
Kroll on cyber-attacks

by Mark Rowe

EJ Hilbert of Kroll writes that cyber-attacks follow the same principles as physical world attacks. All the locks on the doors are ineffective when someone leaves the front door open.

Who would dare call me at 6am on a Saturday? This was the thought going through Joe Bigginton’s mind as he answered his mobile phone one Saturday two months ago.

The caller was a fraud specialist at his bank calling to confirm that Joe had authorised another transfer of £20,000 to a bank account in Ireland. “What? NO!!! I did not authorise a transfer. And what do you mean ‘another’ transfer?” was Joe’s emphatic response.

Joe was then informed that this was the fourth such transfer authorised via email from Joe’s wealth manager, and given the short interval since the last transfer it seemed odd to the bank. The bank tried emailing the wealth manager and got no response, so it decided to phone Joe directly on his mobile.

Joe was both amazed and perplexed. He instructed the bank to cancel all pending transfers and to lock down his account. He also reported the previous three transfers as fraudulent and demanded that the bank recover his money.

How could this happen? Why would his personal assistant, the person the bank knew as his wealth manager, make such transfers? Joe trusted her implicitly, and though they had not communicated in the last few days while he had been travelling, the whole situation just did not make sense.

In the last 12 months, Kroll has dealt with 12 such cases with the amounts being stolen ranging from £1,000 up to £3m with each transfer. In each case, the PA or wealth manager was not to blame. They were acting on instructions they had received from their bosses. In each case, the banks were in part liable because they made transfers based on emails received with no verbal (by phone or in person) verification. In each case, the fraudster made off with at least one full transfer before the banks could seize the funds and return them to the victim.

And in each case, the victims, Mr Bigginton and others, had been the target of an email account compromise and been defrauded via a computer. You can debate whether these were cyber-crimes or just plain fraud, but what’s more important is how they happened.

Upon investigation, Kroll determined that the victims’ email accounts had been compromised. The fraudsters then did a couple of specific things. First, they set up email filters so that any reply to the emails they were about to send while impersonating Joe would either be deleted immediately or routed to an obscure folder within Joe’s account and removed from the inbox. Next, they attempted to log in to the personal assistant’s or wealth manager’s email account, trying the compromised account’s password there too. If they gained access, they repeated the filtering process. Finally, they sent an email to the wealth manager instructing them to make the transfer.

The result was that the hackers used Joe’s email account to instruct the wealth manager to transfer funds. When the wealth manager emailed back for clarification, Joe never saw the email, because of the filters. Instead, when the fraudster logged in to the webmail account, he/she would go to the relevant folder, read the email and respond as Joe. These filters are the reason why Joe had not heard from his personal assistant and why he was suddenly £60,000 worse off.
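The filter trick above is easy to spot in hindsight: a rule that silently deletes or diverts replies about money, or forwards mail outside the organisation, is almost never something the owner created. The script below is an added example, not Kroll’s code or part of the original article. It assumes the mailbox rules have already been exported (for example from Exchange Online’s `Get-InboxRule` cmdlet or the Gmail settings API) and normalised into simple records; the rule set, the folder and keyword lists, and the `example.com` domain are all constructed for illustration.

```python
"""Audit mailbox rules for the 'hide the reply' pattern used in email
account compromise fraud.  Added example; the sample rules are constructed,
not taken from a real case."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Words that tend to appear in replies to a fraudulent payment instruction.
SENSITIVE_KEYWORDS = ("transfer", "payment", "wire", "invoice", "bank", "urgent")
# Folders attackers favour because the owner rarely opens them.
SUSPICIOUS_FOLDERS = ("rss feeds", "rss subscriptions", "notes", "conversation history",
                      "archive", "junk", "deleted items")
INTERNAL_DOMAIN = "example.com"  # assumption: the victim's own mail domain


@dataclass
class Rule:
    """One mailbox rule, normalised from whatever the mail platform exports."""
    name: str
    enabled: bool = True
    from_contains: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    delete: bool = False
    move_to: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_read: bool = False


def rule_findings(rule: Rule) -> List[str]:
    """Return the reasons a rule looks attacker-created; empty list if it looks benign."""
    if not rule.enabled:
        return []
    findings = []
    subject = " ".join(rule.subject_contains).lower()
    diverts = rule.delete or rule.move_to is not None or bool(rule.forward_to)
    if rule.delete and (rule.from_contains or rule.subject_contains):
        findings.append("deletes mail matching a specific sender or subject")
    if rule.move_to and rule.move_to.lower() in SUSPICIOUS_FOLDERS:
        findings.append(f"moves mail into rarely viewed folder '{rule.move_to}'")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if diverts and any(k in subject for k in SENSITIVE_KEYWORDS):
        findings.append("diverted mail matches payment-related keywords")
    if rule.mark_read and diverts:
        findings.append("marks diverted mail as read, hiding the unread count")
    return findings


def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its findings; benign rules are omitted."""
    return {r.name: f for r in rules if (f := rule_findings(r))}


# Constructed sample export: one legitimate rule and three that match the fraud pattern.
SAMPLE_RULES = [
    Rule("Newsletter cleanup", from_contains=["news@vendor.example"], move_to="Newsletters"),
    Rule(".", from_contains=["pa@example.com"], subject_contains=["RE: transfer"],
         move_to="RSS Feeds", mark_read=True),
    Rule("Old reports", subject_contains=["weekly report"], delete=True),
    Rule("Copy", forward_to=["joe.b.backup@webmail.example"]),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The single-character rule name, the move into an RSS folder and the mark-as-read action are the tell-tale combination from the cases described above; the external forward is the other common variant. Run such an audit across every mailbox that can approve a payment, not just the one that was reported.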

But how did they get Joe’s email account and password? The answer is: relatively easily. Usernames are usually your email address, which can be found with a Google search, so the attackers did not need to work for that; they just needed the password. Sometimes passwords can be guessed from personal information posted on social media. Sometimes they can be cracked using various cracking methods. But most of the time, victims of these attacks make the mistake of using the same password on all of their online sites. If you can trick a user into providing a password for one site, say by downloading a new app, signing up for a new site or clicking a link in an email to check out a cool new video, you have the password for all their sites.

Of the 12 similar cases recently worked on by Kroll, most of the accounts were taken over after the user clicked on a “phishing” email, a message designed to trick you into a download or into providing information. In two cases, however, it appears the username and password were stolen when the user logged on to a free Wi-Fi network set up to look like an airport or hotel Wi-Fi. The rogue Wi-Fi was built with free online tools to “sniff”, or record, all traffic passing through it, including email passwords sent over unencrypted connections.

The point is that the victims were simply deceived. The attackers did not use high-end tech to hack the victims’ computers. They simply stole their keys and went for a joy ride in their online ‘car’. If you use the same password on your accounts, this makes them more susceptible to fraudsters; they can not only send you email but they can enter your social media account and send spam, they can tweet or post as you, they can read all your files and see what is important and they can attack others from your computer.
Once they have access the attackers are looking for anything and everything because information is a commodity to be bought, sold, stolen and/or traded. If it is stored on your system it has value to someone, it is just a matter of finding who.

Now the smarter criminals don’t just hijack your account; they buy software from the online underground economy and install it on your system. This software, such as Blackshades, which sells for as little as $20/£13, will record all your keystrokes, steal credentials and documents stored on the system (including banking and medical records), perform various other activities and then send all the information out to a command and control server the attackers set up. This software will also clean your system to make it run better, block other malware infections from rival criminals and shut down your anti-virus software so you don’t know your system is infected.

The impact on individuals and companies of such attacks is widespread and often extremely damaging to boards, employees, companies’ stock values and to consumer confidence. Now, it’s easy to feel helpless in the face of cyber-attacks, but that is the wrong way of looking at it. Cyber-attacks follow the same principles as physical world attacks. All the locks on the doors are ineffective when someone leaves the front door wide open.

How do we keep ourselves safe in the physical world?

The Con Job – if it sounds too good to be true, IT IS. We need to approach the online world with the same scepticism. We also need to verify who we are talking to. If a woman called you claiming to be your best mate Tom, you wouldn’t fall for it – so why trust an email from Tom saying ‘check out this video’ when he has never sent you a video in the past?

Walking Down a Dark Alley – there are very few places in the world where people feel safe walking down a dark alley. Yet online we click on every website link and say “yes” to every question. Why? Online life is married to our physical life and we need to take the same basic precautions.

Being spiked – When somebody hands you a “mystery” drink, maybe something green and frothy, don’t we first ask “What is it?” Even if they hand you a pint of beer, you still ask what kind it is. But if someone tells you that you have to download this tool in order to watch a video, or go to this website to see this picture, we do it without asking “What is it?” Your anti-virus software and most operating systems warn you when something is happening on your computer, and most people simply ignore it. It is a warning, so either heed the warning or suffer the consequences.

Stolen Keys – Your keys are sacred. They offer access to your house, your car, your office, etc. Losing keys is a big deal, so we protect them. We use different keys for different things so that if one key is stolen the impact is smaller. But not online. Eighty-five per cent of people use the same password on all sites. You don’t need 100 passwords; five passphrases of varying difficulty will work. “Ilovethe 2014summerweather!” is an effective passphrase that fits all the rules, is easy to remember and far harder to crack than a short password. Create a similar style of phrase for work and for social media, never reused between the two, and a stolen password for one account no longer opens the others.

How these attacks work is relatively straightforward. Fraudsters con you, steal your keys, pretend to be you and take something of value. The way to protect yourself from these attacks is equally straightforward: question the con, protect your keys, monitor for others impersonating you and thus protect your valuables. For companies, the process is much more complex, but the principles are the same. If you have questions, cyber security specialists like Kroll can guide you through the proactive steps to mitigate cyber risk and, if an incident occurs, ensure you have a robust crisis response plan in place to deal with it quickly and effectively.


© 2024 Professional Security Magazine. All rights reserved.