Slashdot Mirror


Malware Attacks Give Criminals 1,425% Return On Investment

An anonymous reader writes: Trustwave released a new report which reveals the top cybercrime, data breach and security threat trends. According to their findings, attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment). Retail was the most compromised industry making up 43 percent of investigations followed by food and beverage (13 percent) and hospitality (12 percent).

  1. Sliced and Diced by Anonymous Coward · · Score: 4, Informative
    1. Re:Sliced and Diced by Anonymous Coward · · Score: 2, Informative

      Whoever modded that down: The complaint about Sourceforge is on topic, and not just a rehash of older complaints either.

  2. Don't use thousand separators internationally by Anonymous Coward · · Score: 5, Insightful

    1,425% is ambiguous. It can be read as 1.425% by people who normally use commas as decimal separators. Thousand separators are meant to be used for clarity, but in an international forum they create confusion instead, so don't use them. Digit grouping is an alternative, but doing that in a typographically correct way requires non-breakable narrow spaces. Honestly, if you need help reading a four digit number, maybe reading isn't for you.

    1. Re:Don't use thousand separators internationally by Anonymous Coward · · Score: 1

      Indeed. I don't mind points as a decimal separation, but commas to group thousands are highly confusing.

    2. Re:Don't use thousand separators internationally by meza · · Score: 4, Interesting

      Ah thank you. Coming from a country where we use comma as a decimal separator I actually did misread this and thought it was a pretty crappy return of investment (due to dissonance or something my brain decided not to interpret what was written within the parentheses).

    3. Re:Don't use thousand separators internationally by Anonymous Coward · · Score: 2, Insightful

      1,425% is ambiguous.

      It's not ambiguous, it's very clear and perfectly acceptable anglophone denotation.

      No it isn't.

      You want an example? South Africa uses commas for decimals. And they're not the only ones.

    4. Re:Don't use thousand separators internationally by BlackPignouf · · Score: 1

      Exactly.
      On a related note, could we please kill the developer(s) that wrote the CSV import for Excel?
      Depending on your regional settings, importing a cell containing 3.14 could yield 3.14, 3140 or 14th of March.

    5. Re:Don't use thousand separators internationally by ArcadeMan · · Score: 2

      Here's a set of coordinates. Have fun understanding where commas are meant to separate coordinates and where they're meant to separate thousands.

      574,813,067,805.875,243,554,323,654,371.654,876,484,567,576,549.654,765.763,652,258,436,540.365,347,654.364

    6. Re:Don't use thousand separators internationally by Carewolf · · Score: 1

      1,425% is ambiguous. It can be read as 1.425% by people who normally use commas as decimal separators. Thousand separators are meant to be used for clarity, but in an international forum they create confusion instead, so don't use them. Digit grouping is an alternative, but doing that in a typographically correct way requires non-breakable narrow spaces. Honestly, if you need help reading a four digit number, maybe reading isn't for you.

      If anyone reads the number as 1.425% in relation to this story, then I would agree with you. Maybe reading isn't for you.

      Then again, maybe this forum isn't for you either. Clearly there's a comprehension problem that has fuck-all to do with commas or decimals.

      I read it as 1.425%. No one uses thousand separators for just 4 digits, so 1 point something was much more likely.

    7. Re:Don't use thousand separators internationally by Frederic54 · · Score: 1

      True, as a French guy I read this as 1.425%... at least they could have written 1'425% to remove confusion...

      --
      "Science will win because it works." - Stephen Hawking
    8. Re:Don't use thousand separators internationally by Z00L00K · · Score: 1

      If you use separator - use a space and a fixed-width font.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:Don't use thousand separators internationally by Z00L00K · · Score: 1

      Which most of Europe do.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    10. Re:Don't use thousand separators internationally by Z00L00K · · Score: 1

      Not to mention the CSV export. The dynamic of that format is completely FUBAR for everyone working in a multinational company.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    11. Re:Don't use thousand separators internationally by Intrepid imaginaut · · Score: 1

      The primary language of South Africa is Zulu. English trails in a poor fourth down the list.

