How hackers hack
A quick Google search reveals the target’s alma mater. Scanning LinkedIn connections brings up old classmates. Facebook pictures show hobbies, friends and recent vacations. Social media is fertile ground for hackers looking to personalize phishing emails, but isn’t at all necessary to do serious damage.
It’s easy to find anyone’s email address, home address and employer, even if they have no social media presence, Derrick Webber, penetration testing and forensics team lead at CGI, told Top Broker. And “if you were actually going to go to the step of looking at public archives, you could find out financial information, mortgage information, their bank.”
Personalizing phishing messages increases the likelihood of targets taking the bait, but many still fall for anonymous emails that simply warn a credit card is about to expire or a password needs changing. At a CGI presentation in Toronto, Webber showed attendees how hackers can clone the LinkedIn homepage, register a very similar domain name (for example, wwwlinkedin.com, with one character missing) and install keylogging software. Since people often use the same password for multiple accounts, hackers have a good chance of accessing information more sensitive than old lab partners’ career updates. Plus, after the target submits—and the hacker records—their email and password, the page reloads as the real LinkedIn page. This exploits the trend of login pages reloading if a password is entered incorrectly, says Webber, and most people don’t notice the altered domain name.
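A defender can check the links in incoming mail for the lookalike-domain trick described above. The following is an added example, not part of the original article; the protected-domain list, the common host labels and the sample message are assumptions constructed for illustration, and it goes slightly beyond the missing-dot case to cover one-character typos and the real domain used as a prefix of another domain.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organization keeps its own list of domains worth protecting.
PROTECTED = ("linkedin.com",)
# Assumption: host labels that often sit in front of a login page's domain.
COMMON_LABELS = ("www", "login", "secure", "mail")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host):
    """Return 'legitimate', 'unrelated', or the reason the host looks like an imitation."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED):
        return "legitimate"
    # Compare the last two labels only; assumes two-label domains such as name.com.
    registrable = ".".join(host.split(".")[-2:])
    for d in PROTECTED:
        if any(registrable == label + d for label in COMMON_LABELS):
            return "missing dot before " + d  # e.g. wwwlinkedin.com
        if edit_distance(registrable, d) == 1:
            return "one edit away from " + d
        if host.startswith(d + ".") or "." + d + "." in host:
            return d + " used as a prefix of another domain"
    return "unrelated"

def flag_links(text):
    """Map each imitation host found in the text's links to the reason it was flagged."""
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    verdicts = {h: classify(h) for h in hosts if h}
    return {h: v for h, v in verdicts.items() if v not in ("legitimate", "unrelated")}

# Constructed sample message body, not taken from a real email.
SAMPLE = """Your password needs changing: http://wwwlinkedin.com/login
Help centre: https://www.linkedin.com/help  Unsubscribe: https://news.example.org/u
Verify now: https://linkedin.com.account-check.example/verify"""

if __name__ == "__main__":
    for host, reason in sorted(flag_links(SAMPLE).items()):
        print(host, "->", reason)
```

A mail gateway or reporting mailbox could run a check like this on every inbound message and quarantine or banner anything it flags.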
And that’s only the start. Hackers “go hopping around inside the organization from that one little desktop, that initial point of compromise,” says Webber. “They start doing reconnaissance on the inside of the network to see what’s there. If they have a specific target they’re after, they’ll go after that target, or if it’s just opportunistic, they’ll look for anything juicy.”
Hackers can access documents on the affected computer and all others in its network, essential for ransom attacks (threatening to destroy data unless money is paid) and doxxing (threatening to expose embarrassing information unless money is paid). And of course, there’s run-of-the-mill espionage to track bank information or transfer money to the hacker’s own account. In 2010, California-based Village View Escrow found $465,000 missing from its bank account. A subsequent investigation revealed the money had been removed through 26 wire transfers done from the owner’s own computer, after a phishing email containing a malicious PDF captured company usernames and passwords. The owner had to take out a personal loan to avoid bankruptcy.
Hackers are good. You’ve got to be better.
STOP! YOU’VE BEEN HACKED.
1. Many organizations focus on preventative controls, but Webber warns they only delay skilled and determined hackers. Develop an action plan should your company be attacked, and make sure employees know the drill.
2. Cyber insurance is especially useful for SMEs. Sixty percent of small businesses that experience a data breach will close shop within six months, the National Cyber Security Alliance reports. In addition to providing financial compensation, insurers may cover a breach coach to help the company handle the legal, technical and PR fallout.
3. If you suspect you’ve been hacked, contact professionals and don’t shut down the computer. Malware often only resides in the computer’s memory, which is erased once the machine is turned off. “All that’s left is going to be this tiny little downloader on the disk, which by itself does nothing but go out and ask for data,” says Webber. And that makes it much harder to figure out what happened and how to recover data.
Copyright 2015 Rogers Publishing Ltd. This article first appeared in the Fall 2015 edition of Corporate Risk Canada magazine