I recently attended a webinar on new cybersecurity threats, and watched a “live hack” as part of the learning session.
The hacker was a Certified Ethical Hacker (CEH) and Computer Hacking Forensic Investigator (CHFI); two certifications that we also hold in our office. The featured hacker works for a security firm that performs intrusion and penetration tests on networks and runs a phishing/social engineering training service.
The live hack took seven minutes from start to finish; we watched the hacker visit a company website to grab email addresses for specific roles within the company. The hacker sent an email to a random person on staff in order to receive a reply with a company signature line. He then created a spoofed email address, appearing to send a message from the CEO to various members of the sales team – included in that email was a copy of the signature line he had just received, to keep the email consistent with the company “look”. The email attachment contained an Excel file with macros and appeared to contain company data regarding sales for the end of the quarter. After the hacker clicked send, it was only a matter of time before the sales staff received and opened the infected email.
As soon as the recipients clicked to enable macros, the hacker received backdoor entrance to their computers. While logged in, the hacker had several different options. He could remain hidden and use a key logger to collect usernames and passwords, he could install an encryption file and hold the recipients’ files ransom, he could begin using the computer to mine bitcoin or host bots and viruses, or he could try to reach across the domain to infect other computers on the network.
One click and seven minutes were all it took to seriously compromise the data, network, and users of this specific business. As we followed the hacker back to the beginning, he illustrated the clues the users should have seen to indicate that this was a phishing email and not real sales data. We could hover over the sender name and see that the address did not match the expected domain. We could have hovered over the links in the signature line and noticed that they were not live – that the signature line was a screenshot.
Many of the webinar attendees questioned why the virus scan on the recipients’ machines did not block the infected file. The hacker showed us that the recipients were indeed using a virus scan, but a free version that was only comparing files to a known database. His infection was so new that the signature had not yet been listed in these virus databases. If the recipients had been using sandbox-based endpoint protection (antivirus), the file would have been opened in the cloud, away from the physical computer, and checked for behavioral characteristics before the file was released for download.
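As an added example (not from the webinar or this post), the following Python check flags the three clues described above on a raw email: a sender address outside the company's domain, a signature that is only a picture with no live links, and an Office attachment that carries a VBA macro project. The expected domain, the look-alike sender address and the attachment are constructed placeholders.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the company's real mail domain (placeholder for this example).
EXPECTED_DOMAIN = "example.com"
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
def has_vba_macros(data):
    """True if an Office Open XML attachment (xlsm, docm, ...) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in MACRO_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    """Return the webinar's phishing clues that this raw RFC 822 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    clues = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != EXPECTED_DOMAIN:
        clues.append("sender-domain-mismatch")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        body = html.get_content().lower()
        # A signature pasted as a screenshot shows an <img> but no live <a href> links.
        if "<img" in body and "<a href" not in body:
            clues.append("image-only-signature")
    for part in msg.iter_attachments():
        if has_vba_macros(part.get_payload(decode=True)):
            clues.append("macro-enabled-attachment")
    return clues
def build_sample():
    """Constructed message mimicking the spoofed CEO email from the webinar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal stand-in for an .xlsm file
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"constructed-vba-stub")
    msg = EmailMessage()
    msg["From"] = "Chief Executive <ceo@examp1e.com>"  # constructed look-alike domain
    msg["Subject"] = "Q4 sales figures"
    msg.set_content("See attached.")
    msg.add_alternative('<p>See attached.</p><img src="cid:sig">', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="Q4_sales.xlsm")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see all three clues reported for the constructed message; a plain-text reply from a colleague on the real domain produces an empty list.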
What can clients do to protect themselves from sneakier and trickier cyber threats?
- Endpoint Protection: install antivirus and antimalware software, apply updates as they become available, and run scans on a regular schedule.
- Firewall: this intrusion prevention device can close off your network to uninvited internet traffic.
- Train employees on how to spot and deal with phishing emails.
- Password Safety: use strong, unique passwords, use multi-factor authentication when possible, and use biometrics (facial or fingerprint scan) as an authentication tool.
- Use productivity tools with built-in security, like Microsoft 365 Business.
I have also attached a PDF that discusses several of these tools and policies in greater detail.
Leslie is Marketing Manager at ITS, with a background in K-6 Education. Leslie’s daughter recently attended a STEM career/experience day, and came home announcing that she was the “fastest hacker” – a sure sign that she does listen to her parents at home!