A Charlotte law firm received a ransom demand. But the ransom wasn’t for the release of a kidnapping victim. The law firm would have to pay for the release of its file server. You see, hackers scrambled the server and encrypted the data. The hackers then demanded the law firm pay for the encryption key.
A different Charlotte law firm transferred $38,000 to a Virginia Beach bank. Cybercriminals intercepted the transfer and eventually routed the funds to a bank in Moscow.
In both cases, you might think, the hackers worked their way through the Internet and kept testing the firms’ security, probing for weaknesses. They then surreptitiously worked to take over the server or intercept the funds.
Nope. The thieves walked right through the virtual front door and into the firms’ networks and servers, using spam email. And the employees let them in without a second thought, simply by opening it.
“Give a man a fish and he’ll eat for a day. Teach a man to phish and he’ll take over your servers and empty your accounts.”
The cyber criminals used a technique called “spear-phishing”, a variation of “phishing”. A regular phishing attack uses emails that appear to come from well-known, legitimate companies. When opened, they either launch a virus or Trojan horse, or ask for account information to “verify” or unlock an account.
The second type of phishing commonly shows up as an email from a bank, such as Wells Fargo or Bank of America. The email typically says that an account is locked and the recipient needs to click through to a webpage and enter his or her account information, including Social Security number, password, and so on. The web page looks genuine: the logos are correct, there’s an appropriate copyright notice, so the user goes ahead and enters the requested information. Once he hits the “Submit” button, the hacker has everything needed to empty the account.
A “spear-phishing” attack is similar, but is more directly targeted at a firm or person. Typically, the email looks like it was sent from within the company or from a known vendor, and might be followed up by a phone call where the hacker says something like “Hey, this is Bob from Accounting. I really need you to look at that spreadsheet I just sent. The boss is questioning some of your numbers.”
The first law firm received an email from “att.com” which included an attached file. When the recipient opened the attachment, a piece of “ransomware” called Cryptolocker launched, encrypted the file server, and sent the ransom demand.
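The three warning signs described above (a sender posing as a trusted bank or vendor, an attachment that can carry code, and a “your account is locked” link whose text does not match where it really points) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from Waypoint; the risky-extension list, the wording patterns and the sample message (domain names and address are constructed) are the example’s own assumptions.

```python
import re
from email.message import EmailMessage, Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types that can carry or run code (assumed list, not from the article)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".zip", ".cab")
URGENCY = re.compile(r"\b(account (is )?locked|verify your account|suspended)\b", re.I)
LINK = re.compile(r'href="([^"]+)"[^>]*>([^<]+)<', re.I)

def phishing_indicators(msg: Message, trusted: set[str]) -> list[str]:
    """Warning signs from the article found in msg; trusted = real bank/vendor domains."""
    found: list[str] = []
    def note(s: str) -> None:
        if s not in found:
            found.append(s)
    name, addr = parseaddr(msg.get("From", ""))
    dom = addr.rsplit("@", 1)[-1].lower()
    shown_name = re.sub(r"[^a-z0-9]", "", name.lower())
    # Display name claims a trusted brand, but the address is not that brand's domain
    for t in trusted:
        if t.split(".")[0] in shown_name and dom != t and not dom.endswith("." + t):
            note(f"display name claims {t} but mail is from {dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            note(f"attachment {fname} may carry executable code")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if URGENCY.search(body):
                note("locked-account / urgency wording")
            # Link text shows the bank's address, but the href goes somewhere else
            for href, text in LINK.findall(body):
                host = (urlparse(href).hostname or "").lower()
                shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
                if shown and shown.group(0).lower() not in host:
                    note(f"link text says {shown.group(0)} but points at {host}")
    return found

def build_sample() -> EmailMessage:
    """Constructed lookalike of the bank-alert email the article describes."""
    m = EmailMessage()
    m["From"] = "Wells Fargo Online <alerts@wellsfargo-secure.example>"
    m["Subject"] = "Your account is locked"
    m.set_content("Your account is locked. Verify your account today.")
    m.add_alternative('<p>Your account is locked. <a href="http://198.51.100.7/verify">'
                      'www.wellsfargo.com</a></p>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="statement.zip")
    return m
```

Running `phishing_indicators(build_sample(), {"wellsfargo.com"})` reports all four signs for the sample; a real bank alert sent from the bank’s own domain, with no attachment and links that point where they say, produces an empty list.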
Now, you might think that phishing couldn’t possibly work. No one would fall for that. But according to Wired.com, 91% of hackers access the target company or system via a phishing attack. Yeah, it does work well!
So how can you protect your company? First, educate your employees. Make sure they know what phishing is and, more importantly, what they should do if they suspect they’ve received a phishing email.
Second, use a spam filter. Even though filters are not 100% effective, they do give you a fighting chance. Tell your staff not to open any emails or attachments that land in the spam folder.
Third, you should encrypt any emails you send that may contain sensitive information, such as financial account numbers, Social Security numbers, client lists, etc. Even if cybercriminals intercept the email, they won’t be able to access the data.
Finally, and this is a recurring theme in this series, back up your data on a regular basis! Ideally, you back it up daily. If the first law firm had a daily backup, they could have just restored their server. But since the backup was over a week old, they were out of luck.
The IT experts at Waypoint would love to review your email setup and security, as well as your other IT needs and cyber security vulnerabilities, for free. Please click here to sign up for a free, no risk IT assessment.
Posted on: 06.09.15