E-mail is a very, very old protocol. The Simple Mail Transfer Protocol (SMTP) was first defined in 1982. Back then, computer experts couldn't imagine the type of cybersecurity risks that would come, so security of the protocol was not front-of-mind. While the protocol has been updated, e-mail is still based on this 35-year-old idea, and the flaws that remain allow spammers and spoofers to get through to you.
The most basic attack is to simply "spoof" the "From" address. Think of sending a traditional, paper letter: instead of writing my own address in the upper-left corner, I write my friend Judy's address. That's exactly what's happening here.
Was Judy "hacked" here? Of course not. I just wrote her name. There is nothing Judy can do to prevent me from doing that, and that's the same with email. Email is designed to allow this! Of course, there are some things you can do to help reduce the chance of this attack being successful – more on this later.
The message itself could be anything, but we commonly see the following:
- "CEO Fraud" spoof
- Malware delivery – such as ransomware
- Simple advertisements – "classic" spam
- Less common: a hacker trying to get into your account specifically, targeting you to extract information
The first two are particularly common and nasty. CEO fraud: An email is sent, purporting to be from the CEO, requesting an urgent wire transfer. The unwitting CFO receives the email and, sensing urgency, dutifully transfers the funds. Later, they learn the CEO didn't send that email at all – and the money is gone. This is highly profitable according to the FBI. A ransomware attack, rather than asking to transfer funds, prompts the user to click a link which downloads malicious software (malware). The malware could lock up all files on the computer, and then tell the user: send us the cash, and we may unlock your files!
How did they get my address or my friend's address?
We get this question a lot: "I got an email from my CEO, asking to transfer money to an account. I know this was a fake email, but was my email hacked? Was my CEO's email hacked?"
The answer: probably not! Relatively speaking, it is much more difficult to hack into someone's email than it is to just pretend to be them. Hacking someone's email is "noisy" – by which I mean, it can set off a bunch of alarm bells for the savvy systems administrator, the user will notice unusual behavior, etc. If I simply make my email "Judy Smith <[email protected]>" and then email all of Judy's coworkers, I'm not "touching" Judy's system or the company's system at all.
But how did I get Judy's coworkers' addresses? There are many different ways. Two common techniques are simply guessing addresses (I'm going to go out on a limb and guess many of you have an [email protected] address that goes to a real person, for example) or "scraping" the corporate web site – go to the "About Us" page, open the staff directory, and grab all the addresses! Of course, this is automated and done by the computer. This is called email harvesting.
What can I do?
The first thing to do is ensure you have a properly secured email system. This includes robust anti-spam and anti-malware systems, and properly setting SPF, DKIM and DMARC records. These are things any corporate email system should have in place. You also want to ensure all operating systems and other software on your computer is properly patched, and you have properly-managed antivirus/antimalware software installed. Thirdly, make sure you have backups in place – if you get hit with ransomware, the easiest way to recover is to restore from backup.
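"Properly setting" SPF and DMARC records means more than just publishing them: an SPF record ending in `+all` or a DMARC policy of `p=none` looks like protection but lets spoofed mail through. The following is an added example, not code from the original post, that lints the two published DNS records for a domain and reports weak settings beside what a strict setup looks like. The records in `SAMPLE_DNS` are constructed stand-ins for real DNS TXT lookups so the script runs offline; DKIM is left out because it is configured by signing outgoing mail at the server, not by a single record you can lint this way.

```python
# Lint SPF and DMARC TXT records for common weak settings.
# Constructed sample records that stand in for DNS lookups (no network needed).
SAMPLE_DNS = {
    # Weak: SPF passes everyone, DMARC only monitors.
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    # Strict: named senders only, hard fail, reject policy, reports requested.
    "good.example": "v=spf1 mx include:_spf.mailprovider.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; adkim=s; aspf=s",
    # Nothing published at all.
    "nospf.example": "",
}


def parse_spf(record):
    """Split an SPF TXT record into its mechanisms (version tag dropped)."""
    if not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def spf_findings(domain, lookup):
    findings = []
    mechs = parse_spf(lookup.get(domain, ""))
    if mechs is None:
        return ["no SPF record: any host can claim to send for this domain"]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_mech = next((m for m in mechs if m.lstrip("+-~?") == "all"), None)
    if all_mech is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_mech in ("all", "+all"):
        findings.append("'+all' passes every sender; SPF gives no protection")
    elif all_mech == "?all":
        findings.append("'?all' is neutral; receivers will not reject spoofed mail")
    elif all_mech == "~all":
        findings.append("'~all' softfail: spoofed mail is marked, not rejected")
    return findings


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_findings(domain, lookup):
    findings = []
    tags = parse_dmarc(lookup.get("_dmarc." + domain, ""))
    if tags is None:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings


def audit(domain, lookup=SAMPLE_DNS):
    """Return every weak-setting finding for a domain; an empty list means strict."""
    return spf_findings(domain, lookup) + dmarc_findings(domain, lookup)


if __name__ == "__main__":
    for dom in ("weak.example", "good.example", "nospf.example"):
        print(dom, audit(dom) or ["ok"])
```

To run this against a real domain, replace the dictionary lookup with a DNS TXT query for `domain` and `_dmarc.domain`; the findings logic stays the same.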
But we can't just trust the computers to handle this – as always with cybersecurity, humans are the weakest link. To properly protect yourself, make sure you have the following in place:
- User education. Train your staff on how to detect whether an email is spoofed. Spelling errors? Terrible English? Words not commonly used by your staff? Email with a sense of urgency that you weren't expecting? Odd external web addresses? A weirdly-formatted "From" address? These are all hints. I highly recommend formalizing cybersecurity training across the organization but especially among executives who have access to sensitive data or bank accounts.
- Proper SOPs for wire transfers. For example, require verbal approval as well as written approval. Require approval from more than just one person. Make sure all wire transfer requests are associated with a PO in your financial system.
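The hints listed under user education can also be checked by a mail gateway before a person ever reads the message. The following is an added example, not code from the original post, that applies a few of those heuristics to a raw message: an executive's display name on an external address (the `Judy Smith <...>` trick described earlier), a From domain that merely looks like the company's, a Reply-To pointing somewhere else, and a subject line pressing for urgency. The company domain, the executive list and the two sample messages are constructed assumptions; a production filter would combine these hints with the SPF/DKIM/DMARC results rather than rely on them alone.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"         # hypothetical organisation domain
EXECUTIVES = {"judy smith", "ceo"}     # hypothetical display names worth protecting
URGENCY_WORDS = ("urgent", "immediately", "wire", "right away")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(domain, target):
    """Cheap look-alike test: one character swapped (examp1e.com), or the
    company's label buried inside a different domain (mail-example.net)."""
    if domain == target:
        return False
    if len(domain) == len(target) and sum(a != b for a, b in zip(domain, target)) == 1:
        return True
    return target.split(".")[0] in domain


def spoof_hints(raw_message):
    """Return human-readable hints that a message may be spoofed; [] means none found."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    hints = []
    if name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        hints.append(f"display name '{name}' but address is external ({from_dom})")
    if from_dom != COMPANY_DOMAIN and looks_alike(from_dom, COMPANY_DOMAIN):
        hints.append(f"From domain {from_dom} looks like {COMPANY_DOMAIN}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        hints.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        hints.append("subject presses for urgency")
    return hints


# Constructed sample messages (not real mail).
SPOOFED = """From: Judy Smith <judy.smith@mail-example.net>
Reply-To: judy.smith@mail-example.net
Subject: Urgent wire transfer needed today
To: cfo@example.com

Please handle the transfer today.
"""

LEGIT = """From: Judy Smith <judy.smith@example.com>
Subject: Q3 numbers
To: cfo@example.com

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_hints(sample) or ["no hints"])
```

These are hints, not verdicts: a real executive writing from a personal address on a weekend will trip the first rule, which is exactly why the wire-transfer SOP above requires a second channel of approval rather than trusting the email itself.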
So… How does this all actually happen?
Reading about this is great, but how does a hacker actually identify targets? How is the virus built? What happens when a computer is infected with ransomware? You will see this in real time as we go through all the hacking steps: reconnaissance, virus design, tricking someone to click on the link, and seeing the computer get "compromised" – while learning the dos and don'ts along the way. Join me on February 8 for this session… Word of warning: you might want to stay OFF of wi-fi during the presentation!