Tue, Oct 8, 2013

Are You Working for a Hacker?

Cyber criminals love advisors, but not because they guide them through legal issues or help them hide their ill-gotten gains. Rather, of all a cyber criminal’s potential targets, advisors present the best value for money.

The Psychology of a Cyber Criminal

Cyber-based crime has different motivators, different methodologies, and different targets. While the media likes to use the word cybercrime for every computer-based attack, the term is really about profit-motivated attacks. Cyber criminals are financially motivated fraudsters who use the Internet to access data and facilitate their main objective: to make a profit.

Although cyber criminals may view themselves as smart business people who “work smarter, not harder,” the reality is that the techniques cyber criminals typically employ are lazy.

As personal cyber security systems have become more robust and user-friendly, it has become harder for financially motivated hackers (FMHs) to collect the data they need. Targeting only one individual at a time, breaking through each unique security system, and then committing a fraud on that one target with no guarantee of success is not a good return on investment or time.

Therefore, FMHs like volumes of data from which they can attempt mass fraud schemes, tweaking each attempt to ensure the highest level of success.

As well as holding large volumes of data, the ideal target will usually have three main attributes:

  • Limited cyber security
  • Full access to the system or network on which they are based
  • IT support staff who are just that, “support” rather than security focused

Professional services firms such as lawyers, accountants, consultants and wealth managers are an attractive target as they typically hold volumes of valuable data which are often stored in an organized manner with little protection.

Professional Services: The Perfect Target

By gaining access to a lawyer’s email accounts, not only can hackers read about upcoming transactions or litigation, they can also impersonate a victim’s lawyer or gain enough personal data to effect wire transfers, property sell-offs, or any other manipulation available to them. The same can be said about the accounts of wealth managers or accountants.

Such attacks are not sophisticated hacks. Most involve simple password collection, made when the advisor logs on at a free Wi-Fi spot or clicks a link in a spear-phishing email that requires, or silently performs, a software download before a file or a viral video can be viewed.

Spear-phishing emails are tailor-made for a specific person or professional group with the focus on getting that person or group to click a link and install hidden malware. Professional services advisors are profiled by the attackers utilizing social media, standard media, client inquiries and public records to determine their likelihood of having access to the data required by the cyber criminals.

That profile is used to tweak the attack and then launch it. Ever wonder why you get so much spam or why you have so many new Facebook, LinkedIn, or Twitter followers? Even friendly emails with sugar-coated offers to win an iPad if you click a link and fill in your details could pose a risk.

Complacent Thinking

Cyber criminals rely on complacent thinking. Many professionals believe that if their email was compromised, they would notice unusual traffic. Unfortunately, once a hacker has access to a victim’s email account, he or she can set up filters that divert certain messages away from the hacked inbox into folders, forward them elsewhere, or even reply to them and then delete them before the target sees them.
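One defensive check that follows from this, as an added example that is not part of the original article: audit a mailbox's rules for the diversion pattern just described (external forwarding, deletion, hiding in rarely opened folders, near-empty rule names). The rule records are constructed here in an assumed simplified shape; a real audit would load them from the mail platform's own rule export.

```python
# Added example (not from the original article): audit mailbox rules for the
# forward / hide / delete pattern an intruder uses to keep the owner from
# seeing certain mail. Rule shape below is an assumption, not a real export.

# Folders a mailbox owner rarely opens, a common hiding place for diverted mail.
RARELY_VIEWED = {"rss subscriptions", "conversation history", "deleted items",
                 "archive", "junk email"}

def flag_rule(rule, internal_domain):
    """Return the reasons a single rule looks like post-compromise concealment."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("empty or single-character rule name")
    for addr in actions.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower():
            reasons.append(f"forwards to external address {addr}")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    folder = actions.get("move_to", "")
    if folder.lower() in RARELY_VIEWED:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if actions.get("mark_read") and (actions.get("delete") or folder):
        reasons.append("marks mail read before hiding it")
    words = [w.lower() for w in conditions.get("subject_contains", [])]
    if reasons and words:  # report what a suspicious rule is filtering on
        reasons.append("filters on subject words: " + ", ".join(words))
    return reasons

def audit_rules(rules, internal_domain):
    """Map each suspicious rule name to its reasons; clean rules are omitted."""
    flagged = {}
    for rule in rules:
        reasons = flag_rule(rule, internal_domain)
        if reasons:
            flagged[rule.get("name", "")] = reasons
    return flagged

# Constructed sample: one ordinary housekeeping rule and two concealment rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": ["news"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_contains": ["wire", "invoice"]},
     "actions": {"forward_to": ["drop@mail.example.net"], "mark_read": True,
                 "delete": True}},
    {"name": "Cleanup", "conditions": {"from_contains": ["bank"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "firm.example").items():
        print(f"{name!r}: {'; '.join(reasons)}")
```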

Even in the rare cases where the fraud is discovered and halted in time, cyber criminals will already have stolen information and can use it against victims in a future attack or sell it for profit. The financial value of confidential data should not be underestimated. If it is sensitive, there will likely be someone willing to pay for it.

Protecting Yourself from Working for a Hacker

The severity of the risk is brought home when two key questions are considered:

  • If you discover a compromise on your system, do you have any way of knowing what was viewed, modified, or taken?
  • What would be the impact to your business if it became public that client data was stolen and potentially misused?

In the past year, Kroll has been engaged on more than 25 such matters for large professional services firms. The message behind this trend is clear: why attack on a one-on-one basis when a single targeted attack can get you 1,000 victims or more?

The damage to firms in the professional services sector is multiplied in the same way. In a sector that relies on trust and on the belief that client information will be protected, the effects can reverberate for years.

Firms often assume that they hold nothing of value to cyber criminals and that the risk is therefore not a concern. But the truth is that cyber criminals do not discriminate; they want a lot of data, some of which may seem irrelevant to others. A personal credit card number is just a small piece.

Businesses need to understand what data they hold, why it is important or attractive to cyber criminals, how it is protected, and who has access to it. A proactive understanding of the threats leads to proactive mitigation.

The next time you are “inconveniently” forced to change your password due to some internal policy, understand that this, along with other such requirements, could be the difference between money in your hands and money in the cyber criminals’ hands. It could be the difference between working for your client and working for a hacker.

Learn more about fraud statistics and trends in Kroll’s annual Global Fraud Report.