    12. Re: Don't use thousand separators internationally by Intrepid imaginaut · · Score: 1

      I wasn't aware the summary was written in code, or contained any lengthy co-ordinates either for that matter.

    13. Re:Don't use thousand separators internationally by stoned_ritual · · Score: 1

      Using percent to describe something in the thousands is rather silly to begin with.

    14. Re:Don't use thousand separators internationally by belthize · · Score: 1

      Here's a map of usage by country, blue is comma, green is dot. https://en.wikipedia.org/wiki/...

      By total population comma wins.
      By total countries dot wins.
      By total military comma wins.
      By square mileage dot wins.
      By website hosting locale comma wins.

      By mindless inability to grok the obvious from the summary where they helpfully give $84,400 return on $5,900 investment which makes it clear that it's not 1% and that commas are being used nobody wins.

    15. Re:Don't use thousand separators internationally by munch117 · · Score: 1

      Even better, they could have written 14x. There is no way that 4 significant digits are meaningful, and factors are more easily understood than large percentages.

    16. Re:Don't use thousand separators internationally by TheCastro1689 · · Score: 1

      Clearly it's 1 foot 425%

  3. SUBJECT by Anonymous Coward · · Score: 2, Funny

    How nice of Slashdot to explain why SourceForge is fucked up as it is.

  4. TCOC by Anonymous Coward · · Score: 2, Funny

    This is the return before legal fees, restitution and incarceration.
    You have to look at the Total Cost Of Crime when you calculate the ROI.

    1. Re: TCOC by MenThal · · Score: 1

      Not to mention whitewashing. What rates does Saul offer nowadays?

    2. Re: TCOC by MenThal · · Score: 1

      Hehe, will try to post as AC/DC next time...

  5. Crime Pays (sometimes) by Etherwalk · · Score: 3, Insightful

    Yeah, a lot of people go into crime for money. Human Traffickers make a great return on investment in slaves, for example, and get much less risk of being caught than if you're trafficking guns. It's seriously messed up, but how fast do you think the police would shut down an AK-47 market on the corner as opposed to your neighborhood's center for prostitution?

    Bank robbery also pays, but tends not to pay very well. (Not nearly as well as a good engineering job, IIRC, and more likelihood of your bugs getting detected).

    1. Re:Crime Pays (sometimes) by JaredOfEuropa · · Score: 1

      You're right: bridges never fall down, electronic devices never catch fire, cars are never recalled, walls never develop cracks, and buildings never leak. Oh wait, they do.

      If you mount a light switch upside down, or you use door knobs from a different source than your design specifies, your building generally won't come crashing down. In the world of software, it very well might.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Crime Pays (sometimes) by fustakrakich · · Score: 1

      It's much more promising to run a bank than to rob one.

      The best way to rob a bank is to own it, am I right?

      --
      “He’s not deformed, he’s just drunk!”
  6. Credit card track data? by RobinH · · Score: 1

    Data most targeted: In 31 percent of cases Trustwave investigators found attackers targeted payment card track data (up 12 percentage points over 2013). Track data is the information on the back of a payment card that’s needed for an in-person transaction. Twenty percent of the time attackers sought either financial credentials or proprietary information (compared to 45 percent in 2013) meaning attackers shifted their focus back to payment card data.

    I assume this is mostly because the US still doesn't have chipped credit cards, or has that changed since a year or so ago when I was there? I thought the magstripe was going away.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Credit card track data? by CrimsonAvenger · · Score: 2

      I assume this is mostly because the US still doesn't have chipped credit cards, or has that changed since a year or so ago when I was there?

      The new ones are chipped. But the replacement cycle on credit cards (mine are usually good for five years) is long enough that a lot of unchipped cards are still out there (about half of mine are chipped, the other half won't expire for a couple-three more years).

