Anatomy of a Social Engineering Cyber Attack on a Law Firm
A law firm is a potential goldmine for cyber attackers to exploit. Everything they covet is within their grasp if they manage to compromise the firm’s network, or even an individual lawyer’s computer system or mobile device. Money, confidential personal and/or professional secrets, intellectual property, client PII (Personally Identifiable Information), account information, payment histories and procedures, privileged communications, or anything else entrusted to their care with the expectation of privacy is up for grabs.
The uncomfortable truth is that while the payoff of a successful breach of a law firm could be phenomenal, and well worth the effort of launching a complicated and sophisticated attack, the vast majority of the most successful and costliest attacks on law firms don’t rely on exploiting technology; they rely on exploiting the human element, which is by far the weakest link in any cybersecurity chain.
By the very nature of the legal profession, it’s the attacker who holds most of the best cards. All they have to do is figure out a way to deliver a malicious payload, and the easiest way to do that is to let someone in the law firm walk it right through the front door for them, bypassing any technology in place designed to thwart cyber attacks and network breaches. And since the legal profession is completely client oriented, what better way to do that than to simply pose as a potential client.
Here at Global Digital Forensics (GDF), in our capacity as cyber incident emergency responders for over two decades, we’ve unfortunately seen too many times the devastating consequences a successful social engineering attack can have on a law firm. The following scenario is not a work of fiction; it’s based on real-world attacks we’ve responded to. Our goal here is to raise awareness during these perilous times, as COVID chaos, remote workforces and emboldened hackers converge to form the perfect storm. Any of the following steps can be extremely problematic on its own, but together they can spell disaster.
Step 1 – The Con
Social engineering can take many forms: it can be done in person, over the phone, online, or through any combination of these. But the objective is always the same – deception. The phone/online combo is usually the most effective, as it tends to instantly raise the level of trust by using a form of personal contact (a real voice on the phone), yet keeps the attacker physically unidentifiable.
All it would take is a short call for a consultation. For instance, the attacker uses an untraceable burner phone to call the law firm and says they have a legal problem and are looking for representation. They say they have a document pivotal to making their case, whatever that case may be, and want to have an attorney take a look at it to see if they agree a case can be made.
At this point, the attacker has already done a couple of important things for a successful social engineering attack. They have introduced a reasonable premise to send the attorney a document, and introduced a valid reason for the attorney to actually open it. The ploy and document are irrelevant, but the actions of simply opening it or clicking on a link it contains are not. A malicious payload was just delivered.
Step 2 – The Payload
A malicious payload can be anything. Ransomware, the fastest growing type of costly attacks against organizations, could now be busily encrypting files so the attacker can hold the firm or attorney hostage for a substantial payment if they want the decryption key.
But when it comes to a law firm, attackers know there may be even bigger prizes for the taking. For this scenario, we’ll say the payload was a RAT (Remote Access Tool), which an attacker can quietly maintain on a system or network to look for the perfect bounty, or maintain longer-term surveillance to design bigger and more profitable attacks against the firm or their clients in the future.
Step 3 – Leveraging a Successful Compromise for Bigger Payoffs
Once a malicious payload like a RAT has been successfully introduced, the attacker’s choices are wide open for as long as they can maintain an undetected presence. They can look for confidential, privileged information and decide to leverage it for straight up blackmail. They can steal client information like credit card numbers, Social Security Numbers or other PII and sell it on the Dark Web or use it themselves. They can review the firm’s email communications and see exactly how and when to trick them into transferring large sums of money to fraudulent accounts by using “spoofing” techniques to make them look like a client involved in an expected and legitimate transfer. The options are almost endless.
But worst of all, they can also turn the compromise of the law firm’s network, systems and/or devices into a springboard for attacks against their client base, adding insult to injury and introducing ethical dilemmas and legal liability.
Step 4 – Attack Those Who Trust You
An attacker who is intimately familiar with the inner workings of a law firm thanks to a long-term presence, who had/has access to all of their most sensitive data and client information, and whose sole purpose is to turn the biggest financial profit possible, will more often than not eventually turn their attention and attacks to those with a relationship of trust with the firm or attorney. Spear phishing becomes an incredibly effective tool for this purpose.
While phishing is more prevalent because it relies on the mass-blast concept and statistical chances for success, the personalization of a spear phishing attack makes it a perfect instrument to use against a firm’s clients, with whom the firm has already built a relationship of familiarity and trust (no need to even risk a phone call). It’s not hard for an attacker to duplicate a firm’s website and host it on a new domain with a name close to the original. They’ll use simple misspellings, like “Goldstien” instead of “Goldstein,” or visual tricks like using the letter combination “rn” in place of “m.” They could “spoof” email headers the same way, so that the soon-to-be victims receive emails requesting a transfer of funds or sensitive information which they are relying on attorney-client privilege to keep confidential. After all, the attacker has been monitoring all of the firm’s email correspondence and knows exactly how to frame a fake.
At this point, the attacker’s imagination is the only limitation to the damage they could cause to the firm, and the firm’s clients, and then their clients’ clients, and so on. Payload by payload, the foundation and reputation of even the most successful law firm or attorney will disintegrate.
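The look-alike domain tricks described in Step 4 are simple to check for on the receiving side. The following is an added example, not GDF's code: it flags a sender domain that matches the firm's own domain except for a transposed or dropped letter or an “rn”-for-“m” style substitution. All domain names and header values in it are constructed sample data.

```python
import re

# Visual substitutions of the kind described above, mapping each look-alike
# pair to the glyph it imitates. Applied to both domains, so comparison is symmetric.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<?[^<>\s@]+@([^<>\s@]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""


def normalize(label: str) -> str:
    """Collapse homoglyph pairs so 'srnith' compares equal to 'smith'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a swapped pair ('ie' for 'ei') costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def classify(from_header: str, firm_domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one message's sender domain."""
    dom = sender_domain(from_header)
    if dom == firm_domain:
        return "trusted"
    # Compare the left-most label only; attackers often swap the suffix as well.
    firm_label, sus_label = firm_domain.split(".")[0], dom.split(".")[0]
    if normalize(sus_label) == normalize(firm_label):
        return "lookalike"  # the 'rn' for 'm' trick and similar
    if edit_distance(sus_label, firm_label) <= 2:
        return "lookalike"  # a transposed, dropped or added letter or two
    return "unrelated"
```

A mail gateway rule or SIEM query that applies `classify` to the From: header of every inbound message, and quarantines or banners anything returning `lookalike`, catches the spoofed-client emails this scenario relies on before a user has to spot them.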
So, What Can You Do?
Remember, social engineering attacks are not about technology, they are about human interaction and trust. So the best defenses against social engineering attacks are knowledge and vigilance. Knowledge comes from knowing what you are facing, what your vulnerabilities are, and what to do if you suspect a compromise has occurred. Vigilance is testing, monitoring and responding to threats immediately.
To beat social engineering attacks, it’s crucial everyone in the firm knows what to look for, and how to respond should they receive a phishing/spear phishing email, or any other kind of social engineering attack.
GDF can help you get everyone on the same page and raise awareness substantially firm-wide with safe, realistic spear phishing attacks that will put your staff to the test. We’ve found there is no greater training tool for this kind of awareness than actually catching some hands in the cookie jar. You’ll get an instant idea of how susceptible your workforce is to these types of social engineering attacks. And they are so realistic that, to date, we have never failed to get at least one user to bite (and that’s all it can take).
We’ll craft an email that looks legitimate, create a dummy website that looks like one of your own, and ask your users for their credentials or other PII, whatever best fits your situation. We’ll send it out to your user email list, and in just a few days we’ll have your results. Armed with this valuable information, your management team can decide on the best approach to shore up the weak links (policy changes, regular training, prominent reminders like posters, PowerPoint presentations, regular testing, etc.), and GDF can help you on those fronts too.
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, legal, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to call 1-800-868-8189 for immediate help. For more information, visit GDF's cyber security page, or fill out the form below for a quote.