You have to hand it to them, criminals are a clever bunch and in some ways we should thank them for entertaining us with their ingenuity. Actually we do thank them - with our hard earned cash when they get the better of us. This cat and mouse game will likely still be going on when Long Player (http://longplayer.org ) has long since stopped playing...
In the interests of learning and staying safe, we'll share some experiences of current attacks used to try to steal your information (and thus maybe your money a little later).
Example 1: Socially Engineered Email Attacks
This is a popular one as we write and, having started off targeting large organisations, it is now trickling down to smaller organisations like yours.
What happens? Criminals have a look at public sources like your own useful website / Companies House etc. to identify who the main boss(es) of the company are and who is in the finance team. They then craft (forge) an email from the head of the company to the head of finance asking for help to make a payment to a supplier, which might be a perfectly normal thing to do and a reasonable request. If the scheme runs to completion then the head of finance replies, thinking that he or she is talking to the boss, and £15,000 (or such amount as the criminal deems appropriate to not raise suspicion) is transferred into the sunset.
If the criminal can be bothered, they may even have sent a fake enquiry to your company prior to the attack, so that they have a copy of your email stationery and footers to make the mail more convincing.
To date (October 2016) it is estimated that just short of a billion pounds have been lost by UK companies falling for this type of fraud. Not many people or large organisations are going to want to stand up and admit that they were caught out though.
The same exploits are used not only in attempted financial fraud but in other walks of life too. A salient example is noted at http://www.bbc.co.uk/news/uk-england-london-32095189 where a prisoner was released and ushered out of jail after his bail / probation had come through - albeit on a fake email which was not noted until his release.
Example 2: Phishing Links
A newer threat that we are seeing in the wild at the moment is the digital equivalent of the chain letter, but with more malice. It starts when criminals trick you (through one of many possible ways) to reveal your login credentials for your email (MS Office 365 / Exchange / Lotus Notes / Google Mail). They then access your mailbox and send out a bulk email to all your contacts using your email account. Since this will be to people you know and who know you and is sent via your real email address and mail system, the chances are that it will get through all the email filters.
As they have access to your mailbox, they know your industry and how you write, along with your stationery etc. They also have a full copy of your email box in case there is anything interesting or useful to them in there. What could a criminal or competitor do if they had a full copy of your email box, sent box, folders, contacts, diaries, public folders and web shared folders? Have you ever emailed payment card details to people or noted passwords in email? Although most of the time this may be disregarded as the prime aim is just to spread and spread malware to do more damage later.
A typical mail sent out from one company to another could include a note such as: 'Please can you review these deal documents?'; or something similar that is appropriate to the industry and company, such that it looks credible, as well as a link to a document sharing website like Google Drive / Docusign Form etc.
When someone receives this message, if they click on the link, they might get a login page such as the below to access the 'documents':
The above looks like a legitimate login page for Google Drive, but please look carefully at the address - it starts out with 'drive.google.com (which looks legitimate to the human eye), but the 'gotcha' is the bit after this of .kwaltaz.com ... so you will not be going to Google Drive at all in this case, but to a sub-domain (sub-site) of kwaltaz.com - easy to miss that small but vital detail. The page looks convincing so if you are in a hurry then you may just enter your details to log in to get to the interesting deal documents.
If you do proceed to enter your details as invited to do, then you'll have just given away access to your files / email / anything else you store on Google in this case to the criminals. Unless you have further login security in place, they can now log into your email, continue the chain and help themselves to any interesting items you have. You may well not know that they've been looking and lurking for a week or more, before your mailbox is used in turn and it is also possible that your login might be sold on the underground 'darkweb' markets - value being higher depending on factors like, organisation and connectedness.
When one of these email abuse attacks are launched to repeat the cycle that started this example, the person or group starting the bulk mail is said to have 'owned' your mailbox. They may also change your password to lock you out and to slow down the process of you getting control back once you realise what is happening (by which time the damage is done in mail sending and to your reputation in turn). We've also seen that criminals like to interact with people when they are in the process of an exercise of abuse. For example: if a bulk mail goes out referring to deal documents etc. and a recipient is slightly suspicious so mails back to confirm validity (e.g. 'Hi Paul - can I check that this link was from you and is legitimate?'); then the crims in turn reply back to say something like - 'Hi Bob - yes, these are from me - please review and let me know your thoughts' etc... so encouraging Bob to become the next victim in the chain. The perpetrator of the fraud also likely deletes all your contacts and the replies / conversations they've had to further frustrate your recovery and communications as you wrestle back control of your mailbox.
