CyberCrime: How Businesses Are Under Threat, And From Who?
From Ransomware and Virus infection to the theft of your banking or customer data, who is trying to hack you and why? And if you know the who and why, you’ll be better prepared to stop them.
There are millions of pieces of malware at work at this very moment across the Internet. Millions of computers are infected with nefarious pieces of software that are designed to be, simply annoying. There are also more serious and sophisticated ransomware attacks underway right now, where a computer’s data is frozen and encrypted with the owner held to ransom for hundreds or thousands of Euro. It’s not just scare-mongering, Ireland is no different to other digital-societies; if we are online, we are at risk.
Hacking is a term often used too broadly in the world of CyberCrime. Hacking groups have been around for a long time. In the 1960s a practice known as phone-phreaking became popular amongst young engineers who figured out a way to make free long distance telephone calls, using an infamous hacking tool, the Blue Box. These early days of free phone calls are often recalled fondly at conferences, as the good old, harmless days of hacking.
Who Are The Hackers?
The large-scale data breaches we now see reported in the news, or the massive denial-of-service attacks on corporate websites that disable them for days are most often carried out by groups of Hacktivists. Politics or religion are their most likely motivation, and the groups tend to be large but geographically diverse. These groups can be so diverse that one arm of the group doesn’t know what the other is doing, and may even disagree with method and motivation.
Nation-states have become active hackers also, and they can have a few motivations. They may be interested in surveillance of citizens in another country, they may be interested in accessing the websites and data of foreign governments or they may be interested in commercial-spying against companies who compete with their home grown businesses. The legendary Stuxnet hack, where a malicious piece of software was deliberately placed inside the computers of Iran’s nuclear program, was most likely not carried out by a group of anti-nuclear hacktivists, but by a government with ample resources, and patience.
Who’s Hacking Small Businesses?
The business owner has to be most wary of a different type of criminal, the CyberCriminal. These can be lone wolves, but they are increasingly groups of criminals who have moved away from conventional crime, to online. The rewards can be greater, the risk of getting caught is smaller and they can work in a way that lets them run a crime operation, twenty-four hours a day.
The single biggest risk to Irish businesses from these types of criminals is the Phishing attack. Recently I’ve seen fake emails created by cyber-criminals purporting to be from a number of Irish banks and one state body. They looked so convincing, I wasn’t surprised to learn that dozens of computer users had been taken in by them on a single morning.
Phishing attacks take a number of forms. One method involves the Cyber Criminal trying to fool you into thinking some of your online details need updating. They’ll design their emails to look like legitimate emails from banks or well-known online brands and if they convince you to click on a link in their spoof mail, they’ll present you with a convincing, but fake website where they try to capture your username and password so they can use your account, to pay for goods or services, or even transfer money directly to a non-traceable destination.
A similar scheme is where an email seems to promise an insurance or tax rebate, with the email detailing how the organisation will put the credit straight on to your debit or credit card. Of course, the fake email asks you to enter the details of your card into a very convincing looking website. Within the hour, if you fall for the scam, you will likely see small charges for things like food deliveries on your card which will help establish to the criminal that they’ve got a valid, working card. Over the next few hours, as they or someone they’ve sold your details to, use it, you might see charges appearing for thousands of Euros of high-value purchases for things like mobile-phones or even small amounts of cryptocurrency that they will convert back to cash later.
One of the most devious scams I’ve seen this year, aimed specifically at SMEs, was a cleverly designed email that looked like a final demand from a shipping company, with an almost identical name to a well known logistics company. The addressee details on the attached statement were word perfect, right down to Eircode, and the mail was highlighted for the attention of the MD of the business, who was on holiday. This appeared much more than a coincidence to me, indicating the sender of the email was probably based in Ireland or had at least done clever research on their target companies. The statement detailed that payment for shipping was overdue; if the bill for seven thousand Euros wasn’t paid, immediately, that all shipping would be suspended and any goods in transit would be retained at the shippers warehouse. It was remarkably convincing, with an ominous sense of urgency, and ended up in the SMEs small finance department.
A conscientious employee came close to paying the fake statement, only at the last moment deciding to telephone their legitimate shipper to check if there was any subsequent invoices not included on the fake bill.
This type of CyberCrime is by far the most likely threat to small businesses. Yes, customer data is valuable to a third party, as are commercially sensitive terms and contractual documents, but the common CyberCriminals who threaten small business every day are after one thing, cold-hard cash. They’ll phish for your bank or PayPal details, they’ll send you fake invoices for directories you never signed up for, and even bill you for your own website domain name, at a hugely inflated price.
Strong passwords, anti-malware and anti-virus software and software updates can help keep you safe, but you need to be vigilant; remember, if you can do business online twenty-four hours a day, there’s also a threat to you twenty-four hours a day.
Magnet are hosting the National Cybercrime Awareness Day on October 24 in the Royal College of Physicians, Dublin 2. You can register your interest here.