Psst, we’re watching you. That’s the message that struck home at a seminar on the anatomy of a cyber attack, during a recent IT conference at Century City.
Speaking at the IT Leaders Africa Summit, Paul Stafford, the coastal region general manager of Mimecast, an international firm specialising in cloud-based email management, security and archiving, said cyber attacks cost hacked businesses and individuals a whopping $445 billion annually. That’s more than R5.6 trillion.
Most attackers use email to compromise your or your company's computer systems. Mr Stafford said 91 percent of cyber attacks around the world started that way.
Mimecast recently did its own email security risk assessment of 23 744 email users over 153 days and found that of the 26.124 million emails inspected, 3.45 million were suspect: 1.4 million were rejected and 2.01 million quarantined. There were 6 681 dangerous file types caught, he said, and 1 697 malware attachments.
Jenny Radcliffe, the director of Jenny Radcliffe Training, gave her presentation by recorded video from London, where her consultancy company is based.
Referring to hacking as social engineering and the perpetrators as social engineers, she said the easiest and best way to get into a system was through a human being.
“There are various motivations: financial, disruption, malice, strategic or a link in the chain. Sometimes it’s a dissatisfied former employee; other times it is for financial gain.”
By allowing anyone to quickly access anything, the internet, she said, was a goldmine of information for the malicious social engineer.
“One can research and map names, job titles, technical and personal changes to employees in a company, changes in the work team and the mood shown in emails; all of these provide highly useful information for the eventual attack stage.
“It’s usually the smallest thing that lets the cyber attacker in and when they are ready they pounce. They look for gaps – is the person talkative, careless? What do they share? Where do they socialise? Perhaps it’s at a bar on a Friday night where the ostensibly unassuming social engineer can strike.”
Social media had made hackers’ jobs that much easier, said Ms Radcliffe. It was no longer simply about phishing: attacks now were more like a “hustle”, she warned.
“It’s all about contact and trust. Sometimes you build up the relationship with a vulnerable person or employee for six months. We call this the trust trigger and the most important thing that is required is patience. The main thing is if you can break down suspicion you’re in.”
Ms Radcliffe said the way companies presented themselves was key in preventing hacking.
Companies with watertight profiles, where employees were loyal and satisfied, were less likely to be infiltrated.
She called this “I have an invite”: any small, exploitable breach was the social engineer’s passport to entry.
“Once someone is in, then they’re in. It doesn’t matter how many millions you throw at social defence if you have a way in.”
But you don’t need to be a skilled social engineer to hack into someone’s bank account.
This was demonstrated in a quick 10-minute set-up by Mark Dotan, a sales engineer at Mimecast, who performed a live hack. Pulling a volunteer out of the audience, he sat him at his own computer desk while he went about conducting an attack.
One of the easiest ways, he said, was to create a malicious website by copying it or “site cloning”.
“One exploits the vulnerability within software. That’s why software updates are so important, as they patch vulnerabilities. But the hardest thing to penetrate is through a firewall, so what you do is flip it around and build a website,” he said.
Using a popular mail order company’s website that offers discounts and vouchers, Mr Dotan managed to get into the “victim’s” emails and sent him a spoof email carrying the website’s logo.
There was a subtle difference in that the name of the sender had a number 1 after it, but he said most people would not notice that.
“While some of us would be suspicious if you are offered a R1 000 birthday voucher, for example, you would take it and hit the button and that’s their way in,” he said.
Using his own computer and showing the audience how it was done, he demonstrated how he had taken over the victim’s computer and how, once he was in, he had swiftly redirected the victim to the real website of the mail order company so that nothing looked amiss.
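The trick Mr Dotan relied on, a trusted brand name with a stray “1” appended and a cloned site behind it, is exactly the kind of near-miss a mail filter can catch before a person has to. The following is an added illustration, not code from Mimecast or from the conference: it parses a few constructed sample emails, folds common digit-for-letter substitutions in the sender’s display name and domain, and flags senders that imitate a trusted brand without coming from that brand’s registered domain. The brand name, the domains and the sample messages are all made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical trusted brand -> registered domain map (constructed for this example).
TRUSTED_BRANDS = {
    "MailOrderCo": "mailorderco.example",
}

# Constructed sample messages. The third copies the demo's "brand name + 1" spoof;
# the fourth hides the brand's domain inside an attacker-controlled subdomain.
SAMPLE_MESSAGES = [
    "From: MailOrderCo <promo@mailorderco.example>\r\nSubject: Your weekly deals\r\n\r\nHello\r\n",
    "From: Alice <alice@example.org>\r\nSubject: Lunch?\r\n\r\nHi\r\n",
    "From: MailOrderCo1 <vouchers@mai1orderco-rewards.example>\r\n"
    "Subject: R1 000 birthday voucher!\r\n\r\nClaim now\r\n",
    "From: MailOrderCo <promo@mailorderco.example.attacker.test>\r\n"
    "Subject: Account notice\r\n\r\nPlease log in\r\n",
]

# Digits that are commonly swapped in for look-alike letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances mean 'almost the same name'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(s: str) -> str:
    """Lower-case, fold digit-for-letter substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", s.lower().translate(HOMOGLYPHS))


def analyse_sender(from_header: str) -> dict:
    """Classify a From header as trusted, unknown or suspicious for each known brand."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # The registered domain is the last two labels; anything to the left of it is
    # chosen by whoever controls that domain, so it carries no trust.
    registered = ".".join(domain.split(".")[-2:])
    name_c = canonical(name)
    label_c = canonical(registered.split(".")[0])
    for brand, expected in TRUSTED_BRANDS.items():
        brand_c = canonical(brand)
        name_like = name_c == brand_c or levenshtein(name_c, brand_c) <= 2
        domain_like = brand_c in label_c or levenshtein(label_c, brand_c) <= 2
        if not (name_like or domain_like):
            continue
        if registered == expected:
            return {"brand": brand, "verdict": "trusted", "reasons": []}
        reasons = []
        if name_c == brand_c:
            reasons.append(f"display name claims to be {brand!r}")
        elif name_like:
            reasons.append(f"display name {name!r} is a near-match of {brand!r}")
        if domain_like:
            reasons.append(f"domain {registered!r} mimics {expected!r}")
        reasons.append(f"registered domain {registered!r} is not {expected!r}")
        return {"brand": brand, "verdict": "suspicious", "reasons": reasons}
    return {"brand": None, "verdict": "unknown", "reasons": []}


def scan(raw_messages):
    """Parse each raw RFC 5322 message and analyse its sender."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        result = analyse_sender(str(msg["From"]))
        result["subject"] = str(msg["Subject"])
        results.append(result)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_MESSAGES):
        print(f"{r['verdict'].upper():10} {r['subject']}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

The check is deliberately anchored on the registered domain rather than on the display name, because the display name is free text that any sender can set; a display name that matches a trusted brand from the wrong registered domain is the signal, not the spelling. In a real deployment this sits beside DMARC, SPF and DKIM results rather than replacing them.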
“Sometimes you can control a user’s computer for in excess of six months in order to understand the user and create malware remotely. The message is be very careful and also don’t join public wifi networks.”
* Visit www.mimecast.com; Cybercrime.org.za for more information.