Remember that, in this case, the email comes from the trusted mail account and no virus bearing attachments are included, only the link to the website for the 'documents' so the majority of virus scanners / junk mail filters will pass the email as 100% legitimate. There are effective defences but we'll come onto that later. Apart from just stealing your login details, scripts on the site also commonly detect what type of computer you have and which web browser and if these are known to be vulnerable to known attacks then they will often proceed to use these open doors to load malware onto your computer in the background without your knowledge. If you know that 90%+ of infections can be avoided by having your computer up to date so that known vulnerabilities are stopped, then you'll understand why your IT department focuses a fair bit of time and energy on patches and updates that get pushed out to your computer to keep you up to date. The odd reboot to apply these is a very minor inconvenience compared to the alternative of not keeping up to date!
Example 3: The Freebee USB stick.
Who doesn't like a freebie? For example a free promotional USB drive that you're sent in the post, or one that you were 'lucky to find' which someone else had evidently previously dropped. Statistically we're all suckers for the proverbial free lunch and 'don't look a gift horse in the mouth'. So you proceed to plug the drive into your computer to make use of it, or if found to see if there is anything interesting (music/ files / competitor files / the original owner's contact details to return the drive) on the drive. There is a chance this was your lucky day, but equally there is a good chance that the drive might have been 'dropped' where you'd find it.
When you click to open files on the drive, these may not be what they appear and unbeknownst to you could silently install malware or viruses on your computer, especially if you don't disable the 'autorun' features on removable media. By the act of plugging in the USB device to your computer, you bypass all your network firewall and external security and there is a very good chance that if a hacker can be bothered to drop USB devices for you to find, then they'll be bothered to write a custom virus for you that will not be detected by your virus scanner. Thus the last line of defence on your desktop could well be bypassed as well and the attacker has a backdoor to your office network and can likely get to anything you can get to, as well as maybe recording all your visited websites and keystrokes. Combine this with taking the odd screenshot in the background and letters 2 and 6 of your password may not be your secret for long.
Example 4: Bank Phone fraud.
We're all very careful about our computing and personal data, which websites we trust and keep our cards safe, don't we? So if you get a call from your bank's security department that they're worried about a number of transactions that have been put through for authorisation on your account, then you'll be glad that their anti-fraud systems have got your back, right? Not if the caller is not, in fact, your bank, but yet another clever criminal trying to catch you off-guard; to obtain your banking details to later abuse and enrich themselves. The fact that they appear to be trying to help you by flagging attempted transactions on your account is often enough for them to get your confidence before any of these 'transactions' go through. Analogue telephones also have a flaw that is abused at this point; if you have any doubt as to whether the call is genuine, then you can call back the bank on the phone number printed on the back of your bank card and are encouraged to do so 'to satisfy yourself that the call is genuine'. So you hang up the one call and then dial the number on the back of your card for whichever bank you are with. The call is answered - sometimes with a short 'your call is very important to us and we are connecting you as quickly as possible'; then you ask to be transferred to the fraud department where you are connected to the same, or another, agent who then verifies your details and helps you reset your security information to be very secure in future. In actual fact you've not called your bank, as the original call has not been cut off. The flaw in many phones is that calls do not disconnect until the caller (that rang you) has hung up, thus you've been on the same fraudulent call all the time and likely given away your memorable word / date / date and place of birth etc. in the process, while all the time thinking you are helping the bank to protect you. You can imagine how this ends; often within days of the original call.
There are a number of variations on this fraud call which targets businesses as well as individuals. Criminals know that certain professions, like solicitors, accountants and investment advisers may well hold short-term funds for clients in client accounts separate from their own funds. Where this is the case, there is a heavy duty of care on the holder and thus criminals may well target these groups as the modus operandum of the call appeals to and preys upon the instinct of the account holder to 'keep the funds safe'. Variations have included suggestions that the 'bank' will call back (and then do) tomorrow to assist with moving chunks (often quite considerable) of money into 'safe' accounts away from the account which is currently being 'targeted'. So, in a desire to keep client money safe, the unwitting victim actually assists the criminals by transferring large amounts of other people's money to them; which in many cases is never to be seen again.
If you're thinking 'no one would fall for this', then have a read of http://www.bbc.co.uk/news/business-34425717 which is a real example of this fraud occurring. The article notes that in the case of this unfortunate solicitor, the implication of the fraud was personal bankruptcy and being banned from practicing her profession. We understand that the professional indemnity insurers also failed to pay out on the grounds that she 'knowingly assisted criminals' which we think counter to probability and good faith in insurance so also be reminded that not all insurance is the same, though you may only come to understand that when you need to call upon it. Would your insurer cover you for this case if you acted (in your mind) in utmost good faith but were fooled into transferring money to criminals? Now might be a good time to make a call and find out.
What can we do to stay safe?
The above are just some examples of common frauds that we see in the real world that are delivered by technological means. There are many more.
Some advice we'd generally give is:
- Remember nothing is secure.
