Saturday, February 2, 2019

Institutional Safeguards and the Human Element

Phishing emails from a CEO to an Executive Assistant with urgent tasks (scams) are on the rise

Does your organization welcome questions from employees? Would an employee feel comfortable questioning their supervisor about a task? How often do you push a job down the chain and expect it to “just get done?” The urgency of business demands that employees be able to carry out tasks without question. Unfortunately, that same urgency can lead to the exact conditions that cybercriminals exploit daily to the tune of billions of dollars. These exploits and a lack of focus on institutional safeguards to prevent them mostly go unnoticed within organizations until they become the target of a cyber-attack.

When discussing how cybercriminals operate, it is easy to adopt the “that could never happen to me” mentality. We’ve all heard the story of someone’s uncle who was catfished out of his life savings by someone from another country whom he never met, but who is the love of his life. While the need for human connection may not be every individual’s weak point, everyone has at least one. In the business environment, humans are invariably the weak link in the security chain. Cybercriminals are particularly adept at manipulating the human element to extort money, intellectual property, and resources.

Here we will explore a case study involving a recent incident response that Alpine Security performed. In this incident, the company in question was targeted using email spoofing and phishing attacks resulting in losses of over $20k. This particular scam is noteworthy because it highlights a technique that is on the rise in recent months and illustrates how cybercriminals often use human and institutional weaknesses to fulfill their goals.

Initial Phishing Email to Elicit a Response

In the first phase of this attack, the criminal used a Gmail account designed to look like it belonged to the supervisor of the targeted employee, e.g., first.last@gmail.com. Seeing the supervisor's name in the email address, the employee had no reason to suspect that the email came from anyone other than their actual boss. The email explained that the supervisor wanted to give away some eBay gift cards to a vendor but was tied up and would like the employee to go and pick them up quickly. The employee responded and followed instructions to purchase $2,000 in eBay gift cards. She was then instructed to scratch off the back of the cards and send images of the codes to the email account. As luck would have it, she sent the codes via text rather than email, enabling her company to catch the scam before the codes were leaked, but it was a very close call.
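The look-alike address in this phase (an employee's name rebuilt as first.last@gmail.com) is something a mail gateway or SIEM can flag mechanically. The check below is an added example, not Alpine Security's tooling; the employee directory, internal domain, and messages are constructed for illustration.

```python
"""Flag inbound mail whose display name or local part mirrors an internal
employee while the address itself is external (display-name impersonation).
Added example with a constructed directory; not from the original post."""
import re
from email.utils import parseaddr

# Constructed directory: employee display name -> corporate address (assumption)
DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
}
INTERNAL_DOMAINS = {"example-corp.com"}  # assumed corporate domain


def normalise(name: str) -> str:
    """Reduce 'Jane Doe', 'jane.doe' and 'JaneDoe' to the same key."""
    return re.sub(r"[^a-z]", "", name.lower())


def impersonation_risk(from_header: str) -> dict:
    """Return the parsed address plus the reasons it looks like impersonation."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    local = addr.split("@", 1)[0].lower()
    reasons = []
    # Only external senders are of interest; internal mail is out of scope here
    if domain and domain not in INTERNAL_DOMAINS:
        for emp_name, emp_addr in DIRECTORY.items():
            # Display name matches an employee, but the mail comes from outside
            if display and normalise(display) == normalise(emp_name):
                reasons.append(f"display name matches internal user {emp_addr}")
            # Local part rebuilt from the employee's name, e.g. first.last@gmail.com
            if normalise(local) == normalise(emp_name):
                reasons.append(f"external local part mirrors {emp_name!r}")
    return {"address": addr, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for hdr in ('"Jane Doe" <jane.doe@gmail.com>',        # constructed lure
                '"Jane Doe" <jane.doe@example-corp.com>',  # genuine internal mail
                '"Vendor Support" <support@vendor.example>'):
        print(impersonation_risk(hdr))
```

A hit is a reason to route the message for review or to tag it with an external-sender banner, not proof of fraud; the same pattern also shows up when staff legitimately mail in from personal accounts.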

2nd Phishing Email. Attacker sent this email after they received a response to the first email.

At first glance, it is easy to assume that we, in the same position, would have noticed one of the several red flags that this story illustrates. However, understanding the psychology of this kind of attack allows us to fully grasp how easy it is to fall victim to this type of scam. In this case, the criminal had two factors working in their favor, the first of which is the appeal to authority. Many employees are not going to question their boss when asked to perform a task as long as the job seems somewhat reasonable. If this is a task the employee has performed before, they may not think twice about doing it at all. If you work in a marketing or sales department, picking up some gift cards might not be an out-of-the-ordinary request. The appeal to authority can be just enough to make the employee second-guess their suspicion and take an action they otherwise may not have. Furthermore, company cultures often do not promote open communication and the freedom to question. Therefore, the employee may not feel empowered to raise concerns if they suspect something is amiss. Couple that with the second advantage the criminal exploits, urgency, and you have a recipe for social engineering. The “supervisor” is in a hurry and needs their assistant to perform a task quickly. If the employee has doubts, this may be the nudge they need to forget those doubts, get the job done, and “just be a team player.”

Employers should not underestimate the psychological factors that play into these types of scams. It is human nature to want to be helpful and do your job well. It is often an institutional weakness to expect employees to carry out tasks without question, or to put too few safeguards in place to prevent the compromise of one employee from costing the company money. It is natural to want to blame the employee for being careless, but the truth is that her actions were precisely what her boss would have expected had he been the one who sent the request.

If the attack had stopped here, it would have been merely a lesson learned for the company to be more careful. Unfortunately, it didn’t.

In phase two of the attack, the criminal sent an executive in the same company an email that appeared to come from another person within the company. The executive clicked a link in the email which prompted them to input their Office 365 username and password. Thinking this was merely a standard password prompt, the executive complied and completed their work.

Unbeknownst to them, the login page they had input their credentials to was fake (spoofed), allowing the hacker to capture their credentials. The attacker quietly logged into the account and remotely set up a rule to automatically mark any emails from the finance department as read and send them to a hidden folder. They then sent an email to the finance department asking why an invoice to a company had not been paid. Over the next several days they were able to pose as the company executive and trick the finance department into fraudulently processing over $20K in fake invoices.
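The mailbox rule in this phase (finance mail marked as read and moved to a folder the owner never looks at) is a durable artifact, so reviewing existing inbox rules after a credential compromise, and whenever a rule is created, is a practical detection. The triage below is an added example, not Alpine Security's incident-response tooling; the rule records are constructed to resemble a flattened inbox-rule listing, and the list of rarely-reviewed folders is an assumption.

```python
"""Score mailbox inbox rules for the hiding pattern from phase two: mail from a
particular sender is marked read and moved out of the Inbox (or deleted).
Added example; the rules below are constructed, not from a real tenant."""

# Folders a user rarely opens, so hidden mail goes unnoticed (assumption)
QUIET_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                 "archive", "junk email", "deleted items"}
# Words that suggest the rule singles out finance traffic (assumption)
FINANCE_WORDS = ("invoice", "payment", "wire", "finance", "accounts payable")


def rule_findings(rule: dict) -> list:
    """Return the suspicious traits of one rule; an empty list means benign."""
    findings = []
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("MarkAsRead") and folder:
        findings.append("marks read and moves out of Inbox")
    if folder in QUIET_FOLDERS or rule.get("DeleteMessage"):
        findings.append(f"destination is rarely reviewed: {folder or 'deleted'}")
    # Conditions: sender addresses and subject keywords the rule matches on
    targets = " ".join(rule.get("From", []) +
                       rule.get("SubjectContainsWords", [])).lower()
    if any(w in targets for w in FINANCE_WORDS):
        findings.append("condition targets finance traffic")
    if rule.get("StopProcessingRules"):
        findings.append("stops later rules")
    return findings


def triage(rules: list) -> list:
    """Return (rule name, findings) for rules with two or more findings."""
    out = []
    for r in rules:
        f = rule_findings(r)
        if len(f) >= 2:
            out.append((r["Name"], f))
    return out


SAMPLE_RULES = [  # constructed records, shaped like a flattened rule listing
    {"Name": "Hide finance", "From": ["finance@example-corp.com"],
     "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions",
     "StopProcessingRules": True},
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"],
     "MarkAsRead": False, "MoveToFolder": "Reading"},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES):
        print(name, "->", "; ".join(findings))
```

In Exchange Online the same review can be driven from the output of Get-InboxRule, and a hit should be paired with the account's recent sign-in history, since the rule itself is only the footprint of the earlier credential theft.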

Both of these cases have human error as a common element, but stronger institutional safeguards are the only real tool to defeat human error. What would happen if we put a straightforward safeguard in place in either of these cases? What if a phone call and passphrase, or digitally signed email were required to initiate a wire transfer? What if the employees had training on how to detect spoofed emails? 

In a third case, a client of Alpine Security received the same email requesting that they purchase iTunes gift cards. This was particularly interesting because the employee had recently bought gift cards for a similar giveaway. However, in this case, the company had a safeguard in place that a transaction like this needed to be approved verbally by the employee's supervisor. When she contacted them, they quickly detected the email was a hoax and were able to move on with no loss of money and little lost time.

How well would your organization handle an event like this? In the fast-paced world of cybercrime, no company is too small or too big to be a target. Stories like this happen every day. For the unprepared, they can bankrupt an organization or cause severe operational impacts. For a prepared company, they are a blip on the radar and something to talk about after you hit your next team milestone.  

Does your institution have the training and safeguards in place to weather a cyber attack? Alpine Security has the tools to help. We offer a full range of private training for organizations to assist in cybercrime prevention as well as penetration testing, vulnerability assessment, and social engineering campaigns. Want to see how ready your company is for a cyber attack? Do not wait for the bad guys to test you. Let us help!

Author Bio

Isaac (on the left) hiking in Vietnam

Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security.  He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification.  Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics.  Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. 

When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer.  An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia.
