Hackers Target the Weakest Link: The End User


It took Stu Sjouwerman, the founder and chief executive of security firm KnowBe4, of Clearwater, Fla., about two minutes to launch a successful social engineering attack against me.

Social engineering is what attackers do when they want to trick someone into taking a particular action or divulging sensitive information; phishing, and its targeted variant spear-phishing, are its most common forms online. These attacks are on the rise against banks and their corporate customers, where more money is on the line than in consumer retail banking.

Sjouwerman and I had never met before. As we talked on the phone about his research, I received an email from American Banker's editor-in-chief asking me what was wrong with a story I had just published on Bitcoin. The email contained a link to the story, to which I had appended a minor correction about 20 minutes before. (Like most reporters, I dread getting emails like this from my editor, and like most reporters, I also multi-task.)

"By the way," Sjouwerman said. "Did you just get an email from your editor about a correction to a story you'd just written?"

Hesitantly, I said yes.

"That was from me, and I've just social engineered you," Sjouwerman said.

Sjouwerman, who performs so-called white-hat hacks for a living, had checked whether the domain of my work email address publishes a Sender Policy Framework (SPF) record. It did not, which meant a receiving mail server had no published list of hosts authorized to send mail for that domain, and so nothing to flag a message forged to appear from my editor's address. He then used a utility he had written himself to construct the dummy email from my editor.
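As an added example (not part of the original article and not Sjouwerman's own tool), the following Python models the SPF check described above: given the IP address a message arrived from and the domain it claims to be sent on behalf of, it evaluates that domain's SPF record the way a receiving mail server would, following the check_host() procedure of RFC 7208. The domain names, TXT records and A records are constructed for the example; a real check would fetch the TXT record from DNS instead of reading the dictionaries.

```python
"""Added example: an offline SPF evaluator modelled on RFC 7208 check_host().

The DNS data below is constructed for the example (hypothetical domains,
documentation address ranges); replace the two dicts with real TXT/A lookups
to test a live domain.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records keyed by domain (hypothetical names).
TXT_RECORDS = {
    "bank.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    ],
    "_spf.mailer.example": [
        "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:10::/48 a:relay.mailer.example ~all",
    ],
    "newspaper.example": ["site-verification=not-an-spf-record"],  # no SPF published at all
    "loop.example": ["v=spf1 include:loop.example -all"],          # self-referential include
}
# Constructed A records used by the "a" mechanism.
A_RECORDS = {"relay.mailer.example": ["198.51.100.200"]}


def spf_records(domain):
    """All TXT records for `domain` that carry the SPF version tag."""
    return [r for r in TXT_RECORDS.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_host(ip, domain, budget=None):
    """Return the SPF result for a connection from `ip` using MAIL FROM domain `domain`.

    `budget` tracks the RFC 7208 limit of 10 DNS-querying terms (include, a and
    redirect here) across the whole evaluation, including nested includes.
    """
    if budget is None:
        budget = [10]
    addr = ipaddress.ip_address(ip)
    records = spf_records(domain)
    if not records:
        return "none"         # nothing published: the receiver cannot judge the sender
    if len(records) > 1:
        return "permerror"    # RFC 7208 s3.2: more than one record is an error
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term and ":" not in term:        # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                                # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr in net                   # an address-family mismatch is simply False
        elif name in ("include", "a"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                  # s4.6.4: too many DNS lookups
            target = arg or domain
            if name == "include":
                sub = check_host(ip, target, budget)
                if sub in ("none", "permerror", "temperror"):
                    return "permerror"              # s5.2: including a missing record is an error
                matched = sub == "pass"
            else:
                matched = any(addr == ipaddress.ip_address(a) for a in A_RECORDS.get(target, []))
        else:
            return "permerror"                      # mx, ptr and exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        budget[0] -= 1
        return "permerror" if budget[0] < 0 else check_host(ip, redirect, budget)
    return "neutral"                                # fell off the end of the record


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "bank.example"), ("192.0.2.9", "bank.example"),
                    ("192.0.2.9", "newspaper.example"), ("192.0.2.9", "loop.example")]:
        print(f"{ip:>16} as {dom:<20} -> {check_host(ip, dom)}")
```

The newspaper.example case is the article's scenario: no record at all yields "none", so the receiver has no basis to reject a forged sender, and it is this gap the utility exploited. Two caveats a practitioner should keep in mind: SPF is evaluated against the envelope MAIL FROM domain (or the HELO name), not the From header the reader sees, so a domain also needs DMARC-style alignment before a forged display address is caught; and a record ending in ~all tells receivers only to accept and mark the message, not to reject it.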

Phishing attacks are no longer just mass emails that land in your inbox like silent booby traps, hoping you will click a link to a malware-laden website that then infects your computer. As Sjouwerman's demonstration showed, such attacks can happen in real time, and they often require just a few minutes of targeted research about the victim, drawn from what is readily available on the Web.

Often cyber criminals will use knowledge of both the bank and the bank customer to corrupt both sides in a transaction, Sjouwerman says.

Recent high-profile break-ins at companies like the email marketing firm Epsilon and the shoe retailer Zappos have let cyber thieves walk off with millions of active email addresses and passwords. That information is like gold to cyber thieves, who bide their time and use it to build customer profiles for new attacks, experts say.

"The weak link is the people, both internal and external to the bank," says Julie Conroy McNelley, a research director for Aite Group, of Boston.

Last year's attack against one of the largest security firms in the world, RSA Security, in which hackers successfully spear-phished an employee, leading to theft of code RSA uses to create its security tokens, underscores how vulnerable employees are and how sophisticated the attacks have become, McNelley says.

More than 12% of small business owners have had funds stolen from their bank accounts, according to a September Gartner survey of 210 small business owners. Of those, 63% reported that the theft occurred through an electronic funds transfer. The average amount stolen was $3,400.

Security awareness education is the most powerful weapon, says Sjouwerman, who estimates that about 20% of the people in any organization are the ones most susceptible to phishing. Education campaigns can be targeted at this least-aware group, experts said.

But there are other critical areas both banks and their customers must stay on top of, Sjouwerman says: making sure that networks are configured properly, that application software is kept up to date, and that computers run current anti-malware and anti-virus programs.

Many banks, realizing that human fallibility is eternal, are protecting themselves by assuming that the end users of their corporate accounts are already infected with viruses and malware, McNelley says. Using the multi-layered security approach now mandated by the Federal Financial Institutions Examination Council, banks can deploy anomaly detection tools that spot suspicious behavior and stop it before it turns into a major incident.
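To make the layered approach concrete, here is an added example (not code from any bank or vendor named in the article) of the kind of rule-based scoring an anomaly engine can apply to an outgoing ACH or wire instruction before release, written on the assumption that the customer's workstation may already be compromised. The account history, rule weights, thresholds and transaction fields (device fingerprint, seconds since login) are all constructed for the example.

```python
"""Added example: rule-based anomaly scoring for outgoing corporate payments,
written on the assumption that the originating endpoint may be compromised.
All history, rules, weights and thresholds below are constructed for the example."""
from collections import defaultdict

# Constructed 90-day payment history per account: (payee, amount, hour_of_day).
HISTORY = {
    "ACME-001": [
        ("PayrollCo", 42000.0, 10), ("PayrollCo", 41500.0, 10), ("PayrollCo", 42800.0, 11),
        ("Supplier A", 7800.0, 14), ("Supplier A", 8100.0, 15), ("Supplier B", 2300.0, 9),
    ],
}


def build_baseline(history):
    """Summarise what 'normal' looks like for one account."""
    by_payee = defaultdict(list)
    for payee, amount, _ in history:
        by_payee[payee].append(amount)
    hours = [hour for _, _, hour in history]
    return {
        "payee_max": {payee: max(amts) for payee, amts in by_payee.items()},
        "account_max": max(amount for _, amount, _ in history),
        "hours": (min(hours), max(hours)),
    }


# (weight, reason, predicate). Weights are illustrative, not tuned on real data.
RULES = [
    (3, "payee never paid before",
     lambda t, b: t["payee"] not in b["payee_max"]),
    (2, "amount far above this payee's history",
     lambda t, b: t["payee"] in b["payee_max"] and t["amount"] > 1.5 * b["payee_max"][t["payee"]]),
    (2, "amount above any prior payment from this account",
     lambda t, b: t["amount"] > 1.25 * b["account_max"]),
    (2, "outside the account's usual business hours",
     lambda t, b: not (b["hours"][0] <= t["hour"] <= b["hours"][1])),
    (2, "unrecognised device fingerprint",
     lambda t, b: t["new_device"]),
    (1, "submitted within seconds of login",
     lambda t, b: t["session_age_s"] < 120),
]


def score_transaction(txn, baseline):
    """Return (total score, list of reasons that fired)."""
    hits = [(weight, reason) for weight, reason, pred in RULES if pred(txn, baseline)]
    return sum(w for w, _ in hits), [r for _, r in hits]


def decide(score):
    """Map a score to an action; the step-up must use a channel the malware does not control."""
    if score >= 6:
        return "hold_and_call_back"
    if score >= 3:
        return "step_up_out_of_band"
    return "release"


def triage(txn):
    baseline = build_baseline(HISTORY[txn["account"]])
    score, reasons = score_transaction(txn, baseline)
    return decide(score), score, reasons


# Constructed transactions: a routine payroll run, a malware-driven transfer to a
# fresh payee in the middle of the night, and a tampered (inflated) payroll amount.
SAMPLE_TRANSACTIONS = [
    {"account": "ACME-001", "payee": "PayrollCo", "amount": 42300.0, "hour": 10,
     "new_device": False, "session_age_s": 600},
    {"account": "ACME-001", "payee": "Global Trading Ltd", "amount": 56000.0, "hour": 3,
     "new_device": True, "session_age_s": 45},
    {"account": "ACME-001", "payee": "PayrollCo", "amount": 95000.0, "hour": 10,
     "new_device": False, "session_age_s": 900},
]

if __name__ == "__main__":
    for txn in SAMPLE_TRANSACTIONS:
        action, score, reasons = triage(txn)
        print(f"{txn['payee']:<20} {txn['amount']:>9.2f} -> {action} (score {score}) {reasons}")
```

The point of the middle tier is that a suspicious-but-plausible payment is confirmed over a second channel rather than blocked outright; as the article notes below, that channel is only worth something if it is not the same compromised endpoint, which is why attackers go after the phone as well.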

Among the top spear-phishing scams Sjouwerman highlights are ones that tug at the heartstrings of business owners or bank employees: layoff notices, notices from watchdog organizations like the Better Business Bureau, or notices of fake lawsuits with infected attachments. Sweeter lures, such as offers of free dinners from organizations an entrepreneur or employee has listed on LinkedIn as an affiliation, are also on the rise. And mobile attacks are growing in frequency too. Criminals will also use account logins and passwords they have stolen online to push users into downloading more malware onto their smartphones, for example malware that poses as a bank's out-of-band authentication app. They thereby control both ends of the transaction.

"[Cybercriminals] look at everyone who works at a bank, and they find out who is in charge of systems, and who is responsible for ACH or large money transfers, and they social engineer those people, usually through email," Sjouwerman says.

Comments (1)
Here's a question - as long as technology operates invisibly to the end user, and the end user relies on the tech, will not the end user ALWAYS be the weakest link? (Remember "relying party" from the era of certificate authorities and PKI?)

You rely on your email tool to correctly display the origin of an email. What if your email was configured to display the correct origin? If Sjouwerman was the actual source of the communication would you click on it? Were you relying on a network admin to set your account up properly? (Was it you?)

Think about it for a moment. The recent epidemic of ATM skimming. Is it the end user failing to notice a mini camera and stripe reader affixed to the ATM machine that results in this exploit? Or is it the fact that once the ATM card is compromised, the criminals are able to use it and the end user has no idea the account is being used?

Giving the end user visibility into what the technology they are wielding is actually going to do for them when they hit "Enter" in a way that is protected is as critical as education to beating cyberthreats. At the end of the day - it's an arms race.

The out-of-band authentication you mention in the article is a perfect example. Let the user review and approve transactions on their smart phone. That process works - so the cybercriminals attack the smart phone - via the end user. The OOB vendors escalate with smarter apps featuring application level and communication level encryption. The arms race continues, but it's an arms race that the vendors, their customers and end users - should all participate in.
Posted by JohnZurawski8745 | Thursday, May 24 2012 at 1:45PM ET