Sobering as it is, there is no such thing as a completely secure system; only degrees of risk reduction. Security is about reasonable justified degrees and measures which reduce risk of abuse. Admitting that you have a security problem (we all do) is the first step towards mitigating it. Never trust a security professional who isn't paranoid!
- Learn from the mistakes of others and don't repeat them.
Take an active interest in security. The more you know, the more you are armed. There is a lot to read on the Internet and in the press and knowing that you are at risk is the first step in reducing risks.
- Respect the need for security.
Security often (nearly always) comes at the expense of some convenience. Be that glass screens or steel bars in a bank branch that physically protect cash, or computer processes that ask for authentication or for you to change your password from time to time. Each time you have to go through the hassle of changing a password, remember that means you have a fresh start where anyone who might have known your password, now does not. Equally if your computer prompts for a reboot to complete install of (security)updates, don't hit 'postpone' but instead save anything you need to save, hit reboot and grab a coffee or glass of water; the updates are there for a good reason - to keep you safe.
- Be part of security.
We all need to be careful and vigilant. Even network administrators should normally only log in with normal user rights - see our other post on this at http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now . More generally, ensure you consider things and share information on a 'need to know basis'. Recruitment companies and those involved with industrial espionage (the former might arguably be the latter in some cases) might charm information out of you under many guises. We've even had phone calls where people claim to be calling from the Police (not the band or manufacturer of sunglasses, but the law enforcement crew) and naturally we want to help them, don't we? Even beware that, by reading security blogs and web pages, you are often giving away your network IP address and location.
- Make sure appropriate technical measures are in place to minimise your risks.
Where appropriate, pieces of technology can help maintain security. Make use of these and make sure they are configured, deployed, monitored and managed appropriately. There is a big difference between just 'having a firewall' and having a well-configured and well-run security solution in the same.
- There are no stupid questions when it comes to IT security.
As a rule of thumb: If you have a doubt, point it out. If something looks too good to be true, or does not 'feel right', then be sceptical and check. This might be in the language used in an email that might not be quite characteristic of the sender. Remember it took the one little boy to point out the emperor wore no clothes - often we find this recurring on a digital scale. It can also be in person or on the phone. Who is that new guy in the office and does everyone else just assume he has the right to be there?
- Trust your security.
There are many computing tools that aim to minimise risks online while you get on with your work. Quite a few operating systems (including MacOS / Windows 7, Windows 8, Windows 10 etc.) and popular web browsers like Firefox, Chrome and Internet Explorer have pop ups when they are warning you about a potentially dangerous website, or when a piece of software is trying to change things on your system. Unfortunately many studies show that 95%+ of the time people just hit 'Continue' and carry on. Stop and think when you see these, and better to err on the side of caution.
- Maintain good backups (and test them).
If all else fails, you've got your backups, right? There are many risks from threats like 'cryptolocker' which encrypt your files and ask for a ransom to restore them (which likely leads to only an empty wallet and no files back for you) and the value of your information to others which may be electronically leaked. But if you have good backups, at least you are still in business. Onega have developed a Backup Policy Template document which takes you through a number of risks to help make sure you have an appropriate strategy in place. We'd be happy to share a copy of this with you. Do test your backups though; we can't stress that enough. Over time companies implement new systems and people put things in new locations. On the cloud, on their computer, on external drives and network shares. Pick some random files, note their details, move them to somewhere new and challenge yourself or your IT department to get them back. A good example of this is if you move all your Outlook contacts from Office 365 to a PST file - do you have these backed up and can you get them back easily? I digress, but in that example Onega would have you covered with our O365 SkyKick backup system to keep your MS Office 365 cloud data safe.
- Don't be complacent.
This one is hard. Our natural inclination is to concentrate our attention on what is urgent, not neccessarily what is important. Even if your office is connected to the MOD secure network, or if you've got the shiniest new firewall, is everything else as good and is everyone briefed and playing the same way. If: you leave your computer unlocked while you are away from your desk; your Sage 'manager' password is blank (the default so do check if you use this); or 1001 other things, then you are at risk. An external check can sometimes help to remind us of this and wake us all up. Standards like the basic Cyber Essentials standards from the UK Government give a good basic baseline, also to make sure most of the low hanging fruit is covered.
** Please note the above are elements of what we consider salient advice but in no means comprehensive guidelines.
Onega can help with aspects such as Incident Response (although we'd rather help avoid incidents in the first place), Security Review / Audit, ensuring you have good Physical and Cloud Backup Solutions, implementing multi-level UTM Firewall protection, user education and security awareness, external mail filtering etc. The first step is to get in touch and we can discuss any particular concerns, run through any issues and decide what would be appropriate for your needs.
The story header picture here is of a Lego Criminal, but in actual fact we're probably not giving them the credit they're due. Here, more accurately, your foe could be better imagined as:
But in reality would actually probably look more like this:
Be on your guard; keep safe online and in the real world :-)