Cyberthieves’ evolution makes curtailing attacks more difficult for businesses unable to keep pace. Ransomware and network and infrastructure disruptions were among the incidents companies previously defended against, but those are fading in favor of a more lucrative prize: gaining control of operations.
Learning how a company works has become a priority among hackers. Holding organizations hostage for a few Bitcoins pales in comparison to financial gains made from stealing the blueprint for how businesses perform daily affairs.
The goal has changed, but the method of attack hasn’t. Email remains hackers’ most valuable weapon. The rise in cloud-based email has benefitted cybercriminals. The migration to Office 365 has proved to be detrimental to companies that aren’t securing email. More than 60 percent of businesses were victims of malware attacks that were spread from user to user via email last year.
Cloud security service company Avanan found vulnerabilities that allow malware to go undetected by Microsoft’s security and desktop email filters and to leak user credentials. Instead of gaining control of a business’s infrastructure, this malware focuses on gaining control of the user. These targets, also known as “Very Attacked Persons (VAPs),” are vetted and infiltrated based on importance within organizations. Those with more privileges are more likely to be attacked.
Hackers use social media to plot their attacks. LinkedIn and Google are the most used sites. Company executives expose their credentials, particularly email addresses, and leave themselves vulnerable. Web-based social engineering schemes surged 200 percent from the second to third quarter last year.
Cyberthieves send phishing emails embedded with remote access trojans (RATs) that are downloaded from email attachments. Hackers gain administrator control of computers, which gives them access to confidential information and lets them turn on webcams, format drives, and delete or alter files. Cybercriminals can redirect invoice payments into secret accounts, upload viruses and monitor users’ behaviors through keylogging, which could lead to hijacking personally identifiable information.
Enormous windfalls, with which ransomware or infrastructure disruptions couldn’t compete, are accomplished in a similar fashion. Why should hackers settle for Bitcoin, when they could have every bit of the companies they are attacking?
This approach should have business leaders concerned. More is at stake, and employees unaware of these grim outcomes are easy targets. User-awareness training could help make companies safe from intruders. Apogee IT Services focuses on educating its clients’ employees, and it could reduce the odds your company will be attacked.
Too many VAPs aren’t A-OK and organizations ignoring this threat could become DOA with no one to blame but themselves.
To discuss security strategy, contact Security Analyst Frank Verdecchia at firstname.lastname@example.org.