4th July 2019 | Mansfield Thomas | Head of Security and Fraud Prevention

Cyber Awareness 101: Avoiding the Pitfalls of the Information Age

Cases such as the successful fraud against Austria’s aerospace engineering firm FACC in 2016 [1] highlight the impact that a single, simple phishing email (in that case, a message impersonating the CEO and requesting a wire transfer) can have on an organisation: the loss of €42 million and the dismissal of its CEO and CFO [2]. In today’s world, individuals must be not only technologically savvy but also cyber aware if they wish to secure their digital holdings, whether those are personal accounts or a globe-spanning multinational corporation.

Attacking the Consumer

As we have previously discussed [3], cybercrime has grown into a modern industry, with groups worldwide forming organisations to conduct their illegal, yet highly profitable, activities. These groups engage in a wide variety of cybercrime, from money laundering, to developing bespoke malware for other cybercriminals, to stealing corporate client data or even a nation-state’s secrets. But, for all the attack methods available to cybercriminals, exploiting human fallibility still sits at the top of their playbook. A 2016 study by PhishMe concluded that nine out of ten successful cyber attacks could be traced back to a phishing attempt [4], and according to Verizon’s 2018 Data Breach Investigations Report, 92 percent of malware was delivered by email [5]. So why do these methods, despite their long history, remain valid and popular in today’s cyberspace? To answer this, we first need to look briefly at the methods and vectors of cyber attacks and their different uses.

Cyber Attack Methods

Malicious software, or malware, is built for a specific function and is chosen according to what the cybercriminal is trying to accomplish. Ransomware, such as the 2017 WannaCry outbreak that shut down part of Britain’s NHS [6], infects IT networks and locks users out of their systems, holding the data hostage until a ransom is paid, usually in cryptocurrency or, in lower-end scams, prepaid gift-card codes. (WannaCry is also a reminder that email is not the only way in: it spread from machine to machine by exploiting an unpatched Windows SMB flaw, which is why it moved so quickly.)

Spyware, on the other hand, is more covert and is used for data gathering, whether simple keylogging to harvest user credentials, or theft of personal client data, financial information or other records as part of a larger operation. A good example of a successful, long-running spyware operation is DarkHotel, which ran for roughly seven years against guests of luxury hotels in Asia, delivering its malware to guests’ devices when they connected to the hotels’ Wi-Fi, typically disguised as a prompt to install a software update [7].

Other types of malware target Supervisory Control and Data Acquisition (SCADA) systems, which control automated industrial machinery, in order to damage equipment or facilities. Well-known examples include the Stuxnet worm (active from 2009, discovered in 2010), which destroyed gas centrifuges used to enrich uranium at Iran’s Natanz facility by manipulating the programmable logic controllers that drove them [8], and the 2014 attack on an unnamed German steel mill, in which attackers who had gained entry through spear-phishing emails caused control components to fail so that a blast furnace could not be shut down in a controlled manner, resulting in massive damage to the plant [9]. Just as the software on our electronic devices allows us to work and interact with the world around us, so too does its malicious counterpart disrupt that functionality. With this in mind, how is malware delivered onto our personal devices and company networks, and into our daily lives?

Vectors of Attack

In the vast majority of cases, cybercriminals choose to target individuals, or the employees of a business, rather than attacking the business’s perimeter defences head on. Anti-virus software (AVS), firewalls, intrusion detection and prevention systems (IDPS), and newer tools built on machine learning and behavioural analytics make direct attacks on well-protected systems expensive and noisy for anyone without the resources of a nation-state. It is far easier to target people who already have access to those systems, compromise their accounts, and then move across the network from that initial foothold, using privilege-escalation tools to obtain higher rights and rootkits and similar malware to hide from internal security controls. To achieve that initial compromise of a user, cybercriminals have a variety of vectors through which to deliver malware to the user’s system.

One of the longest-running and most popular methods is, of course, email. Whether it is sending attachments containing malware, directing users to click on links to forged versions of websites where they hand over their credentials, or sending them to pages that attack the browser directly (drive-by downloads) or abuse a legitimate site’s trust through cross-site scripting (XSS), email remains the most effective vector for delivering malware and compromising users and systems. In theory, widely used email services offer a specific, controlled means of communication and data transfer between users; in practice they are easily abused by anyone with the means and motivation to do so. Automated mass-mailing software and services make email an efficient, cost-effective attack vector, since thousands of messages can be sent with minimal time and effort, and senders can use a range of techniques (forged headers, compromised accounts, disposable sending infrastructure) to hide where a message originated, lowering the risk of retaliation or prosecution by law enforcement. Domains that publish SPF, DKIM and DMARC records are harder to impersonate, but many still do not. Email, however, is not the only channel. With information and communications technology and the Internet of Things (IoT) growing daily, attacks can now be launched over SMS messaging (smishing), free messaging apps, or even Voice over IP (VoIP) calls (vishing). So, with all these types of malicious software and all these vectors, how does the cybercriminal actually get the malware onto the user’s system?

Social engineering in its many forms, and phishing in particular, has been used with great success to compromise users’ and corporations’ IT systems since the mid-1990s. In a phishing attack, the cybercriminal poses as someone the user trusts, such as a friend or colleague, or as a figure of authority such as the user’s boss or someone from a bank’s or other organisation’s contact centre. In either case, the cybercriminal leverages this position of trust to obtain sensitive information or, more commonly, to deliver malware to the user’s system.

In the simplest case, where cybercriminals are only after login credentials, the user is told there is a problem with one of their accounts and that they must log in to fix it. There is usually an implied urgency: if the error is not corrected, the account will be suspended or closed, or, in the case of payment cards, the card will be blocked or cancelled. The user is given a web address that leads to a page looking exactly like their bank’s or other provider’s login page (website forgery); they attempt to log in and, in doing so, hand over their username and password. From there, the cybercriminal can access the account, possibly move further into a network depending on the type of account, or sell the credentials to other cybercriminals on the dark web. The tells are usually in the link rather than in the page: the visible link text names the bank while the underlying address points elsewhere, the real domain is a lookalike or buries the brand name in a subdomain of an unrelated domain, or the host is a raw IP address or a punycode (internationalised) name.
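The following is an added example, not code from the original article, showing how those tells can be checked mechanically over an email body: it extracts every link, compares the domain the text shows against the domain the href really goes to, looks for the brand name buried in a subdomain, measures edit distance against a trusted domain to catch typo-squats, flags raw-IP and punycode hosts, and counts urgency phrases. `TRUSTED_DOMAINS`, the urgency word list and `SAMPLE_EMAIL` are constructed for illustration, and examplebank.com is a placeholder brand.

```python
"""Triage the links and wording of a suspected credential-phishing email.

Added example, not code from the original article. TRUSTED_DOMAINS and
SAMPLE_EMAIL are constructed for illustration; examplebank.com is a
placeholder brand, not a real institution.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("examplebank.com",)          # assumption: the brands we protect
URGENCY_CUES = ("suspended", "within 24 hours", "verify your account",
                "immediately", "blocked")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (adequate for .com/.net)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href, text):
    """Return the list of indicators for one anchor (empty if nothing is odd)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return findings                       # mailto:, relative links: not judged
    target = registrable(host)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")
    if "xn--" in host:
        findings.append("punycode (IDN homograph) host")
    # The visible text names a domain that is not where the link really goes.
    for shown in re.findall(r"\b[\w-]+(?:\.[\w-]+)+\b", text):
        if registrable(shown) != target:
            findings.append(f"link text shows {shown} but href goes to {host}")
    for brand in TRUSTED_DOMAINS:
        label = brand.split(".")[0]
        if target != brand and edit_distance(target, brand) <= 2:
            findings.append(f"lookalike of {brand}: {target}")
        if target != brand and label in host:
            findings.append(f"brand name '{label}' buried in subdomain of {target}")
    return findings


def triage(html_body):
    """Analyse a whole email body; returns the list of indicators found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    indicators = []
    for href, text in parser.links:
        indicators.extend(analyse_link(href, text))
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    indicators.extend(f"urgency cue: '{cue}'" for cue in URGENCY_CUES if cue in plain)
    return indicators


# Constructed sample: a forged "account suspended" notice.
SAMPLE_EMAIL = """<p>Dear customer, unusual activity was detected. Your account will be
suspended within 24 hours unless you verify your account at the link below.</p>
<p><a href="http://examplebank.com.secure-login-verify.net/auth">https://www.examplebank.com/login</a></p>
<p>Questions? <a href="mailto:help@examplebank.com">help@examplebank.com</a></p>"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

On the sample message the link check fires twice (the text shows www.examplebank.com while the href goes to secure-login-verify.net, and the brand name sits in a subdomain of that unrelated domain) and three urgency cues are found. The registrable-domain helper deliberately ignores multi-label public suffixes such as .co.uk; a production filter would use the Public Suffix List instead.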

Another very simple tactic is sending emails with malware attached. Instead of using the false confidence gained from posing as a trusted individual to steal credentials, the cybercriminal attaches files that carry the malware. The cybercriminal might pose as a colleague sending a generic file the user needs to view, such as an office-party sign-up sheet, an internal memo or a news bulletin. In other cases, the email is made to look as if it reached the employee by mistake, with a malware-laden attachment labelled something that piques curiosity, such as “Senior Management Annual Salaries” or “Q3 Scheduled Layoffs”. While most email services filter known malware, cybercriminals constantly develop new variants the filters have not yet seen, or hide malicious code inside common file formats, for example as VBA macros in Word documents or Excel spreadsheets, or as an executable dressed up with a document icon and a double extension such as “Salaries.pdf.exe”. Once a user opens such an attachment, their computer or mobile device is infected and the cybercriminals can steal the data stored on it and spread across the user’s network or IT infrastructure.
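The following is an added example, not code from the original article, showing the checks a mail gateway or an analyst can run on an attachment before anyone opens it: executable and script extensions, double extensions, a mismatch between the extension and the file’s leading bytes (an executable named as a PDF), legacy OLE2 documents (which can embed VBA), and Office Open XML packages that contain a VBA project. The sample attachments, including the stand-in Office packages, are constructed in memory for illustration and are far smaller than real files.

```python
"""Triage email attachments for the disguises described above.

Added example, not code from the original article. The sample attachments
are constructed in memory; the Office packages are minimal stand-ins for
real .docx/.docm files.
"""
import io
import zipfile

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "hta", "ps1", "lnk", "msi"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
DOC_LIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

MZ_MAGIC = b"MZ"                                  # Windows PE executable
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.pptx are zip packages
PDF_MAGIC = b"%PDF-"
EXPECTED_MAGIC = {"exe": MZ_MAGIC, "scr": MZ_MAGIC, "pdf": PDF_MAGIC,
                  "doc": OLE_MAGIC, "xls": OLE_MAGIC, "ppt": OLE_MAGIC,
                  "docx": ZIP_MAGIC, "xlsx": ZIP_MAGIC, "pptx": ZIP_MAGIC,
                  "docm": ZIP_MAGIC, "xlsm": ZIP_MAGIC, "pptm": ZIP_MAGIC}


def inspect_attachment(filename, data):
    """Return a list of indicators for one attachment (empty means nothing odd)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        findings.append(f"executable or script extension .{last}")
    if last in MACRO_EXTS:
        findings.append(f"macro-enabled Office extension .{last}")
    if len(exts) >= 2 and exts[-2] in DOC_LIKE_EXTS:
        findings.append(f"double extension .{exts[-2]}.{last}")
    if data.startswith(MZ_MAGIC):
        findings.append("PE executable header (MZ) at offset 0")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy OLE2 container, may carry VBA macros")
    if last in EXPECTED_MAGIC and not data.startswith(EXPECTED_MAGIC[last]):
        findings.append(f"content does not match the .{last} extension")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            findings.append("zip header but package is not parseable")
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office package contains a VBA project (macros)")
    return findings


def build_office_package(with_macro):
    """Constructed stand-in for a .docx/.docm; real files hold many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0 placeholder VBA storage")
    return buf.getvalue()


# Constructed sample mailbox: attachment name -> bytes
SAMPLE_ATTACHMENTS = {
    "Office_Party_Signup.docx": build_office_package(with_macro=False),
    "Senior_Management_Annual_Salaries.docm": build_office_package(with_macro=True),
    "Q3_Scheduled_Layoffs.pdf.exe": MZ_MAGIC + b"\x90" * 62,
    "Invoice_4471.pdf": MZ_MAGIC + b"\x90" * 62,
    "Internal_Memo.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n",
}


def triage_attachments(attachments):
    """Map each attachment name to its indicators; an empty list means clean."""
    return {name: inspect_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'clean' if not findings else ', '.join(findings)}")
```

Of the five constructed attachments only the plain .docx and the genuine PDF come back clean; the salary document is flagged both for its macro-enabled extension and for the VBA project inside the package, the layoffs file for its .exe extension, its double extension and its PE header, and the invoice because it is a PE executable wearing a .pdf name. The magic-byte check is what catches renamed executables that a filter keyed on extension alone would pass.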

Finally, cybercriminals may use social engineering to direct users to compromised web pages, or to pages built for the sole purpose of attacking users and networks. In a drive-by download, the page exploits a vulnerability in the browser or one of its plug-ins, so the user only has to visit it for malware to be downloaded and installed covertly, without any further interaction. Cross-site scripting (XSS) is related but different: the attacker injects script into a legitimate site that users already trust, and that script runs in the victim’s browser when they view the affected page, where it can steal session cookies, capture what is typed into the page, or redirect the user to a malicious site. In both cases the damage is done without the user knowingly opening or running anything.
