CLEARWATER, Fla.-It took Stu Sjouwerman, the founder and chief executive of security firm KnowBe4, of Clearwater, Fla., about two minutes to launch a successful social engineering attack against me.
Social engineering, also known as phishing and spear-phishing, is what hackers do when they want to trick someone into taking a particular action or divulging critical information online. These attacks are on the rise against banks and credit unions and their corporate/small business customers/members, where more money is on the line than in consumer retail banking.
Sjouwerman and I had never met before. As we talked on the phone about his research, I received an e-mail from American Banker's editor-in-chief asking me what was wrong with a story I had just published on Bitcoin. The e-mail contained a link to the story, to which I had appended a minor correction about 20 minutes before. (Like most reporters, I dread getting e-mails like this from my editor, and like most reporters, I also multi-task.) American Banker is a sister publication to Credit Union Journal.
"By the way," Sjouwerman said. "Did you just get an e-mail from your editor about a correction to a story you'd just written?"
Hesitantly, I said yes.
"That was from me, and I've just social engineered you," Sjouwerman said.
Sjouwerman, who creates so-called white hacks for a living, had run a sender policy framework (SPF) check on my e-mail address, which told him it did not have an SPF record, and therefore my work e-mail network was not configured under sender policy framework (SPF). He was therefore able to use a utility he created himself to construct the dummy e-mail from my editor.
Real Time, Highly Targeted
Phishing attacks are no longer mass e-mails that land in your inbox like silent booby traps, hoping you will click on a link that will direct you to a website laden with malware that then infects your computer. As Sjouwerman's attack proved, such attacks can happen in real time, and they often reflect just a few minutes of highly targeted research about the victim, based on what's readily available from the Web.
Often cyber criminals will use knowledge of both the bank and the bank customer to corrupt both sides in a transaction, Sjouwerman says.
Recent, high-profile break-ins against companies like e-mail marketing company Epsilon and shoe company Zappos have enabled cyber thieves to walk off with millions of active e-mail addresses and passwords. That information is like gold to cyber-thieves, who bide their time and use it to construct customer profiles to launch new attacks, experts say.
"The weak link is the people, both internal and external to the bank," says Julie Conroy McNelley, a research director for Aite Group, of Boston.
Last year's attack against one of the largest security firms in the world, RSA Security, in which hackers successfully spear-phished an employee, leading to theft of code RSA uses to create its security tokens, underscores how vulnerable employees are and how sophisticated the attacks have become, McNelley says.
More than 12% of small business owners have had funds stolen from their bank accounts, according to a September survey of 210 small business owners from Gartner. Of that number, 63% report the theft occurred through electronic funds transfer. The average amount stolen was $3,400.
The Most Powerful Weapon
Security awareness education is the most powerful weapon, says Sjouwerman, who estimates 20% of people at organizations across the board are most susceptible to phishing attacks. Education campaigns can be targeted at this least-knowledgeable group, experts said.
But there are other critical areas both banks and their customers must stay on top of, including making sure that computer networks are configured properly, that application software is up-to-date, and that computers are running the proper anti-malware and anti-virus programs, Sjouwerman says.
Many banks, realizing that human fallibility is eternal, are protecting themselves by assuming the end users of their corporate accounts are infected with viruses and malware, McNelley says. By employing a multi-layered security approach, which is now mandated by the Federal Financial Institutions Examination Council, banks can use powerful anomaly detection tools that detect suspicious behavior and fend it off before it turns into a major incident.
Pulling Emotional Strings
Among the top spear-phishing scams that Sjouwerman highlights are ones that pull at the emotional strings of business owners or bank employees, such as layoff notices, notices from watch dog organizations like the Better Business Bureau, or notices of fake lawsuits with infected attachments. Sweeter deals, like offers of free dinners from organizations an entrepreneur or employee might have listed on LinkedIn as an affiliation, are also on the rise. And mobile attacks are growing in frequency too. Criminals will also use account passwords and log-ins they've stolen online to encourage users to download more malware to their smartphones, for example malware that poses as out-of-band authentication from a bank. They thereby control both ends of the transaction.
"[Cybercriminals] look at everyone who works at a bank, and they find out who is in charge of systems, and who is responsible for ACH or large money transfers, and they social engineer those people, usually through e-mail," Sjouwerman says.