Every day high-functioning and intelligent individuals are duped by crafty criminals. While there are still hold-ups and theft within organizations, much of the criminal activity that targets Small and Medium Businesses (SMBs) is cybercrime. This term used to be uttered only in the halls of security firms and large enterprises. Today, it’s in the mainstream news. There are dozens of news stories every week pertaining to large- and small-scale cybercrime. The criminals don’t look or sound menacing anymore. They can look like the cable guy or sound like an employee of a trusted service provider. As a consulting firm with a substantive practice in Information Security (InfoSec), we see and hear it all. Rather than perpetrating property crimes, they hold our business’s lifeblood – our data – for ransom. They try to trick us into giving them some minimal information and then use that to gain more and more access into our businesses. Sometimes they even physically show up in disguise to try to gain access and information. Cybercrime isn’t what it is portrayed to be on TV. There are very few scary-looking guys sitting in darkened basements with dozens of computer monitors, quickly typing cryptic commands into a computer. That’s not reality. Today’s cybercriminals – or hackers, if you will – are smart. They’re patient. They use human emotion and natural curiosity to get what they want. Few hacks or exploits are carried out in seconds or minutes. There isn’t some magical USB drive that they have to sneak in and download “the database” onto (at a transfer speed that leaves most technologists astounded).
Most hacks today are carried out slowly over days or months. They are largely not disruptive, nor do they make alarm bells sound in data centers. Their target is information. Some take a shotgun approach and pick off opportunistic targets. These hacks use social techniques to convince victims to click on something in an email or visit a legitimate-looking website. They typically execute some malicious code on the victim’s computer and then carry out their nefarious intentions. An example of this is the now infamous CryptoLocker and its dozens of variants. This exploit gains a user’s trust by sending an infected email – or a link to an infected webpage by email – to its victims. Oftentimes these emails appear to come from trusted sources. Once a user opens the email or visits the webpage, a small piece of software is executed on their computer. Nothing immediately breaks. Nothing immediately happens. The software quietly scours the local machine and all connected network shares for information. It then begins encrypting all of this data. Everything, both locally and on shared network drives, is encrypted over a period of hours to days. Once this is completed, the initially compromised machine displays a message demanding that a ransom be paid. Cash or credit cards would be too easy (and traceable). This malware uses cryptocurrency – like Bitcoin – to extract its ransom. If you fail to pay the ransom, your data is unusable and effectively lost forever.
Others use highly targeted attacks to exploit an organization. Oftentimes in the SMB market the target isn’t the SMB; it is one of their customers. It is easier for cybercriminals to target and prey upon smaller organizations with fewer staff than it is to go up against a large enterprise business.
Starting in mid-2013, a group of savvy cybercriminals began exploiting information from publicly traded companies — two-thirds of them in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services to these companies.
The attackers, named “Fin4” because they are one of several groups that hack for financial gain, appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ. The Fin4 attackers maintained a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization’s computer servers and infrastructure.
They simply read a person’s emails and set rules for the infiltrated inboxes to automatically delete any email that contains words such as “hacked,” “phished” or “malware,” to increase the time before their victims learn their accounts have been compromised.
Given the types of people they are targeting, they don’t need to go deeper into the environment; the senior roles they target have enough juicy information in their inboxes. The group was able to collect information protected by attorney-client privilege, safety reports, and internal documents about investigations and audits, so much so that they were able to influence global financial markets by way of sensitive insider information. Because the attackers do not deploy malware and communicate in native English, they can be tricky to track.
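One defensive check the Fin4 pattern above suggests is auditing every mailbox’s inbox rules for any rule that deletes or hides mail mentioning a compromise. This is an added example, not code from the article: the rule format and action names are a constructed simplification rather than any real mail server’s schema, and the keywords beyond the three the text names (“hacked,” “phished,” “malware”) are my assumption.

```python
import re
from typing import Iterable

# Terms the text says Fin4 filtered on, plus two extra ones (my assumption).
SECURITY_TERMS = ("hacked", "phished", "phishing", "malware", "compromised")
TERM_RE = re.compile(r"\b(" + "|".join(map(re.escape, SECURITY_TERMS)) + r")\b", re.I)

# Actions that hide a message from the mailbox owner. Constructed names, not a
# real API: adapt to whatever your mail platform reports for rule actions.
HIDING_ACTIONS = ("delete", "permanent_delete", "move_to_folder:Deleted Items",
                  "move_to_folder:Junk Email")


def rule_hides_message(rule: dict) -> bool:
    """True if any of the rule's actions would keep the message out of sight."""
    return any(action in HIDING_ACTIONS for action in rule.get("actions", ()))


def rule_security_terms(rule: dict) -> list:
    """Security terms found in the rule's subject/body match conditions."""
    cond = rule.get("conditions", {})
    phrases = cond.get("subject_contains", []) + cond.get("body_contains", [])
    return sorted({m.group(1).lower() for p in phrases for m in TERM_RE.finditer(p)})


def audit_inbox_rules(rules: Iterable[dict]) -> list:
    """Return (rule name, matched terms) for rules that hide security-related mail."""
    findings = []
    for rule in rules:
        terms = rule_security_terms(rule)
        if terms and rule_hides_message(rule):
            findings.append((rule["name"], terms))
    return findings


# Constructed sample rules: two benign, two of the kind described in the text.
SAMPLE_RULES = [
    {"name": "File newsletters", "conditions": {"from_contains": ["news@example.com"]},
     "actions": ["move_to_folder:Newsletters"]},
    {"name": "Cleanup", "conditions": {"subject_contains": ["hacked", "phished"],
                                       "body_contains": ["malware"]},
     "actions": ["delete", "mark_as_read"]},
    {"name": "Flag security bulletins", "conditions": {"subject_contains": ["malware alert"]},
     "actions": ["move_to_folder:Security"]},   # visible folder: not flagged
    {"name": "Junk fake phishing tests", "conditions": {"subject_contains": ["phishing"]},
     "actions": ["move_to_folder:Junk Email"]},
]

if __name__ == "__main__":
    for name, terms in audit_inbox_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS: rule {name!r} hides mail mentioning {terms}")
```

A rule that only moves matching mail to a normal, visible folder is left alone; the signal is the combination of a security keyword with a delete or junk action.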
The commonality in these attacks is that the cybercriminals use people – not technology – to gain entry into an organization. This process, known as social engineering, is as old as the concept of hackers or cybercriminals. Deploying a robust technology-driven cyberdefense system is critical – and expected – to protect your business’s lifeblood. Training and testing your people on their ability to detect social engineering is becoming just as critical. Knowing what to do when – not if – your organization is targeted by cybercriminals can mean the difference between experiencing a hugely disruptive (and possibly damaging) security breach and sidestepping a potentially catastrophic event completely.