In December 2019, the FBI announced charges against two Russian nationals in a long-running cybercrime spree.
Their malicious code, known as “Bugat” and by several other names, as well as the separate “Zeus” malware, invaded tens of thousands of computers, according to law enforcement authorities. By allegedly gaining access to the computers and their contents, the pair and several co-conspirators stole banking credentials and moved money out of victims’ accounts. They also are accused of extorting tens of millions of dollars from victims by holding data or denying computer access for ransom.
The two are believed to have victimized cities, banks, companies and nonprofit organizations in 13 states. Arizona wasn’t one of them, but that doesn’t mean the state is immune to cybercrime.
According to the FBI, Arizona ranked 13th in the United States in the number of cybercrime victims in 2018. It ranked 16th in total victim financial loss for the same year.
Arizona businesses and individuals lost more than $19 million in 2018 in email scams alone, according to the FBI’s annual report on cybercrime. This is the type of scam that the Russian nationals are alleged to have used for their criminal activities.
In these scams, known as business email compromise (BEC), crooks use legitimate-looking emails to get people to send payments or money transfers to fake entities. Other email scams also cause employees to unwittingly send vital data to criminals.
The Better Business Bureau Serving Southern Arizona alerted small-business owners in mid-2019 about an email scam involving RFPs, or requests for proposals. The fake email invites the owner to fill out an online RFP for goods or services. By opening the form, the victim unwittingly downloads a malware-infected file. The victim also might select a link to a seemingly valid website asking for sensitive banking information, which is retrieved by crooks.
Other cyberattacks are costly, too. Corporate data breaches cost Arizona businesses $908,000 in 2018, according to the FBI’s annual report.
Ransomware, a cyberattack that locks businesses and individuals out of their computer systems unless they pay a ransom, has been decreasing since 2016 but still victimized 14 Arizona systems in 2018.
Companies in Tucson aren’t immune to these and many other cybercrimes. “In Arizona and Tucson, we’re seeing the same sort of thing that is playing out nationally,” says Michael Foster, a special agent with the FBI Phoenix division’s Tucson resident agency.
Although hackers will attack any vulnerability, businesses provide an attractive trove of information that can be stolen. “With consumers your personal information is at risk,” explains Denisse Alvarez, director of operations for the Better Business Bureau office in Tucson. “With businesses, they have a database they’re tapping into,” putting businesses and their customers, vendors and other relationships at risk.
University of Arizona Professor Salim Hariri says the problem is huge and getting bigger. “There are statistics that nearly half of all cyberattacks in 2019 were targeting small businesses,” says Hariri, who also is director of UArizona’s National Science Foundation Center for Cloud and Autonomic Computing. “That is going to increase.”
That’s particularly troubling because many smaller businesses usually don’t have the money or personnel to robustly fight internet crime. “They’re being targeted because of the vulnerabilities that exist in their network,” comments Foster.
Slow Your Roll
Vulnerabilities include people as well as hardware and software. “The biggest problem in cybersecurity is the human side,” says Hariri. “That’s the weakest link.”
For instance, he says, employees can be easily duped into opening email attachments or selecting website links that cause malware to be installed on company computers.
They respond to fake emails that appear to be from co-workers, and end up inadvertently sending funds or crucial data to crooks. Called social engineering, these scams also can take the form of seemingly legitimate vendors or suppliers requesting payment. In reality, the emailed requests are fake and the receiving accounts illegal.
Even in a fast-paced work environment, one of the best ways for someone to avoid falling victim to an email scam is to slow down, Hariri advises. Often, a cybercrime starts with “you getting distracted by a well-constructed message,” he notes.
Employees may see a phishing email, which is an unsolicited message that asks for sensitive information. Providing that information can give criminals access to company computers. From there, they can take control of the email host and issue seemingly legitimate messages that are really vehicles for theft.
