What is a Commodity Attack?


“Commodity attack” is a wide-ranging term for the most common form of cyber crime in the world today.

These attacks aren't specifically targeted against a user or organisation. Criminal gangs using these tactics are looking for anyone or anything they can exploit to extract maximum profit for minimum investment. The criminals employing these methods are typically organised gangs with a low level of technical skill (in some instances none at all), scouring the internet for easy targets and low-hanging fruit.

Once a victim is identified, the attackers waste no time stealing any data they can—contact lists, customer databases, confidential plans, and intellectual property to be sold on the dark web. They hijack email accounts to send phishing emails to new victims, take control of cloud services to install crypto-mining software, and encrypt systems to demand ransom.

Each successful attack can serve as a launchpad for thousands of new attacks from the victim’s now-compromised systems. So, even if a ransom isn’t paid, attackers still benefit from every organisation they infiltrate.

How Bad Is It?

There have been hundreds—if not thousands—of these types of cyber attacks across the UK in recent years. It has sadly become a frequent occurrence. Some notable examples include:

One of the reasons these attacks are so successful is that many organisations believe it won’t happen to them: this kind of thing only happens to others, or it's just something you read about in the news. But the reality is that these attacks happen in the UK every single day, in such high volumes that it’s not a case of if it will happen, but when.

Just over four in ten businesses (43%) and three in ten charities (30%) reported experiencing a cyber security breach or attack in the last 12 months. This equates to approximately 612,000 UK businesses and 61,000 UK charities [2]—and that’s just the ones which were disclosed. It’s becoming inevitable that every organisation will experience an attack eventually.

The Office for National Statistics (ONS) reported approximately 1,022,000 computer misuse incidents in England and Wales for the year ending March 2024—a 37% increase on the year before [1].

There are no signs of this type of cyber threat slowing down, so it’s vital we talk about how to spot them, how to defend against them, and what to do if you become a victim of a commodity attack.

Common Techniques

There are many different techniques used by criminals, often combining multiple tools and tactics in a single attack. This list isn’t exhaustive, but the most common techniques include:

 

Any one of these techniques—combined with an unpatched web browser or email application—can be enough to compromise a user’s device. Once inside, criminals typically follow a methodical process to expand access: moving laterally across networks, escalating privileges, and deploying additional malware to maintain access.

What begins as a single compromised endpoint can escalate into a full-scale data breach, involving exfiltration of sensitive data, ransomware deployment, or even long-term surveillance.

It’s More Than Ones and Zeros

Perpetrators rely on deception and manipulation to bypass defences. There’s often a psychological element to the initial event, and while many believe they won’t get caught out, it only takes a single oversight to start a domino effect.

Attackers exploit human emotions—especially when users are tired, stressed, or distracted. However, these attacks often follow predictable patterns, and once you know what to look for, they become easier to spot.

 

If something sounds too good to be true—or demands urgent action—be suspicious. Very few legitimate requests are so urgent that they can’t wait for clarification. Attackers often time their campaigns around key events, such as:

  • End of the financial year
  • Christmas and summer holidays
  • Organisational changes such as mergers, acquisitions or leadership changes

How to Protect Your Organisation

There are many simple and effective actions you can take to reduce the risk of attack. These may seem like common sense, but most victims are non-technical users who aren’t aware of the breadth of online threats.

Here are some of the most effective actions you can take:

Conclusion

These kinds of attacks are on the rise, and the number of criminal gangs turning to cyber crime continues to grow. The impacts are far-reaching—not just for businesses, but for employees, service users, families, and entire communities.

By making small, practical changes to prioritise cyber security, you can help protect your organisation and everyone connected to it. It may sound dramatic, but it doesn’t need to be this way. Implementing basic controls—such as those found in Cyber Essentials—dramatically reduces the likelihood and impact of an attack.

Thank you for reading. If you’d like to discuss any of the topics mentioned in this article, please get in touch. We’re always happy to offer support and guidance.

Phone: 01543 765 700
Email: info@westmidsybcer.com
LinkedIn: https://www.linkedin.com/company/wmcyber