These are not theoretical possibilities, but real-life attacks which can cost an enterprise tens of thousands of pounds – or more
[Cue Mission Impossible theme]
“So here’s the plan. We put on these rubber masks which make us look like the system operators to fool the CCTV, we use these jelly casts of the fingerprints to get us into the security system, then we steal the encrypted password file onto these USB sticks, which we then crack on the Russian supercomputer in Omsk that we’ve hacked for our own use. And then we’re home and dry. Just like they do in the movies.”
“Too complicated, boss.”
“Got anything better, then?”
[Fade to black]
In fact, most cybercrime is far better organised and far simpler than the fantastically complex, Hollywood-inspired plots most people imagine.
Here’s what John Douglas, Technical Director of First Response has to say about the majority of the cases handled by him and his cybersecurity team: “The attacks we see in the UK on a daily basis are not sophisticated technical hacks – attackers simply leverage leaked usernames and passwords and log in to poorly protected corporate environments.”
First, discover a target organisation. This should ideally be one which makes large payments on a regular basis, paying suppliers or subcontractors, etc. Given the current pandemic, this will probably be an organisation where most workers will be working from home, in semi-isolation, communicating by email, and where non-official devices are being used to make the connections. Statistically, the odds are that this organisation will be based around Microsoft’s Office 365, where information is easily shared within the organisation.
The next step is to send a phishing email message to a C-level (CEO, CFO or CTO) executive. Their email addresses may well be available through the corporate Web site, or may be guessable: Firstname.Lastname@, Initial.Lastname@, InitialLastname@, Jobtitle@, etc. The mail will appear to come from another high-level source within the company and may read something like:
Sender: Sir Andrew Aguecheek ceo@BigCompany.co.uk
Subject: Important report on Q1 profit estimates
Toby, I believe you should look at this report from the auditors and tell me what you think about what they’re saying.
Click on this link to view the document.
Toby obediently clicks and is presented with the Microsoft O365 login screen (except, of course, that it isn’t the real thing, but a lookalike on the intruders’ site). He obediently fills in his Office 365 identifier and his password, which is rejected. But the fake site has stored Toby’s username and password away and alerted the attackers that it is there.
“Fat fingers,” he says to himself, and clicks the link on the ‘error’ page to retry. This time he is taken to the real Office 365 login site, and he logs in with his username and password. Of course, the document that Andy refers to isn’t there. Oh well, Andy mistyped, and it probably wasn’t that important anyway.
But by this time the bad guys have got his login credentials. Now they can read the contents of Toby’s Sent Items folder, copy the style of the emails which have been going out, and send emails, supposedly from Toby, to the accounts payable department.
From: Toby Belch <cfo@BigCompany.co.uk>
Rubble & Flintstone need paying for the structural work they’ve been doing on the Cavemouth project. Can you transfer £157,000 to their MidWest account 12345678 with sort code 12-34-56?
And because it comes from Toby, and because everyone in Big Company knows about the Cavemouth project, even if Rubble & Flintstone isn’t a familiar name to them, the money goes over to the UK MidWest account, where it stays for a matter of minutes before going overseas to a non-extraditable destination.
Rinse and repeat.
How to stop this becoming a reality in your organisation
You think this is perhaps a little far-fetched? No-one would ever fall for this? Sadly, you’d be wrong. This anonymous report from a BBC story describes how home-working is proving to be a gift to cybercriminals: “We see everything,” [the source] says. “Staff get emails sent to them pretending to be from the service desk, asking them to reset their log-in passwords. We see workers being tricked into downloading viruses from hackers demanding ransoms, and we have even had employees sent WhatsApp messages pretending to be from the CEO, asking for money transfers. And having staff working from home during the lockdowns has just made it worse, as it is much harder to keep an eye on everyone.”
There are three steps that enterprises can take to defeat the kind of attack mentioned above:
- Education: train staff, including senior management, to think before they click. Usually, hovering over a link will produce a popup showing the true destination of the link. From First Response’s Douglas, “We see a lot of attacks against cloud-based infrastructure, especially Office 365 – these attacks often contain an element of social engineering. Users need training to understand what these phishing emails look like and how to differentiate the good from the bad.”
- MFA or TFA (Multi-Factor Authentication, or Two-Factor Authentication): for Office 365, this involves the installation of the Microsoft authentication app on users’ smartphones. More importantly, MFA must be implemented as part of the enterprise’s Office 365 deployment.
In practical terms related to the example above, this means that Toby will be alerted by a message appearing on his smartphone when the bad guys try to log into his account from a device and location that has not previously attempted to access the account. He can then reject the illegitimate login attempt in the authentication app and, if necessary, change his password.
- Set up border controls: any remote access to computers, either servers or desktops, inside the enterprise’s perimeter should be made only through a VPN (Virtual Private Network). If remote access is made through the standard HTTP port (80), the corporation is wide open to attacks from outside, which can be even more serious in terms of damage caused than the theft described above.
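The “hover over the link” check in the Education step, and the “does this really come from the CEO?” question behind the fake Aguecheek email, can both be automated for a mail-gateway or helpdesk triage script. The following is an added example written for this article, not First Response’s tooling: it parses a raw message, compares the Reply-To domain with the From domain, and for every link in the HTML body compares where the visible text says it goes with where the href actually goes, against a small allow-list of hosts a genuine Office 365 sign-in or internal document link would use. The two messages, the bigcompany.co.uk tenant hosts and the .example lookalike host are all constructed for the demonstration.

```python
"""Phishing triage checks for one raw email message.

Example added to this article (not First Response's product or Microsoft's
own filtering): flags Reply-To/From domain mismatches and links whose real
destination differs from what the user sees or lies outside trusted hosts.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts under which a genuine sign-in or internal document link is expected.
# bigcompany.co.uk is the article's fictional company; the SharePoint host is
# an assumed value for that tenant.
TRUSTED_DOMAINS = ("bigcompany.co.uk", "bigcompany.sharepoint.com",
                   "login.microsoftonline.com")

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL, or of a bare 'domain/path' string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host):
    """True only for a trusted domain itself or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse(raw_message):
    """Return a list of findings for one RFC 5322 message (empty = nothing flagged)."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Replies routed somewhere other than the apparent sender's domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_addr.rsplit("@", 1)[-1].lower():
        findings.append(f"Reply-To {reply_to} does not match From {from_addr}")

    # 2. Every link in every HTML part: where does it really go?
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        extractor = LinkExtractor()
        extractor.feed(html)
        for href, text in extractor.links:
            target = host_of(href)
            if not is_trusted(target):
                findings.append(f"link points to untrusted host {target}")
            # The manual "hover over the link" check, automated.
            if URL_LIKE.match(text) and host_of(text) != target:
                findings.append(f"link text shows {host_of(text)} but points to {target}")
    return findings


# Constructed sample in the shape of the article's scenario: internal-looking
# sender, but replies and the link go elsewhere (.example hosts are fictional).
PHISH = """\
From: Sir Andrew Aguecheek <ceo@bigcompany.co.uk>
Reply-To: ceo@bigcompany-mail.example
To: Toby Belch <cfo@bigcompany.co.uk>
Subject: Important report on Q1 profit estimates
Content-Type: text/html; charset=utf-8

<p>Toby, I believe you should look at this report from the auditors.</p>
<p><a href="https://login.microsoft0nline.example/common/">https://login.microsoftonline.com/</a>
to view the document.</p>
"""

# Constructed benign counterpart: same sender, link genuinely on the tenant.
GENUINE = """\
From: Sir Andrew Aguecheek <ceo@bigcompany.co.uk>
To: Toby Belch <cfo@bigcompany.co.uk>
Subject: Q1 auditors report
Content-Type: text/html; charset=utf-8

<p>Toby, the report is in <a href="https://bigcompany.sharepoint.com/sites/finance/Q1.docx">the finance site</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, analyse(sample) or ["no findings"])
```

On the constructed phishing message the script raises three findings (the Reply-To mismatch, the untrusted destination host, and the visible-versus-real URL mismatch) and none on the genuine one. The allow-list deliberately matches whole domains and their subdomains only, so a host such as bigcompany.co.uk.something.example is not trusted just because the trusted name appears inside it.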
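The MFA paragraph above describes the condition that should put a prompt on Toby’s phone: a sign-in attempt from a device and location the account has not used before. The example below is added for this article and is neither Microsoft’s sign-in evaluation nor First Response’s monitoring; it shows the baselining logic a defender would apply to sign-in records, and why only attempts that actually passed MFA should teach the baseline a new device/location pair. The sign-in records, account names and device identifiers are constructed.

```python
"""Flag sign-ins from a device/country pair an account has not used before.

Example added to this article, not Microsoft's or First Response's logic.
Records are constructed: (user, device id, country, mfa_passed) in arrival order.
"""
from collections import defaultdict

SIGNINS = [
    ("cfo@bigcompany.co.uk", "TOBY-LAPTOP", "GB", True),
    ("cfo@bigcompany.co.uk", "TOBY-LAPTOP", "GB", True),
    ("cfo@bigcompany.co.uk", "TOBY-PHONE", "GB", True),
    ("cfo@bigcompany.co.uk", "unknown-0a1b", "XX", False),  # rejected in the app
    ("cfo@bigcompany.co.uk", "unknown-0a1b", "XX", False),  # rejected again
    ("ceo@bigcompany.co.uk", "ANDY-LAPTOP", "GB", True),
]


def first_seen_alerts(signins):
    """Return (index, user, device, country, mfa_passed) for every attempt from a
    device/country pair not previously established for that user."""
    known = defaultdict(set)   # user -> set of (device, country) that passed MFA
    alerts = []
    for i, (user, device, country, mfa_passed) in enumerate(signins):
        pair = (device, country)
        if pair not in known[user]:
            alerts.append((i, user, device, country, mfa_passed))
        # Only a completed sign-in establishes a trusted pair; a rejected
        # attempt must not become "known" simply by being repeated.
        if mfa_passed:
            known[user].add(pair)
    return alerts


def accounts_to_review(signins, threshold=2):
    """Users with at least `threshold` rejected attempts from unknown pairs:
    the case in which the article says the password should also be changed."""
    rejected = defaultdict(int)
    for _, user, _, _, mfa_passed in first_seen_alerts(signins):
        if not mfa_passed:
            rejected[user] += 1
    return sorted(u for u, n in rejected.items() if n >= threshold)


if __name__ == "__main__":
    for alert in first_seen_alerts(SIGNINS):
        print("new device/location:", alert)
    print("review:", accounts_to_review(SIGNINS))
```

The second rejected attempt from the unknown device is still reported because a failed attempt never enters the baseline; Toby’s two genuine devices are each reported once, on first use, and then go quiet.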
Do you need help?
Douglas comments, “Companies can protect themselves from 95% of the currently popular low-level attacks by simply employing Multi-Factor Authentication and by using a VPN for employees accessing the company network remotely.” If you are unsure how to implement these measures, or if you require help with setting up a more secure environment, including the development and implementation of safe working practices, then contact us at First Response, and we’ll help you get everything squared away.
If you are unlucky enough to have suffered an attack, we can help with mitigation and preventative countermeasures, including 24/7 monitoring of endpoint devices, helping to stop any future attacks before they can cause major harm.