It’s Cybersecurity Awareness Month!
This year it arrives in the middle of an extended series of ransomware attacks on municipalities, educational institutions and hospitals. In Georgia, the city of Cornelia survived its third ransomware attack of 2019 and finally decided to upgrade its ten-year-old firewall solution.
Meanwhile, in Alabama, ransomware struck DCH Health System. It shut down three hospitals, denying healthcare to patients and forcing staff to turn away ambulances. Even though DCH started to rebuild its systems from backups, the organization ultimately paid for the decryption key to expedite recovery.
The rise in attacks raises the question: How do most ransomware attacks start? The answer: through phishing attacks.
Although many users are getting better at recognizing phishing attacks, they remain a critical weakness that can bypass otherwise robust security measures.
Sally Adam of Sophos recently wrote about numerous technical details specifically regarding the Ryuk Ransomware attacks – the same malware at the heart of the DCH Health System attack.
Ryuk attackers use a sophisticated multi-stage process that begins with malicious attachments sent via phishing. After the initial phish gains access to the corporate network, the attackers steal credentials, create new admin users, delete backups, and disable cybersecurity products in preparation to unleash the ransomware.
Common Phishing Attacks
As sophisticated as the attack may be, the phishing attack remains the first domino that must fall.
David Bisson of TripWire.com outlines 6 Common Phishing Attacks and How to Protect Against Them:
- Deceptive Phishing – PayPal scams, Amazon impersonators, etc. trying to trick users into giving up credentials or clicking an attachment. These tend to be generic mass-emailed messages.
- Spear Phishing – Specifically targeted at an organization or user; these attacks attempt to trick users by using information or connections personalized for the organization or person.
- CEO Fraud/Whaling – A specific subset of Spear Phishing that involves impersonating or compromising the business email of a high-ranking executive (CEO, etc.).
- Vishing – A phishing attack via a phone call, used to perpetrate scams without malware.
- Smishing – A phishing attack carried out via SMS text messages.
- Pharming – Corrupting DNS server information to redirect requests for popular websites to hacker-controlled sites to steal credentials or load the computer with malware.
Did you notice that not all attacks involve computers or malware?
These are all traditional con-artist techniques that have been updated to take advantage of today’s digital culture.
How to Counter the Attacks
Avoid Leaking Data
To counter phishing there are three broad solutions.
First, employees need to be trained to avoid leaking data. Kelly Sheridan of DarkReading lists 8 Ways Businesses Unknowingly Help Hackers.
The eight methods can be summarized in two parts:
- Oversharing – Employees take selfies with their employee badges or accidentally post IT information in the background of a social media post, or HR posts details about security software in the job description for a new hire.
- Too much trust – Employees assume caller ID is correct and that the email address or link is legitimate, and don’t double-check before processing the CEO’s strange request for W-2 forms.
For phishing specifically, two key issues stand out: sharing too much information in email signatures, and overly broad out-of-office replies.
Signature files often provide information that a hacker can use to perform spear phishing attacks: Actual employee names, correct addresses, department names, phone numbers, etc.
While this information would not normally be sent to a hacker, some employees have the bad habit of replying to obvious phishing attacks with a taunting reply – which includes their email signature.
Out-of-office emails need to be set up with limitations.
Hackers love it when their spam email triggers a generic out-of-office reply from an executive, which often lists critical information, such as where they are travelling, why they are out of town, and who to contact in an emergency.
Now, hackers have information for a spear phishing or whaling attack.
Recognize a Phishing Attack
A second critical counter for phishing is for employees to recognize a phishing attack.
Fortunately, learning the basics for phishing attacks is not difficult. In fact, PBS created a great introductory game to teach basic phishing awareness, which is open to the public.
Unfortunately, as phishing awareness grows, the attacks also grow in complexity.
Sheridan notes that some hackers impersonate IT departments by spoofing corporate phone numbers and calling employees. Hackers know that employees have been trained to recognize the old attack methods and will no longer give up their usernames and passwords over the phone.
Instead, the hacker’s script includes a very reasonable reminder to make it seem more legitimate, such as: “We both know you are not supposed to give IT your user name and password, so I’m going to send you a link…”
The hacker then spoofs the email address for the company and sends the link to their malicious site.
Remember those aforementioned out-of-office emails? Guess where the hackers learned which phone numbers and emails to use for spoofing, who to call, and who to target?
Improved Internal Controls
With increased sophistication, breaches are more likely to succeed than not.
This brings us to our third solution to countering phishing – improved internal controls. Essentially, organizations need to implement a policy of “don’t trust, verify.”
Technology can provide part of the zero-trust solution. One example is network micro-segmentation, which can reduce the impact of a mis-click through isolation.
Two-factor authentication can also be critical.
SecureLink compiled Three Breaches Two-Factor Authentication May Have Blocked regarding breaches at Tesla, JP Morgan, and Slack.
In each case, attackers compromised systems by logging in with stolen credentials. Without two-factor authentication to slow the hackers down, the companies had no idea that the wrong people were accessing their systems.
However, technology is not the only solution.
Policies, procedures, and systems should be in place within the workplace to provide checks and balances. Inevitably, someone will slip up, so preparation is key.
A Costly Phishing Attack
In March 2018, the CEO and CFO of the Dutch division of Les cinémas Gaumont Pathé fell victim to a CEO fraud phishing attack.
Company officials were told to wire money as part of a confidential takeover in Dubai, and that communication was to be conducted only via email. A simple call or text message to the CEO of the French parent company could have saved Pathé over €19,000,000 (over $20 million).
Although the executives thought the request was strange and corresponded repeatedly with the scammer via email, they never once made a person-to-person phone call to verify the source. DutchNews.nl revealed that two executives were later fired for not doing their due diligence.
The Right Networking and Cyber Security Support
To avoid falling prey to similar situations, companies must stop exempting executives from procedures, and enforce multi-channel communications.
Don’t reply to an urgent funds transfer request received via email. Instead, pick up the phone and call or text the executive. Just remember to use the company directory – don’t rely on the potentially fraudulent email for a phone number.
At Ideal Integrations, we’re here to help you create a more secure network. With our highly trained and experienced team, you’ll have peace of mind knowing that your network is being managed, 24/7/365.
And, our cyber security team, Blue Bastion, will keep your applications and data safe with the most up-to-date, high-powered security management platforms. Even if you’re already an Ideal Integrations customer, be sure to ask our team members how Blue Bastion can help you!
Request a consultation today by completing the form below, or by calling (412) 349-6680.