default passwords. Sigler blames the manufacturers of the machines. "Those vendors are not that security savvy," he told me. Though Sigler wouldn't say how much was pilfered, it's to be assumed the Backoff malware creators are making a decent amount of money.

Here's the takeaway from all this: criminals are way more interested in attacking systems that hold immediately valuable information and are lacking adequate security controls. Though the cutting edge research coming out of Black Hat is valuable in protecting against possible future attack vectors, it's apparent many still aren't dealing with the old ones. That's why we continue to see epic leaks at a worrying rate.