In recent years networks have become more secure through server hardening and deployment of security devices such as firewalls and intrusion prevention systems. This has made it harder for hackers and cyber criminals to launch successful direct attacks from outside of the network perimeter. As a result, hackers and cyber criminals are increasingly resorting to indirect attacks through social engineering and phishing emails.
What are social engineering and phishing attacks?
Social engineering is the art of tricking people into performing actions or revealing information with the aim of gaining access to information systems or confidential information. There are several social engineering attacks and techniques such as phishing emails, pretexting and tailgating.
Phishing is one of the easiest and most widely used social engineering attacks, where the attackers send spoofed emails that appear to be from a trusted individual or company such as a colleague or a supplier. The emails will often look identical to legitimate emails and will include company logos and email signatures. Once attackers successfully trick the victim into clicking on a malicious link or opening a booby-trapped document, they can bypass the company’s external defence mechanisms and gain a foothold in the internal network. This could allow them to gain access to sensitive and confidential information which might have financial or reputational consequences. This can be seen in the case of the successful cyber-attack against Coca-Cola back in 2009.
At the time of the attack Coca-Cola was attempting a $2.4 billion acquisition of the Chinese company China Huiyuan Juice Group. Cyber criminals managed to gain access to confidential files related to the attempted acquisition, which may have caused or contributed to the collapse of the deal shortly after the successful attack.
Investigations traced the attack back to an email sent to Paul Etchells, then the deputy president of Coca-Cola’s Pacific Group and one of the executives overseeing the acquisition deal. The phishing email appeared to be from one of Coca-Cola’s legal executives and contained the subject line “Save power is save money! (from CEO)”. It appears that the attackers had done their research and customised their email to look very authentic, since at that time the company was aiming to reduce its energy consumption and become more efficient. The email contained a link supposedly to a file containing a message from the company’s CEO. Once Etchells clicked on the malicious link a backdoor was installed on his machine, which gave the attackers full access to his computer. After that the attackers installed various hacking tools which allowed them to launch further attacks against Coca-Cola’s internal servers.
Afterwards the attackers targeted other Coca-Cola executives who were involved in the Huiyuan deal. A phishing email was sent to Brenda Lee, a public affairs executive in China. The email appeared to be an advisory from the Beijing office of the World Bank and contained a malicious PDF document, which allowed the attackers to install a backdoor on Lee’s computer. In both instances the attackers installed keyloggers and various other tools to retrieve emails and other documents related to the Huiyuan acquisition deal.
Hackers and cyber criminals are increasingly targeting sensitive information about trade secrets and business deals such as acquisitions and supply agreements, which they could use to blackmail the victim or sell to their competitors. These attacks could have devastating financial and reputational impact and in some instances have led to the collapse of business deals and companies.
What can you do to protect yourself?
These attacks rely on and exploit weaknesses in human nature. Companies can take several steps to protect themselves and reduce the likelihood of such attacks succeeding. The first step is to build a good security training and awareness program in which staff members are taught the dangers of phishing emails and how to identify them. The second step is to conduct regular client-side and social engineering tests, which include sending targeted phishing emails. This helps the company evaluate the effectiveness of its security training and awareness program and identify how to improve it so as to reduce, and ideally eliminate, the risk of such attacks.
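As an added example (not code from the original article), the kind of header and link checks a mail gateway or awareness team can run over an incoming message to flag the lures described above: a trusted-looking display name on an external address, a diverted Reply-To, and a link or attachment that delivers a document. The organisation domain, the document extensions and the sample message are assumed placeholders constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain and document extensions (placeholders, not real values).
INTERNAL_DOMAINS = {"example-corp.test"}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".zip", ".exe")

# Constructed sample modelled on the article's lure: internal-looking name, external domain, link to a file.
SAMPLE_EMAIL = b"""From: "Legal Department" <legal@example-corp-mail.test>
Reply-To: ceo-office@freemail.test
To: exec@example-corp.test
Subject: Save power is save money! (from CEO)
Content-Type: text/html; charset="utf-8"

<p>Please read the <a href="http://203.0.113.10/ceo-message.doc">message from the CEO</a>.</p>
"""

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_message(raw: bytes) -> list[str]:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    # Spoofed colleague: trusted-looking display name on an address outside the company.
    if sender_domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender {sender} shown as '{name}'")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Replies silently diverted to a mailbox other than the apparent sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to domain differs: {reply_to}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', html):
        host = urlparse(href).hostname or ""
        if host not in INTERNAL_DOMAINS:
            findings.append(f"link to external host {host}")
        if href.lower().endswith(DOCUMENT_EXTENSIONS):
            findings.append(f"link serves a document directly: {href}")
    # Booby-trapped attachment, as with the PDF sent to the second executive.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(DOCUMENT_EXTENSIONS):
            findings.append(f"document attachment {filename}")
    return findings
```

Running `check_message(SAMPLE_EMAIL)` reports four indicators for the constructed lure; a plain internal message with no links or attachments reports none.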