Working from home – as millions of us have had to since Boris Johnson’s big announcements mid-March – has made many of the businesses we own or work for less secure than ever before.
Here we look at several real-life examples of cyber attacks and what you can do against them.
Life after lockdown
Cyber criminals haven’t called a truce because of coronavirus (Covid-19). If anything, they are looking to exploit the multitude of unprotected home PCs, whose owners never quite got round to installing the latest anti-virus software or system updates.
The following real-life examples of cyber-crime all took place before the lockdown started. These were the “good old days”, when IT departments were well-placed to try to prevent such incidents. Sloppy security right now could make attacks like this even easier to pull off…
Phishing attack against Office 365 user
Cyber criminals have become adept at infiltrating business email systems for all sorts of nefarious purposes – as many a business has discovered to its horror.
Once in, the criminals can not only send out emails purporting to come from a real person at the business in question; they can sometimes go deeper and may even gain admin access to the whole system.
Damien Gelder, technical consultant at IT and cybersecurity specialists Q2Q IT (www.q2q-it.com), picks up the story of one of their B2B clients: “They were using Microsoft’s Office 365 system, which can be quite robust, but they had a fairly lax approach to security,” he says. “Cybercriminals were able to get into their system – via a phishing attack – and were then able to pose as a member of staff and convince a supplier to pay £50,000 that they owed into a ‘new’ bank account, which was, of course, the scammer’s.”
Not only did the company go through the stress of losing the £50k (though this was eventually recovered), but equally troubling, says Gelder, was the inconvenience and reputational damage they endured. “They had to telephone all of their clients and explain that they should temporarily ignore any emails from the business,” he says.
Gelder and his colleagues were able to get the client back in business by migrating them to a new Office 365 platform and introducing 2-factor authentication whenever anyone signed in to their work email. Other measures included improved email scanning with phishing protection, better management of the 365 admin account, training for staff and the introduction of a new telephone validation system for transactions over a certain size.
- Always be wary of a business contact or colleague suddenly asking you to send money to a new bank account.
- Criminals often buy a similar domain name to that of the business they are mimicking and then send out an email from firstname.lastname@example.org instead of email@example.com, for example.
Website duplicated to harvest client data
It’s every customer’s nightmare – going into a familiar website, entering your login details and then finding out at a later date that the site was actually a replica being managed by cybercriminals… who now have your data.
“This happened with a client we were asked to assist in the financial sector whose website had been copied and replicated,” says Patrick Martin, head of threat intelligence at digital risk protection company Skurio (www.skurio.com).
“First, the attackers registered a domain with a similar spelling, a method known as typo-squatting, which was virtually undetectable from the original,” Martin explains. “Then, using HTML code, the bad actors duplicated the company’s website in real-time.
Visitors to the fake site saw a mirror reflection of the actual site. Customers were fooled into entering the login portal to check their accounts and apply for loans, but unknown to them every keystroke was visible to the hackers.”
Once the account credentials had been gathered, the hacker was free to sell the details or use them for personal gain.
“It was two weeks before the website owners found out,” says Martin, whose team were brought in to fix the issue – a job that encompassed taking down the fake website, and coming up with a list of recommendations for the client to help prevent it happening again.
- Proactively monitor domain registrations similar to your company’s.
- Initiate an active log review of your website and server traffic to reveal any repeated HTTP requests from a fake or malicious site to your genuine site.
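The two tips above (and the lookalike-domain warning in the Office 365 case) can be turned into a simple check. This is an added example, not code from the article or from Skurio: it flags registered names within a small edit distance of your own domain, and scans constructed web-server log lines for clients whose Referer header names such a lookalike, which is what a site being mirrored in real time tends to leave behind. The domain, IPs and log lines are all constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

GENUINE = "example-bank.test"  # constructed stand-in for the client's real domain

# Constructed access-log lines in the common "combined" format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2020:09:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://exarnple-bank.test/login" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:09:01:03 +0000] "GET /app.js HTTP/1.1" 200 9001 "https://exarnple-bank.test/login" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:09:01:04 +0000] "POST /login HTTP/1.1" 302 0 "https://exarnple-bank.test/login" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2020:09:02:10 +0000] "GET /login HTTP/1.1" 200 512 "https://example-bank.test/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2020:09:02:15 +0000] "POST /login HTTP/1.1" 302 0 "https://example-bank.test/login" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d+ \S+ "(?P<ref>[^"]*)"')

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, genuine: str = GENUINE, max_distance: int = 2) -> bool:
    """A registered name is worth investigating when it is close to ours but not ours.
    Distance 2 catches the 'rn' for 'm' swap as well as single-character typos."""
    domain, genuine = domain.lower(), genuine.lower()
    return domain != genuine and edit_distance(domain, genuine) <= max_distance

def suspicious_sources(log_text: str, genuine: str = GENUINE) -> dict:
    """Map each client IP whose Referer names a lookalike domain to (count, that domain).
    A cloning proxy fetches our pages on the victim's behalf, so the same IP keeps
    reappearing with the fake site as Referer: the repeated requests the tip describes."""
    hits = Counter()
    lookalike_for = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["ref"]).hostname or ""
        if host and is_lookalike(host, genuine):
            hits[m["ip"]] += 1
            lookalike_for[m["ip"]] = host
    return {ip: (n, lookalike_for[ip]) for ip, n in hits.items()}
```

Run `suspicious_sources(SAMPLE_LOG)` over your own exported logs (any combined-format file) to see which sources are worth a closer look; a legitimate visitor never arrives with a lookalike domain as Referer.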
Criminals like to suck up the details of business credit cards whenever they can (via fraudulent calls, card-skimmers etc.) because credit limits are often higher than on personal accounts.
- Remember to check your statement regularly, and if you spot an irregularity, immediately contact the card company.
Hackers demand thousands in ransomware attack
Ransomware attacks are depressingly common – usually a hacker will break into your network, lock you out of your systems and data, and demand a sum of money to restore access.
Global aluminium producer Norsk Hydro lost a reported £45m after one such attack last year – the fee to tidy up the mess as opposed to paying the ransom – but Jamie Durham, founder of Leeds-based IT specialists Systemwork, says that SMEs should never think that only large firms are at risk.
He cites a recent case he was involved in, which saw him help a business in the transport sector that had been subjected to an attack. Having gained access after a previous IT provider left a hole in the company’s security, the cybercriminals proceeded to infect the business network with the notorious Ryuk ransomware. “Once they had destroyed the backup infrastructure, they encrypted all the files,” says Durham.
- The police recommend you don’t pay ransom demands.
- If you pay up, you may get listed as a soft target on the dark web.
- The most likely indication of a ransomware attack is authorised users finding themselves locked out in the weeks before an attack.
- Criminals will try to gain access to one account so that they can escalate their permissions and eventually gain administrator access.
Impersonating company emails
Randal Pinto, co-founder of cybersecurity company Red Sift (www.redsift.com), says that email is inherently insecure.
Unless companies take proactive steps to protect company email, skilled cybercriminals can easily send out emails from what appears to be your business account.
“We were called in to help an investment banking client whose audit had flagged up the need to make sure they had a secure email system, as reputation and trust were important to them,” says Pinto. “They had no idea there were any issues, but when we went in we could see that literally millions of emails had been sent by scammers impersonating their business email address.”
While some attacks of this nature are targeted, with the criminals perhaps having acquired stolen data about specific customers, many take the scattergun mass-spam approach. Red Sift’s fix involved ring-fencing all of the bank’s approved systems – email, Salesforce and so on – and then blocking out everything else.
- If your email marketing campaigns suddenly take a dive, it’s a possible sign that they aren’t getting through because someone has been sending huge amounts of spam in your name.
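The approach described above, listing the approved sending systems and rejecting everything else, is what an SPF record does in practice. The following is an added example, not Red Sift's code or the bank's real configuration: a small evaluator for the ip4, include and all mechanisms (a simplified subset of the standard), run over constructed DNS data and constructed messages so it works offline. The domains, IP ranges and message IDs are all assumptions.

```python
import ipaddress

# Constructed DNS TXT data, embedded so the example runs offline (no real lookups).
# SPF is the standard way to publish the approved sending systems for a domain;
# the assumed layout is a mail gateway on the bank's own range plus an outsourced CRM.
DNS_TXT = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:spf.crm-platform.test -all",
    "spf.crm-platform.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against the SPF record published for domain.
    Supports the ip4, include and all mechanisms with their qualifiers, which is
    enough for the approved-systems-plus-reject-the-rest policy described above."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no policy, or include loop
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
        if term.startswith("include:") and check_spf(term[8:], sender_ip, depth + 1) == "pass":
            return RESULT[qualifier]
        if term == "all":
            return RESULT[qualifier]
    return "neutral"  # record exhausted without a matching mechanism


def triage(messages: list) -> dict:
    """Sort inbound messages claiming to be from the bank into 'deliver' (an approved
    system passed SPF) and 'reject' (anything else), mirroring the fix described above."""
    decisions = {}
    for msg_id, mail_from_domain, source_ip in messages:
        decisions[msg_id] = "deliver" if check_spf(mail_from_domain, source_ip) == "pass" else "reject"
    return decisions


# Constructed sample: one message from the gateway, one from the CRM, one from a spammer.
SAMPLE_MESSAGES = [
    ("msg-1", "example-bank.test", "203.0.113.42"),
    ("msg-2", "example-bank.test", "198.51.100.11"),
    ("msg-3", "example-bank.test", "192.0.2.77"),
]
```

Real receivers look up the record in DNS and combine this result with DKIM and the domain's DMARC policy before deciding; the evaluator here only shows the allowlist logic.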
Phishing email compromises bank
Just when you start to think you have a handle on the kind of scams that cybercriminals like to inflict upon businesses, along comes a case that serves to remind you just how innovative they can be.
Brian Hussey, VP of cyber threat detection and response at Trustwave (www.trustwave.com), picks up the story: “It started in Eastern Europe with a group that were targeting banks, but it had spread to the UK by the time we were asked to get involved,” he says. “And it began with a phishing email, as so often happens.”
Having tricked one person in the business into clicking on a malicious link, the hackers were able to gain access to the bank’s network and quietly set about improving their access privileges. Once they had top-level access, they used real people to go into banks and open accounts. As the people applying for these accounts gave no credit history, they were deemed high-risk customers and not given any overdraft facility. But they were given a cash withdrawal card.
“Now all the hackers had to do was go into the system and lower the risk rating of these accounts so that they could get £20,000-£30,000 overdrafts,” says Hussey. A rapid succession of cash withdrawals quickly saw the overdrafts maxed out, and the “customers” were gone – having taken around £5m with them.
Trustwave – experts in helping businesses fight cybercrime – were called in to investigate, find evidence for the police and to improve the system to prevent future attacks.
Often, says Hussey, these are very difficult to spot. “Cybercriminals are increasingly sophisticated and the creativity of the attacks is absolutely endless,” he says. “Your business needs the right systems in place – such as threat monitoring – and you need to remember how phishing attacks can so easily let someone in.”
Safety tips for homeworking
- Use strong passwords.
- Use multi-factor authentication.
- Keep software and operating systems up to date.
- Secure wi-fi networks.
- Change the default passwords on routers.
- Use firewalls and anti-virus software.
- Don’t allow family members to use work devices.
- Use only company-approved file storage.
These tips are explained in greater detail in this free download.
AAT Comment offers news and opinion on the world of business and finance from the Association of Accounting Technicians.