The following is adapted from Fire Doesn’t Innovate.
For all the ways it’s made our lives better, the Internet has a dark side inhabited by people like the Russian cybercriminal Bogachev. Known for his malicious digital hacking techniques, Bogachev is on the FBI’s most wanted list with a $3 million reward offered for his capture. He represents a completely new class of criminal: I call him the millennial mobster. Since 2011, he’s stolen more than $100 million from Western banks.
He’s like an Internet-savvy Tony Soprano.
You might think Russian cybercriminals are only interested in large, multinational banks worth hundreds of millions. You’d be wrong. Cybercriminals like Bogachev exploit weakness for profit no matter who the target is or what the score will be.
Which brings us to East Sunshine Street in Springfield, Missouri.
On this street sits a pediatric dentist’s office called Smile Zone. Smile Zone’s philosophy is to ease children’s fears about going to the dentist. They believe that children should be given all the time they need to become comfortable before a dental procedure.
Unfortunately, like many businesses—big and small—they didn’t have a clear set of cybersecurity policies and procedures, which left them vulnerable to a cyberattack.
They were a dentist’s office, after all, not a bank. Cybersecurity was one of the last business threats on their minds. But that’s what Bogachev was counting on.
Their biggest mistake was falling for a silent phishing attack on the computer they used to conduct their bank transactions.
In 2010, Bogachev created a piece of malicious code that one of his minions got onto the computer Smile Zone used for its bank transactions. Bogachev’s gang member remotely monitored Smile Zone’s transactions for several weeks in order to learn their banking habits. Then, when the time was right, Bogachev used the dentist’s valid credentials to steal $205,000 from Smile Zone’s checking account at Great Southern Bank.
Smile Zone, a dentistry office for children, never recovered that money.
Money is Hard to Recover Once It’s Gone
Once a cybercriminal takes money, it’s incredibly difficult to get back. In the case of Smile Zone, a combination of factors prevented them from getting their money back. One factor was that the money was stolen from a commercial checking account, which operates under a different set of rules and regulations than consumer accounts.
For example, consumer accounts enjoy extremely limited liabilities. Most major credit card companies and issuing banks offer zero liability protection to consumers.
In other words, if a thief uses your account to make purchases, you’re not liable for a penny of the charges. Commercial accounts have no such protection.
The other factor that kept Smile Zone from recovering their money was that from the bank’s point of view, the transaction was a perfectly valid one. It had all the authenticity markers of other transactions performed on that computer over the years prior.
Therefore, the bank assumed no liability for the loss.
Small Businesses are Prime Targets
You might look at a pediatric dentist’s office as a strange target for a cyberattack, but that’s a major misconception. Small businesses are prime targets. Because they don’t have as much cash flow as a large corporation, they don’t defend themselves against cyberattacks with the same level of sophistication as a big business.
As a result, criminals cast a wide net very cheaply, just to see how many small businesses they can hack. In fact, the cost of committing a crime like the one pulled on Smile Zone is much lower than you would think. A cybercriminal in Eastern Europe could pay a hacker just a few dollars a day to attack small businesses in the West.
With that overhead, a $205,000 theft after several weeks of reconnaissance and study is a highly profitable activity, even if it took dozens of failed hacks to get one success.
The Bully Wants You to Come Back Tomorrow
The fact that the fraudulent transactions were fully formed and legitimate is incredibly important. They didn’t want to put Smile Zone out of business with one big hack.
They wanted to take enough money, without detection, to justify their effort but without putting the dentist out of business. So they could come back for more some other time. Just like the bully who stole your milk money every day in grade school, the hacker doesn’t want to beat you up so bad you drop out of school.
They need your milk money. So even if they threaten you and scream at you, they’re counting on you coming back the next day with more money for them to take.
Bogachev’s malware could have let them steal more than that $205,000 from Smile Zone, but they didn’t because their end goal was not to put them out of business.
It was to take money over time.
Nobody Will Be There to Protect You
Even after Smile Zone realized they were being pilfered, nobody could help them—not the bank, law enforcement, the military, or the judicial system. Some day in the future, small businesses in America will be able to count on banks and government agencies to do a better job preventing these kinds of cyberattacks.
But that day is still fifteen to twenty years away, or more.
In the Western world, especially here in the United States, we are accustomed to being protected from criminals. And when a crime is successful, we are accustomed to receiving justice for the transgressions that were committed against us.
Unfortunately, the same institutions that protect us from physical theft are incapable of protecting us from digital theft, except in the most extraordinary, heroic circumstances. For now, at least, you’re on your own, and that can be a scary change to accept.
For more advice on protecting your business from cybercriminals like Bogachev, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).