Are You Working for a Hacker?

Why professional services companies are the primary target of cyber criminals.

I first wrote this in 2013. In light of the Deloitte hack I thought I should republish

Cyber criminals love advisors, but not because they guide them through legal issues or help them hide their ill-gotten gains. Rather, of all the cyber criminal’s potential targets, advisors present the best value for money.

Jon Smith, a financial advisor to some high net worth individuals, recently awoke to a hundred email messages denoting “failed delivery.” The messages indicated Jon had sent out over 1,000 emails and these 100+ had failed to be delivered because the recipient email accounts were no longer active. A limited investigation showed that Jon had sent a series of emails to everyone in his contact list suggesting they all visit a particular website. The title of the email was “Have you seen this?” Odd, because Jon did not remember sending the email and he himself had not “seen” the website contained in the email.

Jon’s email account had been compromised and used to send out “spam” email to each of Jon’s contacts. Moreover, since the emails came from Jon, a trusted adviser, many of his contacts clicked the link and installed the “video player” the site required to view Jon’s message. The message was a cat playing a piano. The “video player” downloaded was malware used to collect and steal online banking credentials.
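Jon only learned of the compromise when the bounces came back. The same symptom is visible much earlier in a mail server's outbound log: one mailbox sending a single subject to its whole contact list within minutes. The script below is an added example, not code from the original post; the log format, the domain names and the sender addresses are constructed for it.

```python
"""Spot a mailbox that suddenly sends one message to its entire contact list.

Added example, not from the original post. The log format, the domain names and
the sender addresses are all constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed outbound mail log: one tab-separated line per delivery attempt,
# "<ISO-8601 timestamp>\t<sender>\t<recipient>\t<subject>".
_BASE = datetime(2013, 5, 2, 3, 11, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # Jon's ordinary traffic earlier in the day: a few replies, different subjects.
    f"{(_BASE - timedelta(hours=5, minutes=i)).isoformat()}\tjon@advisors.example\tclient{i}@clients.example\tRe: quarterly review {i}"
    for i in range(3)
] + [
    # The burst: the same subject to 120 different contacts, one per second.
    f"{(_BASE + timedelta(seconds=i)).isoformat()}\tjon@advisors.example\tcontact{i:04d}@clients.example\tHave you seen this?"
    for i in range(120)
] + [
    # A colleague's normal traffic in the same window.
    f"{(_BASE + timedelta(seconds=30 * i)).isoformat()}\talice@advisors.example\tclient{i}@clients.example\tEngagement letter {i}"
    for i in range(4)
]


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, subject)."""
    ts, sender, recipient, subject = line.split("\t", 3)
    return datetime.fromisoformat(ts), sender, recipient, subject


def find_mass_mailers(lines, window=timedelta(minutes=10), min_recipients=50, subject_share=0.8):
    """Return {sender: details} for senders that, within any `window`, reached
    at least `min_recipients` distinct recipients and used one subject for at
    least `subject_share` of those messages."""
    by_sender = defaultdict(list)
    for line in lines:
        ts, sender, recipient, subject = parse_line(line)
        by_sender[sender].append((ts, recipient, subject))

    alerts = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            recipients = {r for _, r, _ in in_window}
            if len(recipients) < min_recipients:
                continue
            subject, count = Counter(s for _, _, s in in_window).most_common(1)[0]
            if count / len(in_window) >= subject_share:
                alerts[sender] = {
                    "recipients": len(recipients),
                    "subject": subject,
                    "window_start": events[start][0].isoformat(),
                }
                break  # the first offending window is enough to raise the alert
    return alerts


if __name__ == "__main__":
    for sender, details in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{sender}: {details['recipients']} recipients, subject {details['subject']!r}")
```

The thresholds are deliberately simple: a firm's own baseline (how many distinct recipients an advisor normally reaches in ten minutes) should set `min_recipients`, and the subject-share test separates a hijacked account from a legitimate bulk mailing where subjects are still uniform but the sender is a known newsletter address.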

The psychology of a cyber criminal

Cyber-based crime has different motivators, different methodologies, and different targets. Whilst the media likes to use the word cybercrime for every computer-based attack, the term is really about profit-motivated attacks. Cyber criminals are financially motivated fraudsters who use the Internet to access data and facilitate their main objective: to make a profit.

Although cyber criminals may view themselves as smart business people who “work smarter, not harder,” the reality is that the techniques cyber criminals typically employ are lazy.

As personal cyber security systems have become more robust and user-friendly, it has become harder for financially-motivated hackers (FMHs) to collect the data they need. Targeting only one individual at a time, breaking through each unique security system, and then committing a fraud on that one target with no guarantee of success is not a good return on investment or time.

Therefore, FMHs like volumes of data from which they can attempt mass fraud schemes, tweaking each attempt to ensure the highest level of success. As well as holding large volumes of data, the ideal target will usually have three main attributes: (1) limited cyber security; (2) full access to the system or network on which they are based; and (3) IT support staff who are just that, “support” rather than security focused.

Professional services firms such as lawyers, accountants, consultants and wealth managers are an attractive target as they typically hold volumes of valuable data which are often stored in an organised manner with little protection.

Professional services: the perfect target

By gaining access to a lawyer’s email accounts, not only can hackers read about upcoming transactions or litigation, but they can also impersonate a victim’s lawyer or gain enough personal data to effect wire transfers, property sell-offs, or any other manipulation available to them. The same can be said about the accounts of wealth managers or accountants.

Such attacks are not sophisticated hacks. Most involve a simple password collection made when the adviser clicks on a link in a phishing email that requires or automates a software download before viewing a file or a video that has gone viral.

Or, if the attacker has the email address of the target, they will attempt to brute force (try multiple passwords) against the account until either they get in or the account is locked.

Spear-phishing emails, a more directed version of phishing, are tailor-made for a specific person or professional group with the focus on getting that person or group to click a link and install hidden malware. Professional services advisors are profiled by the attackers using social media, standard media, client inquiries and public records to determine their likelihood of having access to the data required by the cyber criminals.

The attackers use the profiles to focus the attack in order to achieve the maximum number of clicks by the email recipients. Ever wonder why you get so much spam or why you have so many new Facebook, LinkedIn, or Twitter followers? Even friendly emails with sugar-coated offers to win a new iPhone6 pose a risk if you click a link and provide any information.

Complacent thinking

Cyber criminals rely on complacent thinking. Many professionals believe that if their email was compromised, they would notice unusual traffic. Unfortunately, once a hacker has access to a victim’s email account, he or she can set up filters that move certain messages out of the hacked inbox into folders, forward them elsewhere, or even reply to them and delete them before the target sees them.
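Because those filters live inside the mailbox, they are also the easiest place to look for evidence of a compromise. The audit below is an added example, not code from the original post: it walks a mailbox's rule list and flags exactly the three behaviours described above. The rule records, the folder names, the watch-word list and the domain names are constructed assumptions; a real mail server's rule export will use its own field names.

```python
"""Audit a mailbox's inbox rules for the three behaviours the post describes:
mail forwarded away from the inbox, filed out of sight, or deleted before the
owner sees it.

Added example, not from the original post. The rule records, the folder names,
the watch-word list and the domain names are constructed assumptions; a real
mail server's rule export will use its own field names.
"""

# Domains whose addresses count as "inside" the firm (constructed).
INTERNAL_DOMAINS = {"advisors.example"}
# Folders a user rarely opens, so mail filed there effectively disappears.
QUIET_FOLDERS = {"RSS Feeds", "Deleted Items", "Archive", "Junk Email", "Conversation History"}
# Subject or body terms that, combined with hiding or deleting, warrant a look.
WATCH_WORDS = {"invoice", "wire", "payment", "bank", "password", "transfer", "failed delivery"}

# Constructed rule export for one mailbox. Field names are this example's own.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True, "subject_contains": ["newsletter"],
     "move_to_folder": "Newsletters", "forward_to": [], "delete": False},
    # Hides the bounce messages that would otherwise tip the owner off.
    {"name": "Tidy up", "enabled": True, "subject_contains": ["failed delivery", "undeliverable"],
     "move_to_folder": "Deleted Items", "forward_to": [], "delete": False},
    # Copies everything to an outside mailbox and removes the original.
    {"name": "Backup copy", "enabled": True, "subject_contains": [],
     "move_to_folder": None, "forward_to": ["jon.smith.backup@webmail.example"], "delete": True},
    # Disabled rules are reported nowhere; they take no action.
    {"name": "Old forward", "enabled": False, "subject_contains": [],
     "move_to_folder": None, "forward_to": ["someone@elsewhere.example"], "delete": False},
]


def _watch_hits(rule):
    """Watch words that appear in the rule's subject/body conditions."""
    text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    return sorted(word for word in WATCH_WORDS if word in text)


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return [(rule name, [reasons])] for enabled rules that match a pattern."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = []
        for address in rule.get("forward_to", []):
            domain = address.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"forwards to external address {address}")
        hits = _watch_hits(rule)
        folder = rule.get("move_to_folder")
        if folder in QUIET_FOLDERS and hits:
            reasons.append(f"files mail mentioning {hits} into '{folder}'")
        if rule.get("delete") and hits:
            reasons.append(f"deletes mail mentioning {hits}")
        if rule.get("delete") and rule.get("forward_to"):
            reasons.append("deletes the message after forwarding it")
        if reasons:
            findings.append((rule.get("name", "<unnamed>"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"{name}: " + "; ".join(reasons))
```

Run periodically against every mailbox rather than only after an incident: a rule that forwards to an outside address, or that routes "failed delivery" notices straight to Deleted Items, is worth a question to the mailbox owner even when nothing else looks wrong.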

Even in rare cases where the fraud is discovered and halted in time, cyber criminals will have already stolen information and can use it against victims in a future attack or to make a profit. The financial value of confidential data should not be underestimated. If it is sensitive, there will likely be someone willing to pay for it.

Protecting yourself from working for a hacker

The severity of the risk is brought home when two key questions are considered:

1. If you discover a compromise on your system, do you have any way of knowing what was viewed, modified, or taken?

2. What would be the impact to your business if it became public that client data was stolen and potentially misused?

In the past year, Kroll has been engaged on more than 25 such matters for large professional services firms. The message behind this trend is clear: why attack on a one-on-one basis when a single targeted attack can get you 1,000 victims or more?

The damage to firms in the professional services sector is equally multiplied. In a sector that relies on trust and belief that client information will be protected, the effects can reverberate for years.

The assumption is often made that there is nothing of value that cyber criminals could want, therefore it is not a concern. But the truth is that cyber criminals do not discriminate; they want a lot of data, some of which may seem irrelevant to others. A personal credit card number is just a small piece.

Businesses need to understand what data they hold, why it is important or attractive to cyber criminals, how it is protected, and who has access to it. A proactive understanding of the threats leads to proactive mitigation.

The next time you are “inconveniently” forced to change your password due to some internal policy understand that this, as well as other requirements, could be the difference between money in your hands and money in the cyber criminals’ hands. It could be the difference between working for your client and working for a hacker.