Beware of emails from your CEO
Symantec's Security Practice Director Justin Doo tells Kipp how cyber attacks have transformed from generalized SPAM and phishing attacks into very sneaky targeted deceptions and why SMEs need to take special precautions.
October 10, 2012 3:53 by Eva Fernandes
Here in the Middle East, it has been an eventful few months with regard to high-profile cyber crime. This August, reports emerged of malicious code called Shamoon having been planted on roughly 30,000 computers at two of the major players in the Gulf oil and gas industry, Saudi Aramco and Qatar's RasGas. Shortly after, a Middle Eastern group claimed responsibility for cyber attacks on US financial institutions including JPMorgan Chase, US Bancorp and Bank of America. In May, Kaspersky Lab discovered the Flame malware compromising systems in the Middle East and Iran; it was described as the "most complex piece of malicious software yet found." A Flame-related piece of malware called Gauss, discovered in August, was designed to steal financial information from customers of a number of banks in Lebanon.
Of course, this list is just the tip of the iceberg, not counting all the organizations that prefer not to disclose their breaches. Cyber attacks are on the rise, and it isn't just the big organizations that need to take note. In fact, experts say it is the small and medium-sized enterprises (SMEs) that need to be especially cautious, because of the pivotal role they play as a stepping stone from which hackers reach larger enterprises. Symantec's Security Practice Director Justin Doo says that in the last 12 months more than 17 percent of all SMEs have been targets of cyber attacks, and studies show some 71 percent of these companies never recover. We spoke to Doo to find out more about the threats and how businesses can protect themselves.
How has the cyber crime scene changed over the past couple of years?
What we are seeing in threats for the past two years or so is a very focused change from previous threats. When we look at how threats were perpetrated back in the 2000s, malware writers would use spam; they would use a very broad approach to attack. So you may have heard of something called phishing, where they would send out an email pretending to be from one of the big financial organizations. That still goes on, but more and more organizations and people have set up basic filters and protection which detect spam, malware or phishing attempts.
What methods are cyber criminals using to compromise systems?
What we are seeing now is more and more of a targeted attack, where individual emails are sent to maybe two or three people in an organization. If the organization has been profiled, they will know where the CEO is speaking; they will know where the CFO is speaking, for example. They will know the topic that they will be talking on. They can send a follow-up email to that; they can send an attachment with that follow-up email. The attachment will have the malware or a link to a malicious site. The CEO or the CFO may not even respond to that email, but he may pass it on to somebody else in the organization, who may equally not respond to that email but pass it on to somebody else, and internally you are looking at a thread, going around, where the CEO is the one that started it off. When it gets to an analyst or a financial administrator, they are going to look at the thread and go: "Oh my God, the CEO has sent this," so they aren't going to think about the security aspects. They click on the link or the malware, or open the attachment, and that then starts the next wave, which is either reporting back to a malware writer or leaving an application on the endpoint that then starts talking back, and the next piece of malware can be downloaded, which lets them sniff the network, get usernames and passwords, and look for critical information. They can use the network as a private network so that they can then launch their own private applications to look out for more victims. So it has moved from being a very, very generic, wide-ranging threat to a very targeted and individualized threat.
How does this affect SMEs and why do cyber criminals want to attack SMEs?
SMBs are part of the value chain for enterprises. So an SMB in travel would typically have a link into the bigger enterprises that use them for their travel. So then, if I break into or compromise the travel organisation, I will have a trusted link into the enterprise. So the enterprise may be too hard to target, but by using that trusted link, if I can compromise the SMB, say, for example, I can then use their mail server. I can then send an email to the main organization that is a legitimate email that comes from that supplier; it will have a trusted value over and above receiving an email from somebody outside who we don't know.
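The two mechanisms Doo describes above, the "CEO" email that arrives from a look-alike address and then circulates internally, and the legitimate-looking message sent from a compromised supplier's mail server, can be partly caught by a small mail-triage check at the receiving organisation. The following Python is an added example written for this page; it is not code from the interview, from Symantec or from Kipp. The organisation domain, executive list, supplier domain and the three sample messages are all constructed assumptions. The point it makes about the supplier case is that the message passes every sender-based check by construction, so only content inspection (attachment type, link destinations) has any chance of catching it.

```python
"""Added example (not from the interview): triage of targeted phishing mail.
Domains, names and sample messages below are constructed for illustration."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

ORG_DOMAIN = "example-corp.com"                            # assumed victim organisation
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed: display name -> real address
TRUSTED_SUPPLIERS = {"travel-partner.example"}            # assumed supplier in the value chain
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".hta", ".lnk", ".docm", ".xlsm")
URL_HOST_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_source(domain):
    """Where the mail claims to come from; a trusted supplier is NOT a free pass."""
    if domain == ORG_DOMAIN:
        return "internal"
    if domain in TRUSTED_SUPPLIERS:
        return "trusted-supplier"
    return "external"


def triage(raw):
    """Return {'source': ..., 'findings': [...]} for one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # Sender checks: executive display name on a foreign address, look-alike domain,
    # Reply-To pointing somewhere other than the sender's domain.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' belongs to {real} but address is {addr}")
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")
    _, reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} points outside the sender domain")

    # Content checks: these run regardless of source, which is what catches the
    # compromised-supplier case where every sender check is clean.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted({h.lower() for h in URL_HOST_RE.findall(text)}):
        if not (host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)
                or host in TRUSTED_SUPPLIERS):
            findings.append(f"link to untrusted host {host}")
    return {"source": classify_source(from_domain), "findings": findings}


def _build(from_addr, subject, body, attachment=None, reply_to=None):
    """Construct a sample message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "analyst@example-corp.com"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00payload", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


def sample_messages():
    return {
        "ceo_lookalike": _build("Jane Doe <jane.doe@examp1e-corp.com>",
                                "Re: Slides from yesterday's panel",
                                "Team, please review the updated deck:\nhttp://examp1e-corp.com/deck\nJane",
                                attachment="panel_notes.docm",
                                reply_to="j.doe@mail-relay.example"),
        "supplier_compromised": _build("Bookings <bookings@travel-partner.example>",
                                       "Updated itinerary",
                                       "Your itinerary is attached. Details also at\n"
                                       "https://travel-partner.example/booking/4411",
                                       attachment="itinerary.js"),
        "legitimate_internal": _build("Jane Doe <jane.doe@example-corp.com>",
                                      "Monday agenda",
                                      "Agenda is on the intranet:\nhttps://intranet.example-corp.com/agenda"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, triage(raw))
```

Running the block prints the three verdicts: the look-alike "CEO" mail trips every sender check plus the attachment and link checks, the supplier mail is classified as trusted-supplier with no sender findings at all and is flagged only for its script attachment, and the genuine internal mail produces nothing. In a real deployment the executive list and supplier list would come from the directory and vendor records rather than constants, and the look-alike test would also cover homoglyphs, but the structure is the same.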