How to defraud a company? Just ask.
- 15 October, 2018 08:58
Spend enough time on a news site or reading the papers and you’ll see them soon enough: shadowy figures in hooded sweatshirts hunched over laptops with Matrix-esque characters cluttering the screen. Some of them even have binary digits where their eyes should be.
They are hackers, or more accurately, stock photo models posing as hackers. Every article dealing with information security seems destined to be accompanied by one of these photos, as pre-ordained as the way everyone seems to start any phone call on a train with the words “I’m on the train”.
In Australia, organisations often fall victims to low-tech, social engineering-based attacks involving the theft of five and six-figure sums rather than the headline-grabbing mega digital heists involving sophisticated zero-day exploits (more on this later). Unfortunately, such attacks are under-reported because the victims are usually too embarrassed to discuss them.
One successful method of defrauding a business of its money is to simply ask for it.
If you haven’t already heard of it, pretexting shares some features with phishing in that it attempts to obtain sensitive information by deception or fraud. However, while phishing emails are a “fire and forget” attack, pretexting requires a level of continuous dialogue to extract information or an outcome from a victim.
For example, an attacker might fraudulently spoof an email address to pose as the CEO of a large company or as a vendor. This scenario – known as ‘The Spiked Punch’ – was experienced by one of our customers and is included in Verizon’s 2018 Data Breach Digest.
In a typical attack of this nature, an attacker might fake an email from a vendor requesting a change to their bank account payment details – often using information researched on social media to abet the impersonation. The aim of the game is pretty clear and alarmingly effective, we’ve found.
The extent of the problem is evident in the findings of Verizon’s 2018 Digital Breach Investigation Report (DBIR) – of the 2,216 confirmed data breaches uncovered, 381 originated from social attacks.
Phishing and pretexting both sat in the top ten of all breach types; the latter taking second place in the rankings. The number of pretexting attacks rose from 61 incidents in the 2017 DBIR to 170 this year.
This is not to say that security professionals should ignore the potential sophisticated attacks altogether – but it’s important they remember that major attacks often have humble beginnings in poor basic security policies or lack of cyber security awareness.
Consider the scenario we refer to as ‘Twended attack – the Bedevilled Egg’, involving a disgruntled former employee of one of our customers who, even though he had lost his network access privileges, still had access to his former employer’s physical office and used it to infect the organisation’s network with malware using a USB stick.
Sure, this kind of event obliges organisations to think about technical issues such as USB access policies – but we’d also argue that steps should be taken to ensure employees are better educated about suspicious activity and feel empowered to respond.
If this was more common practice, then our USB attacker might never have succeeded; someone in the organisation would have known he was no longer employed and raised the alarm when he was walking around the office floor visiting computers.
And it’s not just for ‘The Bedevilled Egg’ scenario. Employees should also be able to question unusual emails sent by senior staff members or others that are in some way unexpected.
Perhaps part of the problem is that it’s easy for information security professionals to suffer from ‘decision paralysis’ in the face of the latest exotic threats to their networks. Consider this wisdom once offered by one of the UK Police’s leading computer forensics experts: ‘there are no new crimes, just new ways of committing them’. If you spend time upfront getting the basics completed very well, then you will be in a better position to consider the exotic threats.
We would be remiss to end the article without giving some context about ‘zero-day’ vulnerabilities.
Although they receive much fanfare, the reality is that zero-day exploits are likely to be hoarded by nation states or sold onto criminals rather than used against a business, for the simple reason that there are easier ways to compromise the average organisation. Having said that, once an exploit becomes known and a patch is created to plug the security hole, the race is on for users of the system to install the patch before it is reverse engineered by attackers looking for an easy way to gain access. Now, while the issue of patch management may be slightly less exciting than the threat of a zero-day exploit, it remains much more relevant.
Chris Tappin and Simon Ezard are consultants with the Verizon Threat Research Advisory Centre (VTRAC).