      Note that chipped doesn't protect you from credit card fraud - just yesterday I got called by my CC company to verify that I'd really bought something in Arizona that morning (haven't been in AZ in the last five years) - the card in question was chipped....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Credit card track data? by RobinH · · Score: 1

      Presumably your card # and other information were stolen manually or via an online transaction. The article is specifically mentioning going after the data from the mag stripe. I have presumed, but don't know enough about it, that the chipped cards encrypt the verification between the card and the bank, so the vendor doesn't ever have that info, and thus any malware running on their POS terminal can't access it either. That doesn't stop your waiter from writing down your card details of course... it's just a matter of degree.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:Credit card track data? by CrimsonAvenger · · Score: 1

      Presumably your card # and other information were stolen manually or via an online transaction

      Manually, I am guessing. I have a different credit card for online transactions. Or possibly directly from the CC company....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    4. Re:Credit card track data? by BVis · · Score: 1

      Chip and PIN != RFID.

      --
      Never underestimate the power of stupid people in large groups.
    5. Re:Credit card track data? by Steve Newall · · Score: 3, Informative

      The liability shift for chip and PIN cards is scheduled for October this year in the US. Although the guesstimates vary, probably around 20% of merchants will have an EMV (chip) reader by this time. When chip and PIN was introduced into Europe, there was a sharp increase in credit card fraud in non-chip regions (Canada for example), and when Canada introduced chip and PIN we noticed a sharp decrease in fraud, which we assume was moved into the US.

    6. Re:Credit card track data? by tsqr · · Score: 1

      The new ones are chipped. But the replacement cycle on credit cards (mine are usually good for five years) is long enough that a lot of unchipped cards are still out there (about half of mine are chipped, the other half won't expire for a couple-three more years).

      I received chipped replacements for my credit card and ATM card (different banks) roughly 3 years before the old cards were due to expire. Apparently some institutions aren't waiting so long.

    7. Re:Credit card track data? by mlts · · Score: 1

      I'm actually surprised. The chip/PIN readers are gaining steam here in the US. Even Square has an EMV reader. The fact that vendors have to pay the cost is getting them to actually get off their butts and deploy these. Even ATMs are starting to have a mechanism for chips.

      I just wonder how they are going to handle fraud via mail order or where the card isn't present. This will still be an issue.

    8. Re:Credit card track data? by tlhIngan · · Score: 1

      I just wonder how they are going to handle fraud via mail order or where the card isn't present. This will still be an issue.

      Same way they always have - CNP transactions cost more and are riskier.

      It'll be a cost an internet merchant will have to pay, and there's no way around it. Either the merchant adds friction to the process (some merchants ask you to fax/email a copy of the card which if you look at the cardholder agreement is something you should never, ever, do), or they end up using something like Paypal, or disallow separate billing/shipping addresses or other things.

      Just FYI - if a merchant asks you to email/fax them an image of your card, be aware that shifts the liability back onto you if the person at the other end decides to go wild with your card.

      Then again, it may just simply be the cost of doing business. It's not like the threat is new or anything - I mean, I don't expect fraudulent e-commerce rates to rise because well, it's always been that way.

  7. Physical card theft by Anonymous Coward · · Score: 1

    I have to wonder if the best return isn't on physically stealing cards. My wife's debit card was stolen at work this weekend. Since it's a secure environment they know it was one of thirty people. She realized it when she got an alert when it was used on the other side of town about an hour after they got off work. After canceling the card she called the gas station manager who said he had the person on camera so to file a police report and he'd gladly supply the video. The police refused to take a report. They said they wouldn't follow up so there was no point. First they should always take a report but second you know you have the person on video, my wife could probably ID the guy, and you know where he works and my wife probably knows his schedule and you won't do anything?

    Then they wonder why the teens here have no respect for the law. Why would they when the police flat out tell them they can break the law and they won't do anything.

    1. Re: Physical card theft by dj245 · · Score: 1

      Don't call the police, call the bank and let the bank call the police.

      It's not worth their time. They either wrote off the loss or their insurance company paid or they backcharged the merchants. Spending any additional time on nailing the criminal wouldn't benefit them in any way. It would be purely for vengeance.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  8. anti-virus industry enticing more virus-makers? by mix_left_and_right · · Score: 1

    is this just the anti-virus industry trying to entice more virus-makers into making more viruses?

