A Closer Look at a Common Cybersecurity Scam

By: Pete Rife, CISA, CISSP

We live in a world that is increasingly connected to almost every aspect of our daily lives.  As someone who is professionally interested and focused on cybersecurity I spend a great deal of time studying the methods and motivations of the hackers that are attacking every day.  Most people are only opaquely aware of the threats that are around them continuously.  I see examples frequently that are both fascinating (to me) and terrifying at the same time.

 

Our firm invests in top line firewalls, antivirus, SPAM filters, and of course, training as do many other companies.   These tools are vital and do mitigate some threats, but the truth is it’s the human users that are often the weak link in the defense chain.   For this reason, I continuously stress that the absolute best defense a company can mount is by being vigilant, proactive, and educated.  I’ll share a couple poignant examples recently that drive home why it’s vital to pay attention to protect yourself and your company.

 

Late one evening not long ago I received a call from a team member stating he had started receiving SPAM emails at an alarming rate.  Within a couple hours he had received thousands of messages from around the world, often in foreign languages such as Dutch, Russian, Swedish, and Chinese and it didn’t appear to be letting up.   I asked him please forward a few examples to me for examination and to take a moment and check his online accounts, such as PayPal, Amazon, etc. as I had a strong suspicion of what might be happening to him.

 

I called him again the following morning and we did some investigating.  As he was carefully deleting the SPAM messages, he found an email from a major retailer (Best Buy in this case) that acknowledged his “Online Order”.  It seemed someone had accessed his account, changed the billing and shipping address, and placed a $1000+ order at approx. 7pm the previous night.  Fortunately, he called the retailer and canceled the transaction before it shipped, and changed his account settings and password to prevent further attacks.  In this case, the hacker “SPAM Bombed” him a few hours before they attacked his account.  By sending thousands of SPAM messages to him, they hoped the deluge and clutter of emails would cause him to miss the account changes and order notifications from the retailer, and therefore not catch it in time.  Because he was vigilant, proactive, and educated. – we stopped it.

 

Another recent example I encountered at a client was an email that was received by a team member of the company that appeared at first glance to be from a senior manager.  The message was innocuous enough, and simply asked “Are you in the office today?”.  The team member did notice that the return email address was NOT the senior manager’s actual email address, and reached out to me for direction.  This email is a prime example of Spear Phishing.  In this case, the hacker is deliberately attacking an individual by masquerading as someone the users knows and trusts in the hopes of getting the employee to engage with them.  Had the employee taken the bait and casually assumed he was communicating with the senior manager, the hacker would likely have sent a file attachment such as a spreadsheet or PDF asking him to take a look at it.  The file attachment would have almost certainly carried a payload with a trojan or Ransomware.   Because he was vigilant, proactive, and educated. – we stopped it.

 

Every company faces these threats on a daily basis.  Sadly, I see far too many executives, management teams, and even board members demonstrate a gross lack of understanding of the risks to their organizations via these threats.  They believe (wrongly) that because they have invested in the latest firewall or software security suite, they have adequately protected their information assets.  Properly configured hardware and software are certainly vital components of an effective cybersecurity program, but equally important are guidelines, policies, and procedures that are carefully designed, documented,  implemented, and enforced.  And, of course, security awareness training for all employees is absolutely required to ensure the hackers do not easily compromise the system by tricking the humans into granting them access.  After all, a company can spend millions in security software, hardware, and physical doors and locks but it’s all useless if an employee leaves a door or window unlocked.

Contact Holbrook & Manter today to learn more about how we can help you with your cybersecurity needs.