Experts suggest that employees not quickly respond to seemingly urgent email, especially if something feels off. “Take the time to think about what the situation is, what they’re asking for,” advises Foster.
One way to check an email’s legitimacy is to call the email sender with a phone number that exists outside of the suspicious email. Another way is to send an email to the purported sender using an address from a separate source, not by merely hitting “reply,” then following up with a phone call.
Business owners would do well to train their employees to recognize phishing and other illegitimate messages, as well as create and share policies that help flag suspicious emails.
For instance, employees should know what types of company business are not conducted by email, such as requesting or sharing certain sensitive information. They should understand their responsibilities so that they are suspicious of requests for action outside of their job description.
There are other strategies to keep criminals from getting protected data. Experts suggest that information shared on a website be encrypted so it cannot be read by hackers. A website address that starts with “https” does this.
Other good practices include immediately installing confirmed legitimate software patches, especially those regarding security, and always logging out of public WiFi connections so crooks can’t hijack a session.
Another strategy to reduce cyberattacks is to insist that employees report cyberscams and hacks to designated company departments, whether or not damage has been done. Sharing these experiences companywide puts people on alert.
In Short: Report
The FBI and Better Business Bureau encourage individuals and businesses to report cybercrime and cyberscams to their organizations. For BBB, it helps inform others about potential threats.
“If we see a pattern, then we start alerting the media,” says Alvarez. “Our threshold is very small.” Two or three reports of the same cyberscam will trigger cautions to the public.
The FBI uses reports to hone its crimefighting strategies that can lead to arrests and recovery of lost funds. The bureau runs the Internet Crime Complaint Center (IC3) where victims can make an online report. Complaints may be referred to the appropriate international, federal, state or local law enforcement or regulatory agency for possible investigation.
In a partnership between the FBI and the private sector, information about cyberthreats is shared. Arizona Infragard, which is, according to its website, an “alliance between the Arizona Office of the Federal Bureau of Investigation and individuals committed to protecting the nation’s infrastructure and its people,” also holds public meetings on cybersecurity issues.
Have a Plan, Stan
Reporting cyberattacks to the right organizations and businesses is crucial to protect assets and possibly recover losses. Businesses that know when to call financial institutions, technical support and law enforcement have a better chance of recovering from an attack than those that have no plan at all.
Cybercrime recovery plans need not be fancy or expensive to create, Foster says. “It gives you a starting place where you don’t feel lost or out to sea,” he observes. “The most important thing is you know where to start.”
The Better Business Bureau has a cybercrime initiative to help businesses plan for protection and response. Alvarez outlined a five-step process that can lead to a comprehensive plan to fight against, and recover from, cybercrime.
Take inventory of the business’ technology. Understand how information is collected and where it is stored.
Assess policies and procedures that are used to guard against cybercrime. Train employees on these.
Have systems in place to detect cyberscams and to alert employees of them.
Create an incident response plan, such as how to continue providing service if computers are compromised and to whom the incident should be reported.
Establish systems that will recover and restore data that might have been hacked. Have a plan to maintain your business reputation during the crisis.
Cybersecurity firms exist to help companies harden their systems and assist in responding to an attack. For companies that can’t afford a service, local resources can help train employees.
Foster and other FBI agents can speak to organizations and companies about cybercrime protection.
The Better Business Bureau’s Tucson office is expanding its workshop schedule for 2020, including offering at least one that focuses on cybercrime protection. “Definitely, education is probably the most important thing” a company can do to protect itself in cyberspace, offers Alvarez.
Pima Community College’s East Campus houses one of five cyber warfare ranges around the United States. They help companies and cybersecurity workers hone their skills and their action plans.
Run by volunteers and equipped with extensive hardware and software, the range provides team war games, attack simulations and forensics methods to test the strength of a company’s response to cybercrime. Its learning modules help individuals understand the intricacies of an attack and how to respond.
The University of Arizona offers an online master’s degree program on cybersecurity for working professionals. Students learn to assess, prevent and manage cyber risks to information and physical systems.
