Security is causing a lot of problems and it is going to get worse – here is what organisations need to do about it.
We received another call from a distributor last week; they have also been scammed and lost about $500k. We will be having a look at cleaning this up. We can only do forensics on this one and pass it on to the Police. There are many different approaches cyber-criminals take to get into your system with the aim of making money, sometimes quite a lot.
Every one of us and our teams uses the Internet for our work and for after-hours leisure or news gathering.
The problem we have is that the world of fraud and outright theft has moved into the cyber realm. Why bother holding up a bank when a bit of code and some emails do the trick? Plus, you are much harder to trace than someone who walks into a branch to hold it up or fraudulently signs a few cheques (what are they again?). The average bank heist apparently only nets about $32,500.
According to a report earlier this year from US business insurer Hiscox, cyber-crime cost the global economy more than US$450 billion in 2016 (which is about A$560 billion). The WannaCry ransomware attack alone, which crippled computers in more than 150 countries in May, could cost as much as US$4 billion according to some estimates.
However, the bad guys aren’t all freelancers. Cyber-crime is also the domain of nation states. It is a tool of an aggressor. In fact, some of the most sinister hacking outfits operating today are “state-sponsored” groups supported, or at least loosely supervised, by governments. That includes the Russians who are believed to have hacked into the Democratic National Committee last year and the North Korean team credited with unleashing the WannaCry malware as a moneymaking scheme. These are not the only nation states by any stretch.
What is slowly dawning on corporate hacking victims is how vulnerable and defenceless they really are, even when their opponents may be 3 guys in a room halfway around the world. Expensive data-security systems and high-priced information security consultants don’t faze today’s hackers, who have the resources to relentlessly mount assaults until they succeed. In the New York law-firm case (see below), for example, prosecutors said the attackers attempted to penetrate targeted servers more than 100,000 times over seven months.
Cyber-crime is metastasising for the same reason online services have become so popular with consumers and businesses alike: ever more accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and the proliferation of off-the-shelf attack software. The very Internet networks that were built for convenience and profit are exposing their users to a steady stream of new threats.
Cyber-criminals have proved adept at adopting successful corporate strategies of their own. A recent development has seen the cleverest crooks selling hacking tools to criminal small-fry. It’s analogous to semiconductor companies licensing their technology to device manufacturers. According to a report from a security software giant, gangs now offer so-called RaaS (ransomware as a service), a trick that involves licensing software that freezes computer files until a company pays up. The gangs then take their cut for providing the license to their criminal customers.
Here are two quite different examples involving legal firms, one in the USA and one here in Sydney. They give an indication of what is going on:
- Prestigious NY law firm – A trio of hackers in China had snuck into the firm’s computer networks by tricking partners into revealing their email passwords. Once inside the partners’ accounts, the thieves snooped on highly sensitive documents about upcoming mergers. Then, from computers halfway around the world, the cyber-crooks allegedly traded on the purloined information, netting $4 million in stock market gains.
- Law firm in Sydney in August 2017 – An email comes in purporting to be from one of the customers they do regular business with, containing a supposed Dropbox link to a shared file. To them it looks harmless enough. So they click on the link, it appears to take them to Dropbox, and they are then asked for their user name and password.
Do I need a Dropbox account to join a shared folder?
Yes. If you’ve received an invitation to a shared folder, you need to have a Dropbox account to join it. This is because files in a shared folder are synced between members.
This is different from read-only shared links to a file or folder, which is what they got. With read-only shared links (which aren’t synced between members), recipients can view and download folders and files as local versions on their computer.
They were asked to put in their Microsoft Office365 username and password, which they did. Except it asked them to do it again. So they thought they had made a mistake and put it in again. Now the cyber-criminals knew that they had an Office365 account with an easy username and password, and off they went to have a good look.
The interesting thing here is that the legal firm’s own web site had been hacked as well to continue the spoof. Their site was hacked to host fake Google Docs and Dropbox pages. Their site was not a transactional site (it did not take credit card payments). However, the cyber-criminals got in because the passwords turned up in their deep look through all the emails. They obviously found one from the web developer telling the firm the user name and password.
The cyber-criminals are in no hurry. Once in, they have all the time in the world to have a good look and see what they can do to get the best possible return for their efforts.
- Not much happened for a while after the staff member clicked on the link to get a supposedly shared Dropbox file from a known client (who had obviously been hacked themselves earlier). The spoofs just keep rolling on from one company to the next by the same means: someone in the business clicks on a link and exposes their user name and password.
- Because they had a fairly straightforward user name and password, the criminals gained entry into all the business email accounts. Once in, they had a good look around and found some very interesting information.
- They also got to know who was who in the organisation.
- They had a list of everyone who had ever sent this legal firm an email, plus everyone the legal firm had sent an email to. Thousands of names.
- They also found out how the firm instructed funds transfers from their bank. The firm’s specific procedure for getting the bank to transfer funds out of a Trust Account was copied.
- The criminals then instructed the bank to send $400,000.
- Which the bank did, $400,000 went somewhere.
- However, they were extremely lucky and got their money back by sheer fluke. I will let you know how they got lucky if you are interested.
- The bank seems to have lost its money.
- The criminals then sent thousands of emails out stating this company wanted to share a file with their customers and contacts. This went out as a Dropbox and Google Docs spoof. A snowballing spoof.
- The targets were sent to fake pages on the legal firm’s website. This is how the spoof keeps moving around.
- We know someone else went to send $100,000 but their bank got suspicious.
- We also know of at least 10 of their customers who fell for it as well.
- Who else got hit?
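The Dropbox and Google Docs spoof above relied on a link that named a well-known brand but actually led to a page planted on the compromised law firm’s own website. As an added example (not part of the original post or of Go Systems’ own tooling), the script below scans an HTML email body for links whose visible text or URL names a file-sharing brand while the link’s registrable domain belongs to someone else; the brand table and the sample email are constructed assumptions.

```python
# Added example: flag e-mail links that advertise a file-sharing brand but point
# elsewhere (e.g. a login page planted on a compromised third-party website).
from html.parser import HTMLParser
from urllib.parse import urlparse

# brand -> (keywords that signal the brand, registrable domain allowed to serve it)
BRANDS = {
    "Dropbox": (("dropbox",), "dropbox.com"),
    "Google Docs": (("google docs", "docs.google", "googledocs"), "google.com"),
}

def registrable_domain(host):
    """Last two labels of a hostname; a production filter would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def suspicious_links(html_body):
    """Return [(brand, href)] where text or URL names a brand but the domain is not the brand's."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        haystack = (text + " " + href).lower()
        domain = registrable_domain(urlparse(href).hostname or "")
        for brand, (keywords, allowed) in BRANDS.items():
            if any(k in haystack for k in keywords) and domain != allowed:
                flagged.append((brand, href))
    return flagged

# Constructed sample modelled on the spoof in the post: the "Dropbox" link really
# leads to a page on an unrelated (compromised) website; the Google Docs link is genuine.
SAMPLE_EMAIL = """<p>Hi, I have shared a file with you, please review.</p>
<a href="https://www.lawfirm-site.example/wp-content/dropbox/login.html">View on Dropbox</a>
<a href="https://docs.google.com/document/d/PLACEHOLDER_ID">Open in Google Docs</a>
<a href="https://www.lawfirm-site.example/contact">Our website</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, which is exactly the pattern that caught the staff member in the story: a brand name in the message, a stranger’s domain in the address bar.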
It is batten-down-the-hatches time. We are seeing more and more sophisticated attacks, and they will continue.
This is what we recommend to our clients: a 4-layer technical process, with a different security vendor for each layer. This does not include what you do with your web site.
- Firewall – you must have a Next Generation Firewall with security bundle.
- Email – move it to the Microsoft Office365 cloud. This has built-in anti-spam and virus detection. We now recommend adding the additional threat-protection bundle per mailbox to take this to a higher level.
- Endpoint Security – this is your desktop, laptop, any server etc.
- Fake and Malicious Websites and Malicious Spoof Sites –
Go Systems Pty Ltd is also now partnering with a global SOC (Security Operations Centre) specialist to monitor, on a 24/7 basis, the sites of those clients who want it.
The 5th layer is your staff – they are critical in this.
The 2 examples I highlighted above were both the result of staff not being alert, plus easy passwords.
We have also provided a document that you need to have a good read of and pass on to all your staff. Every staff member needs to understand their responsibility when working with you, and they need to be very aware, both for their own benefit and for the safety of your business.
It is titled ‘Business Security starts with employees who need to be prepared to assist in keeping the business computers and network safe.’
Thanks for reading and stay safe.
- Here is a link to the 10 Biggest Corporate Hacks in History: http://fortune.com/2017/06/22/cybersecurity-hacks-history/
- How do I secure my WordPress website? https://www.codeinwp.com/blog/secure-your-wordpress-website/