Hackers: Social Engineering & Shadow Operations

Social Engineering by Hackers

Information Gathering

You are likely familiar with phone and email scams designed to manipulate you into providing personal information. From "You've won an all-inclusive vacation..." to "I'm calling from Visa to report suspicious activity on your credit card...", the methods of manipulation have become increasingly creative. While these scams annoy us in our personal lives, they pose a significant risk to businesses small and large.

For example; A CFO with access to sensitive financial data, or has approval powers for purchasing, receives an email from the Executive Director. The CFO reads the email, but notices something off about the message. The email signature that doesn't quite look right, and the language used doesn't quite match the Directors. Luckily, the CFO has the intuition to flag the message as suspicious. They ask their IT department to investigate and find that they could have become the victim of a social engineering plot.

In this situation a hacker with no involvement within the organization was been able to identify a number of key pieces of information. Specifics regarding the policies and procedures of the organization and more importantly, the names, titles, and email addresses of the individuals whom hold the power and access required to hatch their wicked scheme. These attacks can affect large well known organizations and small mom-and-pop shops alike.

Protecting Your Organization

While identifying and apprehending the culprit is highly unlikely in this situation, proper education is a must. An understanding of these methods will ensure employees of the organization don't unknowingly provide sensitive information to any party requesting, and allow staff members to identify suspicious phone calls or emails.

Unfortunately, relevant case studies of what can go wrong are numerous. It is highly important for all organizations, large and small to discuss these risks with a highly trained IT professional who is familiar with business operations and procedures.

Shadow Operations

The Chinese Hackers in the Back Office

Nicole Perlroth of the New York Times published a relevant article on June 11th titled "The Chinese Hackers in the Back Office" (Link)

To summarize the article Nicole touches on a common practice utilized by hackers, where unknowing businesses have their systems hijacked and used as a planning and staging point for more elaborate attacks elsewhere. The companies own files, information and financials are not the target in these cases, however it highlights the importance of network security, whether you're running a small, family business, or a successful enterprise.

"Hackers don’t just press a big red “attack” button one day. They do reconnaissance, scout out employees on LinkedIn, draft carefully worded emails to trick unsuspecting employees to open them and click on links or email attachments that will try to launch malicious attacks.
Once they persuade a target to click — and 91 percent of attacks start this way, according to Trend Micro, the security firm — it takes time to crawl through a victim’s network to find something worth taking. Then they have to pull that data off the network. The process can take weeks, months, even years and leaves a digital trail."

All in all, the message is clear - hackers will not stop until they get what they want. As such, security monitoring, management and alerting are absolutely essential to protect organizations of any size.

LAN Solutions provides IT Networking and Security Assessments free of charge and with no obligation. The information provided is invaluable whether or not your organization has a set of security policies in place. Click here to contact LAN Solutions and discuss your organizations corporate security.