BreachExchange mailing list archives

Hacking Workers' Minds for Easy Access to Networks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Dec 2015 17:08:58 -0700

http://www.bna.com/hacking-workers-minds-n57982065038/

Cybercriminals know it's easier to hack people's minds to gain access to
company computer systems than to use brute force, so they use social
engineering techniques that exploit human tendencies toward helpfulness and
annoyance to their advantage, security professionals told Bloomberg BNA.

Whether they get in by pretending to be someone from the information
technology department, by getting people to click on a link or e-mail from
somebody they think they know, or by getting people to reveal information
over the telephone, once inside the computer system, bad actors know how to
extract valuable data.

“Why go through all the trouble hacking computer systems when you can just
hack the human?” Keith Swiat, security and privacy director at RSM US LLP,
formerly known as McGladrey LLP, said.

Gamelah Palagonia, Willis Americas senior vice president and national
resource for network security, data privacy and technology errors and
omissions, said “it's hard to actually break into a network.”

Cybercriminals “have to invest time, have a skill set level. But it's easy
to get in through your employees. If a hacker has your employees’
credentials, they don't have to hack anything. They can just log in and
take what they want or camp out and stay there,” Palagonia said during the
webinar.

Fraudsters crawl into companies’ computers and individuals’ minds,
mimicking the way targeted individuals talk and write to get millions of
dollars wired into accounts. Business e-mail compromise fraud took
$798,897,959 from 8,179 victims from October 2013 to August 2015, the
Federal Bureau of Investigation Internet Crime Complaint Center reported in
August. U.S. victims lost $747,659,841 during the period.

“These totals, combined with those identified by international law
enforcement agencies during this same time period” bring business e-mail
compromise fraud “loss to over $1.2 billion,” the alert said.

Losses Likely $2 Billion

The losses from all forms of masquerading “are actually closer to $2
billion,” David Pollino, Bank of the West fraud prevention officer, told
Bloomberg BNA. “Given the fact that it was in the $500-700 million range in
January and now it's over a billion, we're likely to see it continue to
escalate.”

Just since January, the Internet Crime Complaint Center recorded a 270
percent increase in identified victims and exposed loss. The scam was
reported in 50 states and 79 countries. Fraudulent transfers were reported
going to 72 countries with the majority going to banks in China and Hong
Kong.

“It's more frequent than it's ever been,” Stroz Friedberg Managing Director
James Aquilina told Bloomberg BNA.

Social Engineering is Gateway

Attackers search Monster Worldwide Inc., LinkedIn Inc. and social media
sites for information to direct phishing e-mails and snag credentials of
targeted workers, Aquilina said.

Social engineering, or influencing or exploiting others, can lead the way
to more advanced attack vectors, such as malware that can harvest valuable
information. Custom malware, “if you know where to look on the dark Web,”
that isn't trackable by commercial antivirus software costs $250 or less,
Swiat said.

“Social engineering is an excellent way to get that malware into an
environment” and move laterally through a system “to find more juicy
targets,” Swiat said during a webinar sponsored by BakerHostetler LLP, RSM
and Willis Group Holdings Plc.

“Social engineering is really the gateway vector. There is a certain level
of complicit trust that exists between two human beings when they
communicate over any form of communication whether e-mail or face to face.
And the attacker has found that it is very, very, very easy to take
advantage of that trust.

“It's a very hard attack vector to defend against because it requires a
social shift,” Swiat said.

Mining Human Vulnerabilities

The consistently weak link in any system is people, together with the
principles of influence and the cognitive errors humans make in decision
making, said Michele Fincher, chief influencing agent of Social-Engineer
LLC, a consulting and training company specializing in the art and science
of social engineering.

“It becomes a very, very sort of complex problem and we know as humans we
make mistakes in a consistent way and people take advantage of that,”
Fincher told Bloomberg BNA.

Humans under stress or who are distracted “go to that quickest instinct.
Human beings are courteous and helpful. Malicious hackers take advantage of
that way we respond,” Fincher said.

“Despite updated, great technology, we still have a very basic level of
decision making that occurs,” she said.

“There's certain reasons people respond to the things the ways they do and
the bad guys are very well versed in how to exploit those certain
vulnerabilities,” Fincher said.

People put in a position of making a choice of being helpful or feeling
rude will choose not to be rude, she said.

Fraudsters put people on the spot and make them uncomfortable on the phone
as employees arrive at work, “and if they're very busy and they don't want
to deal with you, they're more apt to give you information about their
system. Attackers know this as well,” Stephen Leggett, senior vice
president and national fidelity practice leader with Willis of New York,
said at the webinar.

Impersonation

Impersonation can be taking on the role of a telecommunications provider or
service person, “and you'd be amazed at how easy it is with a convincing
costume, a work order and a sunny disposition to ask someone to see their
server room and they'll walk you right to it. We have about a 9 out of 10
success rate doing that,” Leggett said.

“These criminals that execute masquerading are highly sophisticated social
engineers,” said Pollino. “They're very believable.”

Aquilina told of a small, venture-backed startup that was notified “by an
extortionate attacker that as a result of a tiny little vulnerability in a
tiny little application for which a patch had only recently been discovered,
the attacker had gotten in the environment and gotten its hands on
personally identifiable information about its customers and its customers’
customers.”

The “little company” simultaneously handled inquiries from merchant brands,
employees, customers, customers of customers, federal regulators and nine
states’ attorneys general, insurers, class-action attorneys and law
enforcement investigating the cyber extortion, Aquilina said. “It cost them
millions,” he said.

Large-Scale Losses

Impersonation cost San Jose, Calif.-based Ubiquiti Networks Inc. $46.7
million. Ubiquiti in an August securities filing said funds were
transferred in June from a company subsidiary incorporated in Hong Kong to
other overseas accounts held by third parties based on spoofed e-mails.

Ubiquiti recovered $8.1 million, and another $6.8 million was held subject
to an injunction as the company works with federal authorities in the
criminal investigation to recover the remaining $31.8 million.

Ryanair Holdings Plc in September said it successfully recovered nearly $5
million that was fraudulently electronically transferred to a Chinese bank
in April.

Xoom Corp., a San Francisco-based provider of Internet money-transfer
services, in January announced $30.8 million in fourth-quarter costs were
tied to a suspected criminal fraud involving employee impersonation and
fraudulent requests targeting the company’s finance department.

Scoular Co. was defrauded out of at least $17.2 million wired to a bank in
Shanghai in three June 2014 transactions prompted by e-mails purported to
be from the CEO and the outside auditor to the controller, according to
court documents.

Learning the Inside Lingo

Once into a system, the attackers may spend 30-60 days “parked in your
computer, understanding everything going on in it,” Leggett said. That
spying includes looking at who's authorized to move money and learning
their writing style; attackers may “even catch something going on in your
organization that might require an upcoming wire transfer,” he said.

Aquilina said that fraudsters start “bouncing around the environment and
have access to the e-mail of the CEO, then they have another avenue of
exploit which is now I'm going to give direction to others in the company
and I'm going to make it look like him and I'm going to sound like him.”

Attackers load a phishing e-mail with information, send it around 4:30 to 5
in the afternoon “and tell you how urgently it has to get out,” Leggett
said. “And some of these are very, very sophisticated. I can tell you, I
understand how folks get tripped up.”

Awareness Only One Step

Consistent training for users includes verifying the sender's e-mail
address before responding, particularly for those that send money via wire
transfers, Aquilina said. “I can't tell you how many calls I've gotten from
companies after the wire's gone out,” he said.

“There are some sloppy practices that facilitate and enable the depth of
these kinds of attack, like employees having local permissions on their
computers which they don't need” that may allow further exploits, Aquilina
said.

Herb Lin, senior research scholar at Stanford University's Hoover
Institution Center for International Security and Cooperation, said
requiring two individuals to engage in an independent action can offer
another important anti-fraud step in the verification process. But it still
comes down to the one person, he said.
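As an added example (not from the article or from any of the firms quoted), the Python script below applies the two controls this section recommends to an incoming wire-request e-mail: it checks the sender's address before anyone acts (Reply-To not matching From, and a sender domain that is a lookalike of the company's own), and it routes every payment request to a phone confirmation and an independent second approver. The domain names, headers and message text are constructed.

```python
"""Triage a wire-transfer request e-mail for BEC indicators (constructed example)."""
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example-corp.com"                      # constructed placeholder domain
WIRE_WORDS = re.compile(r"\b(wire|transfer|urgent|today|asap)\b", re.I)


def domain_of(header):
    """Lowercase domain of an address header value, or '' if the header is absent."""
    _, addr = email.utils.parseaddr(header or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; a small value against OUR_DOMAIN marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return (verdict, reasons).  OK: not a payment request.  VERIFY: call the
    requester on a known number first.  HOLD: spoofing indicators present, so the
    request is parked until a second, independent approver has reviewed it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    reasons = []
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    if sender != OUR_DOMAIN and edit_distance(sender, OUR_DOMAIN) <= 2:
        reasons.append(f"sender domain {sender} is a lookalike of {OUR_DOMAIN}")
    if not WIRE_WORDS.search(msg.get_content()):
        return "OK", reasons
    return ("HOLD", reasons) if reasons else ("VERIFY", ["confirm by phone, then second approver"])


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e-corp.com>\n"
                    "Reply-To: jane.doe@mail-relay.example.net\n"
                    "Subject: Urgent\n\n"
                    "Please wire $48,000 to the new vendor account today. In meetings, e-mail only.\n")
SAMPLE_INTERNAL = "From: Jane Doe <jane.doe@example-corp.com>\n\nPlease release the quarterly wire.\n"
SAMPLE_CHATTER = "From: Jane Doe <jane.doe@example-corp.com>\n\nLunch menu for Friday attached.\n"
```

Run triage() over each sample: the lookalike message returns HOLD with two reasons, the internal request returns VERIFY, and the chatter returns OK.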
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 