Attackers develop more sophisticated malware every day, but increasingly the part of cyber security that businesses most need to watch is the human element. A company can build infrastructure that is well protected from external threats with firewalls and private networks, yet that does nothing to mitigate threats, malicious or unintentional, that originate inside the organisation or with an employee who has been tricked.
Advances in social engineering
Social engineering is the act of manipulating an individual into giving up confidential data or access. Attackers could infect a network with malware and go in through the back door, or they could trick an employee into handing over a password and stroll right in through the front.
As the average user becomes savvier to traditional social engineering, attackers have to be smarter about how they obtain data. In a business, something as simple as tricking one user into clicking a malicious link can give an attacker a foothold from which to reach the rest of the network. People know to ignore emails from pleading strangers in desperate need of bank details, but when an email appears to come from someone you know, you might think twice before clicking ‘Mark as spam’.
An attacker can simply scroll through a potential target’s Facebook profile to find the name of one of the victim’s friends, then send the victim an email pretending to be that friend. The victim is far more likely to fall for it if they believe it came from someone they know, which is why it is worth checking the actual sender address, not just the display name, before trusting such a message.
TIP: On the topic of social media, be careful with the personal details that you give out. What looks like a harmless game such as “Your rap name is the name of your first pet plus your mother’s maiden name” can actually be a scam for harvesting the answers to common account recovery questions.
Spear phishing is a social engineering attack in which a communication, such as an email or telephone call, is crafted for a specific individual, organisation or business. By using personalised details to appear legitimate, the attacker tricks the victim into revealing data, installing malware or granting access that the attacker can then turn into money.
The recent spear phishing Twitter hack
A recent high-profile example of spear phishing occurred on 15th July 2020, when attackers gained access to an internal account-management tool at Twitter. This breach led to the accounts of well-known people such as Elon Musk, Kanye West and Bill Gates tweeting a fake message to millions of their followers.
The text was a typical, basic Bitcoin scam: it promised to "give back" to the community by doubling any Bitcoin sent to an address. Though this may seem glaringly obvious to you and me, the attackers reportedly received over £80,000 from the celebrities’ followers, simply because of the huge number of people the message reached.
The attackers targeted a small group of Twitter employees by phone, aiming to obtain both access to the internal network and the employee credentials that protected the internal support tools. With what they learned from those first calls, they could then target further employees who had access to Twitter’s account support tools. The result was that they targeted 130 Twitter accounts and sent tweets from 45 of them, accessed the Direct Message inbox of 36 accounts and downloaded the Twitter data of seven. Notably, the initial foothold came from phone calls and stolen credentials rather than from a software exploit.
Internal threats to cyber security
Cyber security threats often come from inside, from current or former employees. These people can gain unauthorised access to confidential data or infect the network with something malicious.
‘Shoulder surfing’ is simply one person watching another type their password, and it happens far more than you might think. A disgruntled or soon-to-leave employee could stand behind a desk and watch colleagues type their passwords, and the unauthorised access that follows could be disastrous for a business.
Even easier than memorising a password seen over a shoulder: employees write passwords down and stick them to their monitors. Yes, that really happens. Obviously this makes login details trivial to obtain, and those details can then be used to defraud or infect a company.
USB drives inserted into computers
Employee machines can be infected with keylogging software carried on a simple USB drive, or fitted with a hardware keylogger that plugs in between the keyboard and the computer. An attacker only has to slip the device into the back of a machine while nobody is looking, and they can collect everything the user types, including passwords and personal details.
TIP: To guard against these internal threats, businesses should educate employees with security training and regular reminders about handling passwords carefully. Password manager software such as KeePass or Dashlane stores passwords securely so that nobody has to remember, or write down, all of them, and enabling multi-factor authentication limits what an attacker can do with a password they have captured.
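One practical control for the USB risk described above is to notice when an unexpected device appears. The Linux kernel logs every hot-plugged USB device, so a script can compare what was attached against an approved list and flag devices that present an interface they should not (a “drive” that also registers as a keyboard is the classic sign of a device that will type commands). The following Python script is an added example and is not code from the original article or from Fasthosts: the log lines are constructed in the shape of the kernel’s hot-plug messages, and the approved list, the vendor/product IDs and the “expected interface” rule are the example’s own assumptions.

```python
"""Inventory USB devices from the lines the Linux kernel logs when something is
plugged in, and flag any device that is not on an approved list, or an approved
device that exposes an interface it should not.  Added example, not from the
original article; log lines are constructed, the approved list is illustrative."""
import re

NEW_DEVICE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
INPUT = re.compile(r"input: (?P<name>.+) as /devices/\S*/usb\d+/(?P<port>[\d.-]+)/")

# Approved (vendor, product) IDs and the interface classes each should expose.
# Illustrative list: in practice this comes from the asset inventory.
APPROVED = {
    ("046d", "c52b"): {"input"},    # the desk's wireless keyboard/mouse receiver
    ("0781", "5567"): {"storage"},  # the company-issued flash drive
}

# Constructed log lines in the shape of the kernel's hot-plug messages.  Port
# 1-1.4 is an unknown drive that also registers as an input device, and the
# approved drive on 1-1.3 unexpectedly registers as an input device too.
SAMPLE_LOG = """\
[  120.431] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  120.432] usb 1-1.2: Product: USB Receiver
[  120.440] input: USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-1.2/1-1.2:1.0/input/input5
[ 3310.120] usb 1-1.4: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[ 3310.121] usb 1-1.4: Product: Flash Disk
[ 3310.130] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[ 3310.131] input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1.4/1-1.4:1.1/input/input6
[ 4400.900] usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 4400.901] usb 1-1.3: Product: Cruzer Blade
[ 4400.910] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[ 4400.911] input: Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-1.3/1-1.3:1.1/input/input7
"""


def parse_usb_log(text):
    """Return {port: {vid, pid, name, classes}} for every device the log announced."""
    devices = {}
    for line in text.splitlines():
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": "", "classes": set()}
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
        elif (m := STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]]["classes"].add("storage")
        elif (m := INPUT.search(line)) and m["port"] in devices:
            devices[m["port"]]["classes"].add("input")
    return devices


def audit(devices, approved=APPROVED):
    """Return one warning per device that is unapproved or exposes an unexpected interface."""
    warnings = []
    for port, dev in devices.items():
        label = f"{dev['vid']}:{dev['pid']} '{dev['name']}' on port {port}"
        expected = approved.get((dev["vid"], dev["pid"]))
        seen = ", ".join(sorted(dev["classes"])) or "no interfaces seen"
        if expected is None:
            warnings.append(f"unapproved device {label} ({seen})")
        elif not dev["classes"] <= expected:
            extra = ", ".join(sorted(dev["classes"] - expected))
            warnings.append(f"approved device {label} exposes unexpected interface(s): {extra}")
    return warnings


if __name__ == "__main__":
    for warning in audit(parse_usb_log(SAMPLE_LOG)):
        print("WARNING:", warning)
```

On a real machine the input would be `dmesg` or the kernel log from the journal rather than the constructed sample, and the same checks could be driven live from udev events. Blocking, as opposed to alerting, is a job for a device-control tool such as USBGuard; this script is the detection half.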
Baiting is a related trick that uses information gathered about the person. For example, an attacker could learn from social media that the target is a fan of the TV show Game of Thrones. That knowledge gives the attacker bait. Instead of a generic email, they can send one that says ‘Click here to watch the latest Game of Thrones episode’. The user is much more likely to click the button, which of course leads to malware and not to the latest episode.
Another way attackers trick users into downloading malware from emails is through unsubscribe links. Anti-spam law in the UK, the EU and the US requires marketing email to carry an unsubscribe link so that consumers can opt out of further communications, and users have learned to expect one.
An attacker could send a user repeated emails that look like special offers from a clothing company or similar. The emails look harmless enough, but if the user is not interested in the company or finds the emails too frequent, they press the unsubscribe link to stop them. In the attacker’s phishing email, however, the unsubscribe link downloads malware or leads to a credential-harvesting page instead. The safe habit is to hover over the link and check where it really goes, or to mark the message as spam rather than interact with it at all.
TIP: A properly configured anti-spam filter should stop most of these emails from reaching the inbox, but no filter catches everything, so again it is best to stay vigilant.
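The two tricks described above, an email whose display name copies someone you know and a link (unsubscribe or otherwise) that does not go where it claims, can both be checked mechanically before anyone clicks. The following Python script is an added example and is not code from the original article or from Fasthosts: the sample message, the address book and every domain in it are constructed, and the Authentication-Results header stands in for the verdict a receiving mail server would record after checking SPF, DKIM and DMARC.

```python
"""Checks for a sender impersonating a known contact and for links (including
"unsubscribe") that do not go where they claim.  Added example, not code from
the original article; the message, contact list and domains are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name copies a real contact, the address is on
# a lookalike domain, Reply-To points elsewhere, and the Authentication-Results
# header (as a receiving mail server would add it) shows DMARC failed.
SAMPLE_EMAIL = b"""From: "Sarah Jones" <sarah.jones@freemail-example.net>
Reply-To: <returns@cdn-update.example.org>
To: victim@example.com
Subject: Thought you'd like this
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail-example.net; dkim=none; dmarc=fail header.from=freemail-example.net
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi! Here is that clip I mentioned.</p>
<p><a href="http://cdn-update.example.org/watch/episode.exe">https://streaming.example.com/episode</a></p>
<p><a href="http://cdn-update.example.org/unsub">Unsubscribe</a></p>
</body></html>
"""

# Constructed address book: the people the user actually knows, keyed by name.
KNOWN_CONTACTS = {"sarah jones": "sarah.jones@example.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_findings(msg, known_contacts):
    """Flag display-name impersonation, a mismatched Reply-To and a failed DMARC check."""
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    known = known_contacts.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append(f"display name '{name}' is a known contact but the address is {addr}")
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(addr)}")
    if "dmarc=fail" in (msg["Authentication-Results"] or "").lower():
        findings.append("DMARC failed for the From domain")
    return findings


def link_findings(msg):
    """Flag links whose real destination does not match what the user is shown."""
    findings = []
    sender_domain = domain_of(parseaddr(msg["From"] or "")[1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append(f"link text shows {shown} but really goes to {host}")
        if "unsubscribe" in text.lower() and host != sender_domain:
            findings.append(f"unsubscribe link goes to {host}, not the sender's {sender_domain}")
        if target.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link downloads an executable: {href}")
    return findings


def analyse(raw_bytes, known_contacts=KNOWN_CONTACTS):
    """Parse a raw message and return every warning the checks above produce."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return sender_findings(msg, known_contacts) + link_findings(msg)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run as a script it prints the warnings for the sample; `analyse()` returns them as a list so the same checks can sit in a mail-filtering pipeline. The DMARC check depends on the receiving server having already evaluated SPF and DKIM and written the result into Authentication-Results, which most mail servers do; the link checks need only the message body.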
We at Fasthosts take your cybersecurity seriously with a specialist team dedicated to guarding your interests. If you’d like to read more about how you can maintain your own cybersecurity read our blog on the subject.