Winning By Degrees
More than 3.5 million cybersecurity positions will be needed by 2021. Developing a local cybersecurity workforce is crucial to reducing the effects of cybercrime.
To that end, UArizona runs a Center of Academic Excellence in Cyber Operations designated by the National Security Agency. That makes the university one of only 20 cyber programs in the nation that meet demanding academic and technical standards.
The program operates out of the university’s College of Applied Science and Technology, formerly UA South, headquartered in Sierra Vista. It offers a bachelor of applied science and an undergraduate certificate in cyberoperations, as well as an undergraduate certificate in cybersecurity.
Pima Community College is readying a program to offer an associate’s degree in cybersecurity. Currently under review by the Higher Learning Commission, Pima’s accreditation agency, the degree program will cover the use of cyber tools and event analysis to reduce threats. Graduates will be able to respond to crises and resolve incidents.
The Tucson Metro Chamber plans to focus on cybersecurity workforce development this year. “We want to know how we can try to assist companies,” says Michael Guymon, the chamber’s vice president. “Our focus is more on the workforce development side and we will talk about those issues.”
He reveals that the chamber wants to work closely with the Greater Phoenix Chamber, which has a Cybersecurity Workforce Collaborative to find employees for Phoenix-area companies. A partnership would extend those efforts into Tucson.
“We may go beyond workforce development issues because we know how much of a challenge cybercrime can be on companies,” Guymon adds.
Professor Hariri is heading a UArizona research team that is collaborating with Howard University, the Navajo Technical University and the Argonne National Laboratory on a two-prong approach against cybercrime.
Armed with a $5 million grant from the National Nuclear Security Administration, the partnership is training students from minority groups that are underrepresented in the cybersecurity industry, as well as women.
The grant additionally funds research into ways for machines to automatically detect cybercrime activities and take defensive measures to counteract the threat. Think of it as the cybersecurity plan working in real time without human involvement.
Artificial intelligence and machine learning could create systems software that detects and blocks an attack within the microseconds it takes for a hacker to gain access to a system. Such machine learning also could make systems adapt as cybercrooks tweak their attack methods.
UArizona’s Wireless Network and Cyber Security Research Lab is exploring how to incorporate cybersecurity in the early design of products (everything from refrigerators to baby monitors) that are connected to the internet, known as the internet of things (IoT). This effort would reduce the need to patch security holes that are inherent in new products.
Hariri likens the scope of cybersecurity to protecting a home, which might have a few doors and windows that criminals could try to break through in order to gain access. Today, a variety of networks — clouds and wireless systems among them — connect computers, phones, home appliances, cars, medical devices and business equipment. These represent many doors and windows that criminals can try to breach.
“The digital world has two billion websites, 2.5 to 3 billion users and 40 to 50 billion internet of things,” Hariri says. “Any one of them is vulnerable. That’s why it’s challenging.”
He would like to see a future where cybercrime reaches a manageable level. Just like stores tolerate a certain amount of shoplifting or product damage, businesses could find a point where they can accept a certain level of loss from attacks.
That vision would require continued research and development to build strategies that frustrate more criminals and create systems where recovery is less traumatic.
“We just need to figure out how we can identify the problems and come up with solutions,” remarks Hariri. “Eventually the next paradigm is cybercrime tolerance.”
It may be the best that commerce and consumers can hope for in exchange for the convenience of using the internet.
Hariri observes that a criminal doesn’t need to walk into a bank with a gun to rob it anymore. “All it takes is a guy on a computer somewhere in China or Russia to move millions of dollars from banks or personal accounts.”
To file a complaint with the FBI and for cybersecurity tips and alerts:
To request a speaker from the FBI:
www.fbi.gov/phoenix, select “Community Outreach,” then “Speaker Request.”
For information on the Cyber Warfare Range:
www.azcwr.org or 206-7777.