We’d like to tell you about four companies whose services we use on a daily basis. Four stories to illustrate that the safety of confidential data and long-built reputation turned out to be… an illusion. But how did it happen?
Four companies, four cyberattacks, four-nil
Example 1: Security test of an eCommerce webpage
The first target was a company operating in the eCommerce sector. The attackers, posing as potential clients, contacted a sales representative for a demo presentation of a B2B platform. In this way, they were able to obtain an account on the website without raising any suspicions.
Acting as logged-in users who supposedly wanted to test the product before purchasing, they managed to find critical loopholes in the application within a few hours, stealing the customer and order database. In addition, by expanding their attack to other servers in the company’s infrastructure, they obtained access to backup copies, including contracts with other clients, the application source code and the company’s email system. The entire operation was completed in merely 48 hours.
Example 2: Phishing at a consulting company
The attackers performed a detailed analysis of the social media profiles of the consulting company’s employees in order to obtain knowledge about individual positions. The next step involved initiating email correspondence with selected employees in order to learn about the message format used, writing style and the email signature of a given person. Then, the attackers purchased a domain with a name that closely resembled the domain name of the attacked company’s website and created a false website that looked exactly like the company one… with the only difference being that the attackers’ website required visitors to additionally provide their login and password.
In connection with an upcoming corporate party, which was communicated to the employees via the corporate blog, the attackers sent emails from the false domain, posing as an employee of the PR department. The messages included an urgent request to fill out a survey regarding the preferences of party participants. However, the provided link redirected completely unaware employees to the false website, which required them to enter their access data. Within several minutes, the first dozen or so employees had given their access data to the intruders. Meanwhile, the attackers used the obtained passwords to log into the actual corporate systems and, within the next 20 minutes, steal all information of interest, such as sent offers, invoices or contracts.
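The lookalike domain in this scenario is exactly the kind of signal a mail gateway or SIEM rule can flag before the lure reaches an inbox. The script below is an added example written for this page, not LogicalTrust's tooling: it compares each sender domain against an assumed corporate domain (the constructed value example-consulting.com) after normalising common character swaps, and labels near-matches as lookalikes. All headers are constructed samples.

```python
# Added example (not from the original article): flag inbound mail whose sender
# domain closely resembles the company's own domain, as in Example 2 above.
# All domains and headers below are constructed sample values.

CORPORATE_DOMAIN = "example-consulting.com"  # assumed corporate domain

# Characters commonly swapped for look-alikes, mapped to a canonical form;
# hyphens are dropped so "example-consulting" and "exampleconsulting" compare equal
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "-": ""})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain of a From: header value, e.g. 'PR <a@b.com>' -> 'b.com'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify(from_header: str, corporate: str = CORPORATE_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    domain = sender_domain(from_header)
    if domain == corporate:
        return "internal"
    # Compare canonical forms so that '1' for 'l' or a dropped hyphen still matches
    canon_domain = domain.translate(CONFUSABLES)
    canon_corp = corporate.translate(CONFUSABLES)
    if canon_domain == canon_corp or edit_distance(canon_domain, canon_corp) <= 2:
        return "lookalike"
    return "external"


# Constructed sample headers, including the party-survey lure from Example 2
SAMPLE_HEADERS = [
    "PR Team <pr@example-consulting.com>",
    "PR Team <pr@examp1e-consulting.com>",   # '1' in place of 'l'
    "PR Team <pr@example-consulting.co>",    # last letter dropped
    "Newsletter <news@unrelated-shop.net>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{classify(hdr):10} {hdr}")
```

A distance threshold of 2 is deliberately loose and will produce false positives for short domains; in production the rule belongs alongside SPF/DKIM results and a newly-registered-domain feed rather than on its own.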
Example 3: Physical security of a financial institution
For several days, the attackers observed the building of the selected institution, keeping track of the actual working hours of individual employees and learning about their habits. They also paid close attention to the habits of couriers or suppliers of new IT equipment.
At 7:40, an intruder dressed according to the company’s dress code arrived at a side entrance used for deliveries of larger packages and entered the building by walking right behind one of the employees who, as always, bypassed the main entrance by using her access card. The attacker went up to a higher floor, stopping at the next door with a card access reader. At the same time, he pretended to talk on the phone about issues related to the current IT project, which he had learned about from the company’s website at the reconnaissance stage. After a few minutes, the door was opened by one of the institution’s employees, who was pushing a cart full of equipment. The intruder smiled, kindly held the door for the “co-worker” and went inside after him. He had a printed badge hanging around his neck which looked exactly like the access cards used in the company. He had taken pictures of the cards two days earlier in a nearby restaurant where most employees spend their lunch break.
Over the next hour, he placed small pendrive-like electronic devices in a few spots. After leaving the building, he connected to the planted devices via GSM. He was now on the company network – just as if he were sitting at one of the computers in the office. Over the next two days, he searched for servers with outdated software and found employee accounts with easy-to-guess passwords as well as sensitive information which the employees had forgotten to remove. Going server by server, he gained the highest Domain Administrator privileges and with them access to all important and confidential company information.
Example 4: Social manipulation techniques of a software house
An IT company is by far the most difficult target. The subjects are risk-aware employees who regularly perform or order security tests and utilize advanced protection mechanisms. In this case, the attackers sought to steal the source code of one of the company’s products, so they needed an unconventional plan. The attacking team created a website posing as the blog of a cybersecurity hobbyist from India called Ashok Kumar (who doesn’t exist in real life). The site contained a computer-generated picture of a young, dark-skinned man as well as information about a critical error in one of the services managed by the attacked company. Realistic-looking personal data and the use of red color in the appropriate place were designed to immediately evoke emotional reactions in the employees who visited the blog.
The attackers chose four people with presumably the highest IT qualifications in the company and sent them a fake message from the blog’s author. The email referred to the blog entry on the discovered critical error and asked whether the company would like to purchase a comprehensive security testing service in order to find out about other major loopholes. As many as three of the four attacked employees failed to see through the deception and, pushed by strong emotions, copied the code from the website in order to check whether the indicated error was actually present in the system. The moment they pasted the content copied from the website onto their computers to test the error, the intruders gained full control over their workstations (in this case: new MacBooks) without them even knowing. Within the next several minutes, the attackers stole the most important API keys and passwords, and had the desired source code after 12 minutes.
Preventing cyber-attacks with a penetration test
These four stories are not scenarios from action movies or book plots. Neither are they real attacks carried out by cybercriminals. In reality, they are the work of LogicalTrust, a company that has been offering controlled security tests for over 16 years. All of the above scenarios were designed and carried out by the company’s pentest team at the request of their clients.
The purpose of such simulated attacks, aka penetration tests, is to improve security mechanisms and procedures used by a given company. It’s all about making it harder for actual criminals and avoiding – this time absolutely real – financial and reputational damage.
For whom are penetration tests designed?
Who orders this kind of service? Nowadays, due to the scale of such attacks, we work with companies from all sectors. Starting from software development teams consisting of a dozen or so employees and ending with the biggest, widely recognizable corporations. Anyone can be targeted by real attackers, which is why more and more of us must start thinking about testing ourselves in a simulated attack.
After completing penetration tests, which are always carried out according to detailed scenarios, the company is informed how the attackers were able to steal sensitive information and is given detailed instructions on how to increase the level of safety culture within the organization in order to prevent future cyber attacks. This comprehensive approach is far more effective than a single action such as purchasing even the most advanced software, e.g. antivirus programs. Unfortunately, mere improvement in vulnerable aspects in applications or infrastructure is not enough to successfully protect a company against attacks. Effective defense mechanisms must consider the company’s business processes, utilized technology and – above all – daily habits of employees.
The human factor of cyber attacks
The human factor remains the weakest link in all security mechanisms and we should remember that IT security is not a priority for most employees. They are rather focused on their regular duties associated with a given position. The list of tasks must be constantly taken care of… but is it done safely? That’s a whole different matter! Therefore, effective education of non-tech-savvy people must be:
❖ short – today’s employees don’t have time for several-hour-long webinars on subjects they’re not interested in;
❖ unconventional – the form matters, it must be interesting, funny and accessible;
❖ concise – we should focus on only the most important security rules, which are relevant to the types of attacks used today.
In line with the above principles, companies like LogicalTrust offer two types of training for all company employees:
On-line training in the form of an e-learning course containing several-minute-long clips presenting important aspects of protection against cyberattacks.
On-site training in the form of a condensed lecture on security incidents which resulted in losses running in the millions… all because of small errors and oversights of employees.
Along with that, at-risk companies should also train tech-savvy employees, enabling them to create safer solutions that are resistant to outside attacks. The training usually takes the form of intensive workshops, during which the employees learn how criminals think and operate – this translates to a better understanding of attack mechanisms and more effective protection of the company’s applications and infrastructure.
If you want to check the current state of the security in your company, you can run a free Security Inside test among yourselves and your employees on recognizing dangerous messages: phishinquiz.securityinside.com
Either way, don’t let criminals get their hands on everything your company has worked for over the years: databases, know-how, earned reputation or financial resources. Raise the bar and improve the security of your company with the support and experience of security experts.
Published October 22, 2019