Think of the damage a cyber-criminal could do if he or she gained access to your law firm. There’s the mergers and acquisition data that partners hold, as well as the payment details of high net worth individuals and corporate clients either one of which would be bad enough. Then there’s the reputational damage and possible fines if the personal details of your clients become known. But consider too the damage that could result if fraudsters obtained the logon details for your corporate email account.
Over the last year, Kroll has increasingly seen where legal advisors’ work emails have been compromised, especially those belonging to trusted and senior figures within the firm because those are the ones that fraudsters know will be most useful to them.
Armed with the genuine email account of an advisor, fraudsters pose questions and give instructions to make transfers or pay invoices of several hundreds of thousands of dollars. Would your accounts department double-check that it really was you before following your instructions? Not many would and even if they did, you might never see the emails. Cleverly, the fraudsters also set up rules on the compromised account so that any emails from defined individuals are sent straight to the deleted items folder.
Think too of the damage someone posing as you could do to your colleagues. A fraudster could ask questions about sensitive issues that colleagues would trustingly reply to, all the while assuming that the information was staying within the firm.
Sometimes staff members are profiled and sent a spoofed email that looks like it’s from a person they know and trust (a technique known as spear phishing). Once the attackers have tricked that person and have his or her genuine credentials, they typically then stay inside the network for months, slowly gathering information about the network and what is valuable within it, before they take what they want.
Kroll is also seeing greater sophistication in cyber criminals. They are smart and they take their time. The world of the cyber criminal has long been a global underground market of people selling different skills, different parts to the puzzle. There are, for example, some who design and sell malware, others who adapt it for a particular job, money launderers and the ones who send the emails. In this world, the crooks are learning to look for weak links in the chain.
Going back to the recent cases of compromised email accounts, these are a mild form of intrusion compared to the full-scale hack. But how did the bad guys guess the password? In most cases it’s really not that difficult. For a start they will have looked on social networking sites, where they will probably find the names of spouses, pets and children. These form the main part of most people’s passwords or their questions for password resets, and that’s before even considering a well-known published list of the world’s most common passwords by a man who calls himself John the Ripper. You can even download his password-cracking tool for free. If criminals can’t guess your password, they can always just send you an email with a link, which if you click on it, launches malware that allows them to take control of your machine. That malware is also available for free on the Internet.
Extortion for sensitive data is also a growing trend. Kroll acted for one law firm that was in the difficult position of deciding whether to tell a client that the details of his discussions with them about which of his children were getting what from his estate, were now at risk of being revealed to them.
So how big a threat is this? A fascinating insight into the size and scale of cybercrime was provided in May 2013 by the indictment of Liberty Reserve, a Costa Rican bank, by the U.S. government. The indictment alleged that the online digital currency service and money transfer system of the website had been designed to attract and maintain a customer base of criminals—unlike other banks or legitimate online payment processors, they did not require users to validate their identity information.
The conversion into and out of cash was done by “pre-approved exchangers” concentrated in Malaysia, Russia, Nigeria and Vietnam. These merchants were said to be “overwhelmingly criminal” in nature. They included, for example, traffickers of stolen credit card data, personal identity information and computer hackers for hire.
Some accounts were self-named with evidently criminal names, such as Russia Hackers. The U.S. district attorney wrote “because virtually all of Liberty Reserve’s business derived from suspected criminal activity, the scope of the defendants’ unlawful conduct is staggering. Estimated to have had more than one million users worldwide, Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion.” In the lifetime of its operation, from 2006 to May 2013, Liberty Reserve is believed to have laundered more than $6 billion.
The moral of the story? Law firms, which have a trusted advisor status with their clients and routinely hold highly confidential information, need to radically rethink and re-engineer cyber security firm-wide. At the very least, however, change your password to over 12 characters, and make it the first line of a song, not the full name of your spouse.
A version of this article appeared in The Law Gazette on Nov. 22, 2013.