While humanity suffers under a microbial pandemic, it’s easy to forget there’s a digital plague raging on that requires equal vigilance.  Welcome to part two of this four-part series to help you protect yourself from malicious online threats during the lockdown.

Part 2: Phishing, Ransomware, Extortion and More

Welcome to Part Two of this four-part series on online safety. In the last post I discussed important tips to avoid scammers and verify trust as you go about your business. Today I’m talking “bad actors” and what they do – I’m not talking Sylvester Stallone in bad action movies, but rather hackers, crackers, and just plain bad dudes who act with criminal and malicious intent. I don’t want to be all doom and gloom, but it definitely pays to know thy enemy in this constant battle. Individuals and businesses in this country lose millions of dollars to them every year.

What Hackers Want

It’s probably a good idea to start out discussing what attackers are after, and why. Scammers just want your money, and they’ll use any means of deception to get it. Hackers (less commonly known as crackers or bad actors) may also ultimately be after money, but they’re more likely to break laws, gain unauthorised access to computer systems and data, and potentially cause greater and more lasting harm. While there’s really a whole spectrum, there are three main types of hacker, and they are generally after different things:

    1. Opportunists or “script kiddies” are generally more of a nuisance than anything, but they definitely can cause significant annoyance, financial loss and damage to reputation. They’re looking for notoriety more than money: to get their name out there, get in the news, deface web sites, take over social media accounts. They are generally poorly funded, poorly organised and usually easily avoided with some good security habits (read on!).
    2. Career hackers are in it for the money, but also for the power trip.  They may spend considerable money and effort on their attacks. They steal/hijack/curate contact lists, credentials, credit card numbers, social media profiles, identities and more to sell on the black market, they build and control botnets made up of hundreds of thousands or millions of hijacked PCs (unbeknown to their owners), they might hold your data ransom, mine cryptocurrency on your hardware, exfiltrate data, and much more. They’re often well organised, and more advanced attackers refine, package up and sell their malware, botnets and lists to newcomers (like the opportunists above). They are becoming harder to defend against than opportunists, but the stakes are also much higher. Good habits will get you part of the way, but adopting a security mindset and being aware of the changing landscape are just as important in keeping you and your data safe.
    3. State hackers have almost unlimited budgets and are advanced and very hard to defend against.  The likes of North Korea, China and Russia come to mind, but there are many countries around the world that have some form of cyberwarfare up their sleeve. You probably don’t have too much to be concerned about (nor is there much you could do if one were to target you directly), but tangentially it’s worth being aware that in recent years social media is being used by some states to sow uncertainty and division during elections and yes, COVID-19, to influence opinions and behaviour. If you’re interested in learning more, check out Smarter Every Day’s series on social media manipulation.

Phishing

Phishing is a term used to describe any threat which tries to lure recipients into performing some unsafe action that seems on the face of it to be legitimate. This may include giving up passwords or bank details, sending money, granting or elevating access, or opening a malicious file. They’re usually broad attacks that start with a spam-like email, often telling you that you’ve been locked out or suspended and directing you to a fake login page, or that there’s some (unexpected) invoice attached that you need to pay.

Spear-phishing is just targeted phishing: attackers send a crafted email to a specific user or group of users, often in a specific target company. It may look very legitimate: well-executed attacks use carefully curated knowledge about their targets to build the illusion of authenticity and legitimacy. The email asks the recipient to do something: click a link, open an attachment, reply with credentials or other sensitive information. If they succeed, even with a junior staff member, this gets the “foot in the door” and allows them to ramp up the attack.

Tips:

  • Rule #1: Don’t click any links or perform any business-critical action based on any email or other message unless you are absolutely certain of its authenticity. Verify via a different channel, e.g. a phone call.
  • Never send passwords, keys, credit card numbers or anything else sensitive by email. Ever.
  • Don’t use links from an email to log into accounts. Always open the site from a bookmark or type it manually into your browser.
  • Think critically about every request you receive – what is the worst that could happen if you acted on it and it turned out to be illegitimate?
  • Check out the government’s CERT websites for individuals, businesses and IT specialists for updates on common threats.

A Personal Example

Some time ago (not at Adept Group!!) I received an email from another member of staff. It was a fairly ordinary-looking email, basically saying “Hey, here’s the document you need”, with a link to a Sharepoint document. The page asked for the staff member’s Active Directory account to access the document.  It all looked legit: the email definitely came from his account (and it passed anti-spam filters), it was from a known co-worker with his usual signature, and staff often linked to large files in Sharepoint instead of attaching them to an email.

The problem was that the staff member didn’t send the email, and the Sharepoint site was actually an attacker’s website, designed to look identical to the real thing.  The co-worker’s account had been hacked, and by trying to “log in” the credentials were sent straight to the hacker! Worse still, everyone in that co-worker’s address book received the same email.

Within minutes around two-thirds of staff members had clicked the link and many entered their company login to the site. It was only the rapid work of an attentive administrator who immediately reset everyone’s passwords that almost certainly saved the company from major losses.

Whaling

Whaling takes the phishing analogy further: it’s spear phishing, but going specifically for the “big phish”: targeting key personnel such as executives, PAs, IT admins, accounts staff and so on. Untold millions of dollars are lost every year to phishing and whaling attacks, with some companies losing tens of millions of dollars in a single attack.

Think like an attacker: Whaling can be simple and devastating if the attacker knows their target well.

You could send accounts payable a fake invoice for a large sum of money, and make it look like it comes from the CEO. Add a note, perhaps with a sense of urgency, to “please pay this invoice that I forgot to send through”.

Or perhaps send the IT admin an email saying you lost your VPN password, can he please text it to your phone? It’s insidiously simple, and takes advantage of the (often misplaced) trust we have in digital communication. How do you protect against this?

Tips:

  • If you’re an executive, assistant, accounts or IT staff, be extra vigilant. Sooner or later the crosshairs will be on you.
  • Ensure that key processes in your business (such as initiating transfers of large sums of money) require review and approval by two or more people.
  • Hover over links before clicking: is the address that appears what you expect?
  • Carefully check the entire server address of a link, everything between the “https://” and the next slash. For example, you shouldn’t trust your Apple credentials to https://www.apple.com.openid-enhanced-login-security.com/login – it might look legitimate, but the site you would actually be sending them to is openid-enhanced-login-security.com, not apple.com.
  • If something doesn’t quite feel right, STOP. Get a second opinion.
  • Never trust, always verify!
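The two link-checking tips above (hover first, then read the whole server name up to the next slash) can be turned into a small check. The script below is an added example, not code from the original post; it uses Python’s standard `urllib.parse` and a deliberately simplified “registrable domain” rule (last two labels, plus a short constructed list of two-level suffixes such as co.nz) rather than the full Public Suffix List. It also goes slightly beyond the post by rejecting two other tricks that make a link look right: a `user@` part before the real host, and non-ASCII or punycode (`xn--`) host names that can mimic a familiar brand.

```python
"""Decide whether a link really points at the site it appears to.

Added example (not from the original post). Applies the advice to
inspect everything between "https://" and the next slash, and to compare
the owning domain with the site you expect.
"""
from urllib.parse import urlsplit

# Constructed, deliberately short list of two-level public suffixes. The real
# world uses the Public Suffix List; this is enough to show the idea.
TWO_LEVEL_SUFFIXES = {"co.nz", "co.uk", "com.au", "org.nz", "govt.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that someone actually registered.

    www.apple.com -> apple.com ; login.example.co.nz -> example.co.nz
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def describe_link(url: str) -> dict:
    """What you should be reading when you hover over a link."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # drops any user@ prefix and :port
    return {
        "scheme": parts.scheme,
        "host": host,
        "owner": registrable_domain(host) if host else "",
        # Non-ASCII or punycode labels can be look-alikes of a familiar name.
        "lookalike_risk": (not host.isascii())
        or any(label.startswith("xn--") for label in host.split(".")),
    }


def link_matches_site(url: str, expected_domain: str) -> bool:
    """True only if the link is https, has a plain ASCII host, and that
    host is owned by the same registrable domain as expected_domain."""
    info = describe_link(url)
    if info["scheme"] != "https" or not info["host"] or info["lookalike_risk"]:
        return False
    return info["owner"] == registrable_domain(expected_domain)


if __name__ == "__main__":
    # Constructed samples: the one from the post plus a few common variations.
    samples = [
        "https://www.apple.com/account",
        "https://www.apple.com.openid-enhanced-login-security.com/login",
        "https://apple.com@evil.example/login",
        "http://www.apple.com/",
    ]
    for url in samples:
        info = describe_link(url)
        verdict = "OK" if link_matches_site(url, "apple.com") else "DO NOT TRUST"
        print(f"{verdict:13} owner={info['owner']:45} {url}")
```

The key line is the `owner` field: the post’s example resolves to `openid-enhanced-login-security.com`, which is what a browser would actually connect to, however much `apple.com` appears in the text before it.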

Ransomware

The bad guys are not just out to steal passwords and credit card numbers. In recent years ransomware has become a real issue. A successful attack installs software on your machine, encrypting the contents of important files with the attackers threatening to delete the files if you don’t pay up.

In an office environment with poor backups, it would take just one staff member to click a link in an email, and business could come to a grinding halt.  Antivirus software can help, but it’s not failsafe.

Tips:

  • Keep all computer systems updated with the latest patches and updates
  • Backup, backup, backup – both locally and online if possible. Ensure the backup system allows you to do “file history” or “point-in-time” restore – there’s no benefit in overwriting good files with corrupted or ransomware-locked versions. Services such as OneDrive, iCloud or Google Drive are a good starting point for small businesses, but dedicated online backup services can offer far more flexibility and will reduce the time it takes to get back to a known good state. Ensure backups extend to accounting software, databases, documentation and email.
  • Test your restore functionality and review what’s being backed up from time to time. A backup is no good if it can’t be restored, or if you’re missing critical files. Time how long it would take you to rebuild everything from scratch and add details to your business continuity plan.
  • Compartmentalise and restrict access to business files on a need-to-know basis. If ransomware infects someone in sales, it shouldn’t be able to lock all files in the accounts department, for example.
  • If you do get hit, don’t just pay up: get a qualified security consultant in as soon as possible, it may be possible to decrypt the files without paying the hacker. The consultant won’t be cheap, but they’ll be cheaper than dealing with the fallout of an attack gone wrong, and paying up is no guarantee of getting your files back.

Extortion

There’s been a proliferation of various forms of extortion in recent years. The most common one at the moment is an email message that essentially reads: “I know your password is xxx, I’ve hacked your computer and recorded you on your webcam when you were watching porn. Pay up or I’ll send the video to all your contacts!”

The key thing to note is that they actually send you an email with your password in it! The password could be from one of hundreds of known data breaches. It’s included to instil fear and add legitimacy to their claim, but rest assured: they don’t have creepy footage of you, and they won’t send it to all your contacts.

It’s plain, unfounded extortion, and you should definitely ignore it.

You should not, however, ignore the fact that your password is well and truly in the hands of bad guys, and especially so if that password is still in use. In case you haven’t worked it out, this is bad. Consider all accounts that use or have previously used that password to be compromised – change passwords immediately, check your login history, enable 2-factor authentication. If you’ve used the same password on multiple sites, this should illustrate why it’s important to have a different password for every account: someone will be trying that password on email providers, social sites, banks, and more. More on this in Part 4 of the series!

But Wait, There’s More!

I know there’s a lot to take in.  Security is a complex and evolving topic.  I’m going to finish with some general advice to consider as you go about your business security checkup:

  • Check your email address and/or domain against the HaveIBeenPwned.com website, and change passwords for any accounts in any known leaks.
  • Make sure that every page of your company website uses https, and that non-https requests redirect to the secure page. Being a secure site now doesn’t have to cost a thing.
  • Likewise, every page you browse should really now be https (and show a padlock) – but remember that a padlock just means “encrypted” (which is a very good thing), it doesn’t mean “trustworthy”.
  • Set up (and require, where possible) 2-factor authentication such as SMS, Yubikey or Authenticator tokens across all business and personal accounts. Use it for remote access, email, social, banking, and anywhere else it’s an option.
  • Get your security reviewed by a reputable security firm who can identify gaps in your defences.
  • Check that your business, public liability and indemnity insurance policies cover network intrusion and data theft, and that they provide adequate cover to indemnify you against claims. Consider the recent theft of customer data from Kiwisaver provider Generate, and the costs involved in trying to make it right.
  • Finally, if you suffer from a fraudulent attack or data leak, report it immediately to the Police and your insurance company.  If the attack has any potential for loss of private/personal information of staff or customers (including email lists & CRM data, communication history, background checks), get immediate legal advice on your public disclosure obligations. These laws are changing in 2020, and there will be heavy penalties for companies who do not comply.

I hope that I’ve been able to shine a light on some things you can do to make your business more resilient. In the next post in the series I’ll discuss mobile device security and social engineering, and the final post I’m going to dedicate to good password management – probably the best thing you can do to up your game. Till next time, stay safe!

Paul Hutchison