When it comes to finding the weak link in the security chain, you will find it in people. People are human and make mistakes. Hackers are great at exploiting vulnerabilities in software, but the easiest target for them is people. People are sometimes too trusting, which can lead to a hacker easily gaining access to systems and information.
Many times, we think about training employees to spot malicious emails and avoid opening them. While it’s good to ensure all employees in an organization are trained, the big target for hackers is the executives themselves. People with titles like “chief executive,” “chief financial officer,” or “vice president” should be extra vigilant, as they are the prime targets. The same is true for lawyers and anyone in finance.
Howard Solomon, in his IT World Canada podcast, talks about a new scam targeting senior executives. Solomon cites a research report by threat intelligence company Group-IB that claims at least 156 senior executives of financial, real estate and legal firms have been victimized by the attacks since the middle of last year. The attack works so well because the hackers do detailed research on the victims and their companies. With this information, the hackers send an executive an email that looks like it comes from a partner firm and includes a PDF attachment or a Microsoft Office file. Once the executive clicks on the file, they are sent to a website that looks like a Microsoft Outlook login page. “Victims who login give up their username and password to the crooks. Then they can log into the executive’s email and copy all messages. Then the attackers send phishing emails from the executive’s account to new victims, after which the sent message from the executive’s outbox is deleted to avoid detection. With the captured emails the criminals can search for and resell sensitive business information.”
The hackers are relying on executives being too busy to look closely at the message for any signs of malice. They are counting on the executive to trust the sender, then trust the attachment. Solomon states that there were a few clues in these messages that they were malicious. In some, the sender and recipient shared the same name. Other messages had unusual formatting, like using plus signs instead of spaces between words. Good email hygiene means spending the time to ensure that the email is from a trusted source before taking an action, like clicking on an attachment or link.
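The two clues Solomon describes can be turned into a simple mail-triage check that a security team could run over incoming messages. This is an added example, not code from the podcast or the Group-IB report; the messages, names and addresses below are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages: two carry a clue from the text, one is benign.
SAMPLES = {
    "same_name": (
        "From: Jane Doe <jane.doe@partner-firm.example>\n"
        "To: Jane Doe <jane.doe@victim-firm.example>\n"
        "Subject: Q3 contract review\n\nPlease see the attached agreement.\n"
    ),
    "plus_signs": (
        "From: Accounts <ap@partner-firm.example>\n"
        "To: Bob Roe <bob.roe@victim-firm.example>\n"
        "Subject: Updated+invoice+for+your+review\n\nSee+attached+file.\n"
    ),
    "clean": (
        "From: Alice Poe <alice@partner-firm.example>\n"
        "To: Bob Roe <bob.roe@victim-firm.example>\n"
        "Subject: Lunch next week?\n\nAre you free on Tuesday?\n"
    ),
}


def phishing_clues(raw: str) -> list[str]:
    """Return the heuristic clues triggered by one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    clues = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    to_name, to_addr = parseaddr(msg.get("To", ""))
    # Clue 1: sender and recipient display names match while the addresses differ.
    if from_name and from_name.casefold() == to_name.casefold() and from_addr != to_addr:
        clues.append("sender and recipient share the same display name")
    # Clue 2: plus signs joining words where spaces belong (three or more words).
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if re.search(r"\b\w+\+\w+\+\w+", text):
        clues.append("plus signs used instead of spaces")
    return clues


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each message label to the clues found, for review by an analyst."""
    return {label: phishing_clues(raw) for label, raw in samples.items()}
```

Heuristics like these produce false positives (a colleague legitimately sharing a name with the recipient, a URL-encoded subject), so they belong in a review queue rather than an automatic block rule.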
If your organization is not running a security awareness or phishing awareness training campaign at all levels, then you need to start. At minimum, requiring multifactor authentication on email logins can help against the type of attacks detailed above. If you don’t know where to start, contact Uzado today to help you get started.