  9. Philosophical musing by Anonymous Coward · · Score: 1

    We have crafted a culture that not only rewards, but idolises excessive accumulation of wealth. We have taught each other to seek profits, and that a large return on investment is a good thing. We have also crafted a technological world where poor quality software (designed sufficiently to get paid, but with effort and attention to detail spared so as to increase the profitability and return on investment) runs people's lives, and where few understand this software. Is it any surprise that waves of such cybercrime are happening? Unfortunately too many humans are too greedy to make properly fixing this situation a serious possibility in the near future.

  10. New Investment Opportunity by Virtucon · · Score: 4, Funny

    So what the TFA is saying is that it's better for me to invest in Malware hackers than the S&P 500. Interesting. Now I'm wondering if there'll be an ETF or Mutual Fund available soon. Symbol: HX0R

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  11. Risk? by jbmartin6 · · Score: 1

    Sure the returns are high, just like they are on cocaine smuggling. But what is the risk?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Risk? by fustakrakich · · Score: 1

      About 10% chance you'll get caught, but the people you are likely dealing with are no better than the cops, so, caveat emptor, as the saying goes...

      --
      “He’s not deformed, he’s just drunk!”
  12. Re:Simple! by Z00L00K · · Score: 1

    Like making murder legal then?

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  13. Re:Superior protection vs. malware = hosts by dave420 · · Score: 1

    * Can't be selectively disabled
    * Defeated by being out of date
    * Can disable some websites whose code relies on being able to read content on a blocked host
    * Creator is famous for spamming the ever-loving shit out of people in some strange belief people like his bizarre, rambling adverts, but not other, less-insane adverts

  14. This article reminds me of something. by stoned_ritual · · Score: 1

    That I'm in the right line of work, but I'm on the wrong side.

  15. Re:Simple! by fustakrakich · · Score: 1

    "Murder" is fungible.

    --
    “He’s not deformed, he’s just drunk!”
  16. Re:Actually 1325% ROI by belthize · · Score: 1

    You might want to ponder the meaning of 'net revenue'.

  17. Re:Local DNS = more parts & power + resource h by dave420 · · Score: 1

    I don't have to do better - better solutions than yours exist already. Give it up. I've already pointed out flaws in your solution which render it useless in many cases, and your anti-boner for DNS and competitors is clouding your already "unique" perspective. It's sad.

  18. Re:Local DNS = more parts & power + resource h by belthize · · Score: 1

    You're in the abyss now.

    Not sure how many people remember James "Kibo" Parry but at this point I suspect APK doesn't really exist. It's just an interesting bit of amped up Eliza code that looks for references to APK, posts, and then responds to follow ups with canned text and inline name replacements.

  19. Of course financial crimes pay by davidwr · · Score: 1

    If it didn't, people wouldn't do it.

    Even a typical burglary of an upper-middle-class home with $5000 in jewelry pays several thousand percent if you don't factor in the thief's time* and if the thief is never caught**:

    * Gross from sale of stolen jewelry on the black market: $500 (or more)
    * Cost attributable to getaway car, fuel, and driving to/from the meetup with your fence: Under $30.

    That's well over a 1650% return right there.

    * Assume the thief doesn't value his time, which is likely a valid assumption on our part
    ** Assume the thief naively believes the risk of getting caught is negligible, which is likely a valid assumption on our part

    A major difference between malware and burglary is the risk of serving jail time or paying heavy fines for malware really is close to zero, at least for now. Sigh.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Of course financial crimes pay by david_thornley · · Score: 1

      Another major difference: to burgle my house, the burglar has to physically be here. To, say, encrypt my files and demand ransom, the criminal has to be connected to the Internet, and physically be somewhere on the planet.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Re:Not even 2% by hercludes · · Score: 1

    1425%. Not 1[,.]425%

  21. 1,425% ROI, but 87.3% of statistics are made up by EzFlier · · Score: 1

    Of course, the relevant XKCD: https://xkcd.com/1295/