There is a disturbing trend in computer security: attacks on small and mid-sized businesses are getting more personal. Criminals are using the large amount of data now available about companies and the people who run them to aim fraud at specific business owners.
Pinpointing Business Owners
Telnexus now has clients who have had financial fraud attempted against them in just this way, via email. These weren’t technological attacks; they were criminal deception that plays on human fallibility, better known as Social Engineering. Everyone involved in a business needs to be savvy about Social Engineering attacks, especially those of you who handle financial transactions.
In both of the cases we examined, the fraudster already knew the names and email addresses of the owner and the treasurer of the mid-sized business being targeted. They faked an email into our customer’s office requesting a wire transfer of over $10,000. In one case the destination was a bank in Hong Kong; in the other, a bank in the United States.
The fake email was convincing enough that the employee believed the request was real and came from their boss. Fortunately, in both cases the fraud was stopped because the employee checked with the owner before issuing the wire.
To help you avoid being tricked, here is the Telnexus advice for when you get an email with a financial request:
NEVER ACT ON AN EMAIL REQUESTING A FINANCIAL TRANSACTION WITHOUT VERIFICATION. Verify through a channel the email did not give you: walk over to the person, or call a number you already have on file, never one printed in the message itself.
Email is not secure. Nothing in the basic email protocol proves who wrote a message; the sender’s name and address are just text fields that the sending program fills in. Encryption between mail servers is optional and often absent, so a message can also be read in transit by anyone sitting on its path, whether a government, law enforcement or a hacker with ISP access.
The email technology in use on the Internet today dates from the early 1980s, when nobody worried about spoofing, spear phishing, malware or social engineering. The “spoofing” used in these financial social engineering attacks can be done by anybody: change the name and address in the account settings of a program like Apple Mail, and every message goes out claiming to be from whoever you typed.
Social engineering is really just a polite term for lying bast**ds. Technology only partly helps. If your domain publishes SPF, DKIM and DMARC records, a receiving mail server can reject mail that claims your domain but did not come from your servers; that does nothing, though, against a lookalike domain (yourcompany.co instead of yourcompany.com), a forged display name on a free webmail address, or a real mailbox whose password has been stolen. So, please keep an eye out for those lying bast**ds and think twice when you get an email from the boss asking you to send a wire transfer.
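Here is what a mail gateway or a treasurer’s inbox rule could check before anyone acts on a wire request. This is an added example for this post, not Telnexus code: the company domain, the executive directory and the three sample messages are constructed, and it assumes your gateway stamps an Authentication-Results header carrying the DMARC verdict. It looks for the four tells described above: an executive’s name on the wrong address, a lookalike domain, a Reply-To that quietly redirects the conversation, and a message that claims your own domain without passing DMARC.

```python
"""Flag an inbound message that asks for money when its headers do not back up who it claims to be from.

Added example for this post, not Telnexus code. COMPANY_DOMAIN, the EXECUTIVES directory and the
three sample messages are constructed for the demo; point them at your own domain and staff list.
Assumes your mail gateway stamps an Authentication-Results header with the DMARC verdict.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-biz.com"                          # constructed
EXECUTIVES = {"Pat Owner": "pat@example-biz.com",           # constructed directory of people
              "Chris Treasurer": "chris@example-biz.com"}   # whose names fraudsters borrow
MONEY_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|confidential)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (example-b1z.com vs example-biz.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. A known executive's display name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name].lower():
        findings.append(f"display name '{name}' belongs to {EXECUTIVES[name]} but address is {addr}")

    # 2. A domain that is one or two typos away from ours.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")

    # 3. Replies silently routed elsewhere (the fraudster wants the conversation, not the boss).
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Claims our own domain, but the gateway's DMARC check did not pass.
    auth = msg.get("Authentication-Results", "")
    if domain == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims our domain but DMARC did not pass")

    # Escalate when the message is also asking for money.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if findings and MONEY_WORDS.search(text):
        findings.insert(0, "FINANCIAL REQUEST: verify by phone or in person before acting")
    return findings


# Constructed sample messages.
SPOOF = b"""From: Pat Owner <pat@example-biz.com>
Reply-To: pat.owner@webmail-free.example
To: chris@example-biz.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-biz.com; spf=fail smtp.mailfrom=evil.example; dmarc=fail header.from=example-biz.com
Content-Type: text/plain

Chris, please wire $12,400 to the account below today. I'm in meetings all day, so email only.
"""

LOOKALIKE = b"""From: Pat Owner <pat@example-b1z.com>
To: chris@example-biz.com
Subject: Invoice payment
Authentication-Results: mx.example-biz.com; spf=pass smtp.mailfrom=example-b1z.com; dmarc=pass header.from=example-b1z.com
Content-Type: text/plain

Please pay the attached invoice before noon.
"""

LEGIT = b"""From: Pat Owner <pat@example-biz.com>
To: chris@example-biz.com
Subject: Lunch Friday
Authentication-Results: mx.example-biz.com; spf=pass smtp.mailfrom=example-biz.com; dmarc=pass header.from=example-biz.com
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, check_message(sample) or "ok")
```

Note what the lookalike sample shows: SPF and DMARC both pass, because the fraudster legitimately owns example-b1z.com. Authentication records protect your domain from being forged; they say nothing about a domain that merely resembles it, which is why the name and domain checks sit alongside the DMARC check rather than replacing it.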
Most of us are familiar with the crude “phishing” emails that barely look like Bank of America or some other trusted site. If you haven’t seen any lately, check your Spam folder. It’s probably loaded with crude phishing attacks, which are sent out by the billions.
Spear phishing, on the other hand, is a targeted attack, not unlike the fake wire fraud email. This is where the big data comes in: attackers collate information from company websites, social networks, press releases and earlier data breaches to craft their messages. Spear phishing arrives as email and documents that purport to come from someone you know, especially your boss.
Spear phishing is also a technological attack: clicking on the lure runs code that infects your desktop computer with malware, typically a keylogger. The attacker then sits back and waits for you to log onto a bank account, or for a system administrator to type a root password into a server. That’s when the real trouble starts. Financial fraud is the usual end goal of a successful spear phishing attack.
Spear phishing that infiltrates corporations is a real problem, and we know about several famous incidents. The New York Times reported in 2013 on media and financial companies infiltrated by Chinese hackers, chiefly by way of spear phishing, and the Sony Pictures breach of 2014 is widely reported to have started the same way. Who can forget the 2015 Ashley Madison data dump? And, just this month, the biggest document dump ever was uncovered: the Panama Papers. Exactly how the intruders got into those last two has not been publicly confirmed, but the pattern after entry is the same. Once the attackers hold administrator or root passwords, they cut through weak internal security like a knife, exposing the most intimate corporate secrets for the world to see.
The third big threat to be concerned about is ransomware: malicious software that encrypts your files with a key only the attacker holds and demands a bitcoin ransom for it. It encrypts everything the infected user can write to, including mapped network drives on your servers.
There is plenty of real-world evidence that ransomware is real. Take the February 2016 case of a hacker holding the Hollywood Presbyterian Medical Center hostage; they paid the $17,000 ransom. At Telnexus we’ve had two customers who have been bitten by the most common ransomware culprit, CryptoLocker (the name is now used loosely for a whole family of copycats). Fortunately, we saved both of them from paying a ransom or losing data by using our antivirus and backup measures.
How does ransomware get into a network in the first place? Usually spear phishing, again. In this case the attacker isn’t interested in a long infiltration; the aim is simply to drop a bomb with a well-crafted email designed to fool just the person it was sent to.
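What a ransomware run looks like on a file share, and how it differs from an ordinary afternoon of editing, is worth seeing in code. This is an added example for this post, not Telnexus tooling or any product’s detection logic. It compares two snapshots of a share for the three signatures of an attack: files that were readable and are now indistinguishable from random bytes, a new extension tacked onto the old name, and a freshly dropped ransom note. The snapshots are constructed in memory, and the "encryption" is a SHA-256 keystream XOR that stands in for the real thing; an already-compressed archive is included so you can see that high entropy alone is not the signal, the change from low to high is.

```python
"""Tell a ransomware run apart from ordinary edits by what it does to files: low-entropy documents
rewritten as high-entropy blobs, a new extension on the old name, and a dropped ransom note.

Added example for this post, not Telnexus tooling. BEFORE/AFTER snapshots are constructed in memory;
a real deployment would compare periodic snapshots of a file share.
"""
import hashlib
import math
import os
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits per byte; documents sit around 4-5, ciphertext and archives near 8
NOTE_NAME = re.compile(r"(decrypt|ransom|restore|readme)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for empty input, 8 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode). Demo stand-in only, so the
    'encrypted' files look like ciphertext without depending on os.urandom."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def fake_encrypt(data: bytes, seed: bytes) -> bytes:
    """XOR with the keystream: stands in for what ransomware does to a file."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def assess(before: dict, after: dict) -> dict:
    """Compare two {path: bytes} snapshots and report ransomware-like changes."""
    encrypted, notes = [], []
    for path, data in after.items():
        if before.get(path) == data:
            continue                                  # untouched file
        if path in before:
            original = before[path]                   # edited in place
        else:
            stem, _ext = os.path.splitext(path)
            original = before.get(stem)               # renamed? report.docx -> report.docx.locked
        if original is None:
            # Brand-new readable file with a ransom-note style name.
            if NOTE_NAME.search(os.path.basename(path)) and shannon_entropy(data) < ENTROPY_THRESHOLD:
                notes.append(path)
            continue
        # Readable before, ciphertext-like now: the change is the signal, not the level.
        if shannon_entropy(original) < ENTROPY_THRESHOLD <= shannon_entropy(data):
            encrypted.append(path)
    verdict = len(encrypted) >= 2 or (len(encrypted) >= 1 and bool(notes))
    return {"encrypted": sorted(encrypted), "ransom_notes": sorted(notes), "verdict": verdict}


# Constructed snapshots of a small file share.
DOC = b"Quarterly revenue is up 4 percent over last year; see the attached schedule. " * 40
SHEET = b"Jan,12000\nFeb,12500\nMar,13100\n" * 120
ARCHIVE = keystream(b"zip-demo", 3000)        # stands in for an already-compressed file
BEFORE = {"share/report.docx": DOC, "share/budget.xlsx": SHEET, "share/backup.zip": ARCHIVE}
AFTER_RANSOMWARE = {
    "share/report.docx.locked": fake_encrypt(DOC, b"k1"),
    "share/budget.xlsx.locked": fake_encrypt(SHEET, b"k2"),
    "share/backup.zip": ARCHIVE,
    "share/HOW_TO_DECRYPT.txt": b"Your files are encrypted. Pay 0.5 BTC to get the key.",
}
AFTER_NORMAL_EDIT = dict(BEFORE, **{"share/report.docx": DOC + b"Revised figures attached.\n"})

if __name__ == "__main__":
    print("ransomware run:", assess(BEFORE, AFTER_RANSOMWARE))
    print("normal edit:   ", assess(BEFORE, AFTER_NORMAL_EDIT))
```

The same comparison is what a versioned backup makes possible after the fact: if your backup keeps the previous copy of each file, the snapshot on the left still exists and can be restored over the one on the right.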
The last of our four computer security threats to be concerned about is the most insidious: botnets. Delivered by spear phishing or by infected files on download and file-sharing sites, a lightweight piece of malware silently infects a computer, phones home to let its operator know it has landed, and then waits for further orders.
Why would someone do that? Once thousands or millions of computers are infected, the attacker wields real power on the Internet: the ability to shut part of it down. On command, every computer in the botnet starts sending continuous packet streams at a target. That’s a Distributed Denial of Service (DDoS) attack. Botnets are openly rented out to attack someone you hate and hold their business hostage. A botnet is kind of like a 21st century hit man.
Botnets also get used for political ends. The hacker collective Anonymous, which threatened ISIS after the Paris attacks in 2015, is said to command some; and the Pentagon recently went public with its own cyberoffensive capabilities, announcing that a unit at Fort Meade was tasked with attacking ISIS with cyberweapons, reportedly including botnets.
With all those botnets floating around, you have to wonder about the impact on everyday business users. The impact is real, and your own machines may be the source: it’s worth checking the next time you can’t explain why your Internet connection is pegged, you can’t send an email or your VoIP phones don’t work. A PC that has joined a botnet shows up in firewall or router logs in one of two ways: one machine blasting a flood of traffic at a single outside address, or one machine quietly contacting the same address at regular intervals, like clockwork.
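Those two log signatures can be checked with a few lines over whatever flow or firewall records you already have. This is an added example for this post, not Telnexus tooling; the FLOWS records are constructed, and a real run would feed NetFlow, sFlow or firewall-log entries in the same (seconds, source, destination, port, packets) shape. One host is a DDoS drone pouring packets at a single web server; another checks in with a command server every five minutes; a third is a person browsing normally and should trip nothing.

```python
"""Spot two botnet symptoms in outbound flow records: a flood aimed at one target (DDoS participation)
and regular "phone home" beacons to a command server.

Added example for this post, not Telnexus tooling. FLOWS is constructed; a real run would feed NetFlow
or firewall-log records in the same (seconds, source, destination, port, packets) shape.
"""
from collections import defaultdict
from statistics import mean, pstdev

FLOWS = (
    # 10.0.0.7 contacts the same server every 300 s with almost no traffic: a C2 beacon
    [(300 * i, "10.0.0.7", "203.0.113.4", 443, 3) for i in range(1, 13)]
    # 10.0.0.5 hammers one web server with thousands of packets in irregular bursts: a DDoS drone
    + [(t, "10.0.0.5", "198.51.100.9", 80, 9000) for t in (5, 5.4, 6.9, 7.1, 7.2, 9.8, 14.0, 15.5)]
    # 10.0.0.8 browses normally: several sites, modest packet counts, irregular timing
    + [(12, "10.0.0.8", "192.0.2.10", 443, 40), (95, "10.0.0.8", "192.0.2.22", 443, 75),
       (310, "10.0.0.8", "192.0.2.10", 443, 30), (870, "10.0.0.8", "192.0.2.31", 443, 120),
       (1200, "10.0.0.8", "192.0.2.22", 443, 55)]
)


def find_floods(flows, packet_threshold=50000):
    """(src, dst, port) triples whose total outbound packets reach the threshold."""
    totals = defaultdict(int)
    for _t, src, dst, port, packets in flows:
        totals[(src, dst, port)] += packets
    return sorted(key for key, total in totals.items() if total >= packet_threshold)


def find_beacons(flows, min_count=6, min_interval=60, max_jitter=0.1):
    """(triple, interval_seconds) for hosts that contact one destination on a near-fixed schedule.
    Human traffic is bursty; malware check-ins are metronomic. Very short intervals are ignored
    so that a flood does not also masquerade as a beacon."""
    times = defaultdict(list)
    for t, src, dst, port, _packets in flows:
        times[(src, dst, port)].append(t)
    beacons = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return sorted(beacons)


if __name__ == "__main__":
    for src, dst, port in find_floods(FLOWS):
        print(f"FLOOD  {src} -> {dst}:{port}")
    for (src, dst, port), interval in find_beacons(FLOWS):
        print(f"BEACON {src} -> {dst}:{port} every {interval}s")
```

The thresholds are starting points, not magic numbers: tune the packet count to your link speed, and expect some legitimate software (update checkers, monitoring agents) to beacon too, so the beacon list is a list of machines to look at, not a verdict.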
Guard Your Attack Surfaces
If you’re running a business with over $3M in revenue, you are now a target and you have to deal with these security threats; frankly, so is any business that moves money by wire or holds customer data. What is a business owner to do? You have to take a more professional and proactive approach to computer security. Your efforts have to start with a combination of education, awareness, training, strong IT management and good security protocols.
Beyond those common-sense IT management goals, at Telnexus we use an engineering-oriented approach to computer security that focuses on minimizing attack surfaces and protecting the edge.
An attack surface is any part of your IT that is exposed to the network. We use the generic term “attack surface” because everything on your network has to be thought of as a device that could be exploited by a hacker. The obvious ones are PCs and servers, but routers, gateways, WiFi access points, switches, cameras, printers and phones all run software too, and flaws in that software can be exploited just the same.
Hackers use exploits, code that abuses a flaw in a device’s software, to burrow into an attack surface and take control of the device. A Zero-Day Exploit is one for a flaw the vendor hasn’t fixed yet; those are rare and expensive. Far more common are exploits for flaws that were fixed years ago but never patched on neglected, old computers, and dozens of those are in circulation. That is the environment in which hospitals like the one that paid the ransom operate: health IT is rampant with terribly-maintained, ancient systems, many still running Windows XP.
Microsoft ended support for Windows XP in April 2014, which means flaws found since then get no patches at all. The hackers have basically won the war on Windows XP. If you are still running a Windows XP system on your network, it can easily be converted into a hacker’s portal into everything else. Keeping a Windows XP system on your network is like welcoming a marauder into a vacant, unlocked office in your building that he can then use as a safe house from which to terrorize your business. If a piece of equipment forces you to keep one (some lab instruments and point-of-sale systems do), put it on its own network segment with no Internet access and no shares to the rest of the office.
You Need PC and File Server Protection
The biggest attack surface in every business network is the sum of all the individual PCs and servers. Unless you have a pure Windows 10 environment (which has Windows Defender built in) locked down with tight Active Directory security policies, you need endpoint protection in the form of a product like BitDefender Advanced Security. This program lives in the background on all your PCs and servers, silently looking for aberrant behavior that indicates an infection or attack. When it detects one, it tries to stop and undo the attack, and an alert is sent to a central console monitored by Telnexus technicians.
To guard against a ransomware attack that gets through one of your attack surfaces, you need safe offsite backup. One of the simplest and easiest to use is Carbonite; it continuously backs up your key data to an offsite location and keeps multiple versions of each file, so you can still get your data back if an encrypted version was already saved to the backup. Two checks matter whatever product you pick: the backup must not be reachable as a drive letter or network share from the PCs it protects, because ransomware encrypts anything it can write to, and you should actually restore a few files every month to prove the backups work.
Call Telnexus To Meet Your Security Threats
You can’t afford to fool around with computer and IT security in 2016. Today the threats are more sophisticated than ever, and the crooks are using some of the most advanced IT tools available to sharpen their attacks. If you own a small business, you could be in some offshore hacker’s crosshairs and not know it until it’s too late.
Give Telnexus a call today at +1-510-859-7000 or email us at firstname.lastname@example.org to request a free assessment of the security risks in your network. We will let you know what vulnerabilities we uncover, and then offer affordable and unobtrusive solutions to get you more secure fast.