Hacking Workers' Minds for Easy Access to Networks

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Joyce E. Cutler

Dec. 11 — Cybercriminals know it's easier to hack people's minds to gain access to company computer systems than to use brute force so they use social engineering techniques exploit human tendencies of assistance and annoyance to their advantage, security professionals told Bloomberg BNA.

Whether by pretending to be someone from the information technology department, getting people to click on a link or e-mail from somebody they think they know or getting people to reveal information over the telephone, once in the computer system, bad actors know how to extract valuable data.

(Click image to enlarge.)

PVLR image 12-14-2015

“Why go through all the trouble hacking computer systems when you can just hack the human?” Keith Swiat, security and privacy director at RSM US LLP, formerly known as McGladery LLP, said.

Gamelah Palagonia, Willis Americas senior vice president and national resource for network security, data privacy and technology errors and omissions said “it's hard to actually break into a network.”

Cybercriminals “have to invest time, have a skill set level. But it's easy to get in through your employees. If a hacker has your employees’ credentials, they don't have to hack anything. They can just log in and take what they want or camp out and stay there,” Palagonia said during the webinar.

Fraudsters crawl into companies’ computers and individuals’ minds, mimicking the way targeted individuals talk and write to get millions of dollars wired into accounts. Business e-mail compromise fraud took $798,897,959 from 8,179 victims October 2013-August 2015, the Federal Bureau of Investigation Internet Crime Complaint Center reported in August. U.S. victims lost $747,659,841 during the period.

“These totals, combined with those identified by international law enforcement agencies during this same time period” bring business e-mail compromise fraud “loss to over $1.2 billion,” the alert said.

Losses Likely $2 Billion

The losses from all forms of masquerading “are actually closer to $2 billion,” David Pollino, Bank of the West fraud prevention officer, told Bloomberg BNA. “Given the fact that it was in the $500-700 million range in January and now it's over a billion, we're likely to see it continue to escalate.”

Just since January, the Internet Crime Complaint Center recorded a 270 percent increase in identified victims and exposed loss. The scam was reported in 50 states and 79 countries. Fraudulent transfers were reported going to 72 countries with the majority going to banks in China and Hong Kong.

“It's more frequent than it's ever been,” Stroz Friedberg Managing Director James Aquilina told Bloomberg BNA.

Social Engineering is Gateway

Attackers search Monster Worldwide Inc., LinkedIn Inc. and social media sites for information to direct phishing e-mails and snag credentials of targeted workers, Aquilina said.

Social engineering, or influencing or exploiting others, can lead the way to more advanced attack vectors, such as malware that can harvest valuable information. Custom malware, “if you know where to look on the dark Web,” that isn't trackable by commercial antivirus software costs $250 or less, Swiat said.

“Social engineering is an excellent way to get that malware into an environment” and move laterally through a system “to find more juicy targets,” Swiat said during a webinar sponsored by BakerHostetler LLP, RSM and Willis Group Holdings Plc.

“Social engineering is really the gateway vector. There is a certain level of complicit trust that exists between two human beings when they communicate over any form of communication whether e-mail or face to face. And the attacker has found that it is very, very, very easy to take advantage of that trust.

“It's a very hard attack vector to defend against because it requires a social shift,” Swiat said.

Mining Human Vulnerabilities

The consistently weak link in any system is people and the principles of influence and cognitive errors humans make in decision making, Michele Fincher, chief influencing agent of Social-Engineer LLC, a consulting and training company specializing in the art and science of social engineering, said.

“It becomes a very, very sort of complex problem and we know as humans we make mistakes in a consistent way and people take advantage of that,” Fincher told Bloomberg BNA.

Humans under stress or who are distracted “go to that quickest instinct. Human beings are courteous and helpful. Malicious hackers take advantage of that way we respond,” Fincher said.

“Despite updated, great technology, we still have a very basic level of decision making that occurs,” she said.

“There's certain reasons people respond to the things the ways they do and the bad guys are very well versed in how to exploit those certain vulnerabilities,” Fincher said.

People put in a position of making a choice of being helpful or feeling rude will choose not to be rude, she said.

Fraudsters put people on the spot and make them uncomfortable on the phone as employees arrive at work, “and if they're very busy and they don't want to deal with you, they're more apt to give you information about their system. Attackers know this as well,” Stephen Leggett, senior vice president and national fidelity practice leader with Willis of New York, said at the webinar.

Impersonation

Impersonation can be taking on the role of a telecommunications provider or service person, “and you'd be amazed at how easy it is with a convincing costume, a work order and a sunny disposition to ask someone to see their server room and they'll walk you right to it. We have about a 9 out of 10 success rate doing that,” Leggett said.

“These criminals that execute masquerading are highly sophisticated social engineers,” said Pollino. “They're very believable.”

Aquilina told of a small, venture-backed startup that was notified “by an extortionate attacker that as a result of a tiny little vulnerability in a tiny little application for which a patch had only recently been discovered the attacker had gotten in the environment and gotten its hands on personally identifiable information about its customers and its customers’ customers.” said.

The “little company” simultaneously handled inquiries from merchant brands, employees, customers, customers of customers, federal regulators and nine states’ attorneys general, insurers, class-action attorneys and law enforcement investigating the cyber extortion, Aquilina said. “It cost them millions,” he said.

Large-Scale Losses

Impersonation cost San Jose, Calif.-based Ubiquiti Networks Inc. $46.7 million. Ubiquiti in an August securities filing said funds were transferred in June from a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties based on spoofed e-mails.

Ubiquiti recovered $8.1 million and another $6.8 million was held to an injunction as the company works with federal authorities in the criminal investigation to recover the remaining $31.8 million.

Ryanair Holdings Plc in September said it successfully recovered nearly $5 million that was fraudulently electronically transferred to a Chinese bank in April.

Xoom Corp., a San Francisco-based provider of Internet money-transfer services, in January announced $30.8 million in fourth-quarter costs were tied to a suspected criminal fraud involving employee impersonation and a fraudulent requests targeting the company’s finance department.

Scoular Co. was defrauded out of at least $17.2 million wired to a bank in Shanghai in three June 2014 transactions prompted by e-mails purported to be from the CEO and the outside auditor to the controller, according to court documents.

Learning the Inside Lingo

Once into a system, the attackers may spend 30-60 days “parked in your computer, understanding everything going on in it,” Leggett said. That spying includes looking at who's authorized to move money, learning their writing style and “even catch something going on in your organization that might require an upcoming wire transfer,” he said.

Aquilina said that fraudsters start “bouncing around the environment and have access to the e-mail of the CEO, then they have another avenue of exploit which is now I'm going to give direction to others in the company and I'm going to make it look like him and I'm going to sound like him.”

Attackers load a phishing e-mail with information, send it around 4:30 to 5 in the afternoon “and tell you how urgently it has to get out,” Leggett said. “And some of these are very, very sophisticated. I can tell you, I understand how folks get tripped up.”

Awareness Only One Step

Consistent training for users includes verifying the sender's e-mail address before responding, particularly for those that send money via wire transfers, Aquilina said. “I can't tell you how many calls I've gotten from companies after the wire's gone out,” he said.

“There are some sloppy practices that facilitate and enable the depth of these kinds of attack, like employees having local permissions on their computers which they don't need” that may allow further exploits, Aquilina said.

Herb Lin, senior research scholar at Stanford University's Hoover Institution Center for International Security and Cooperation, said requiring two individuals to engage in an independent action can offer another important anti-fraud step in the verification process. But it still comes down to the one person, he said.

To contact the reporter on this story: Joyce Cutler in San Francisco at jcutler@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com