Hacking Whales of the Retail World Can Start With Just One Little Phish
Make no mistake about it, retailers are at war on the cyber battlefield, and far too many are losing their battles every day, according to cyber security experts who live on the cyber front like Joe Caruso. With Home Depot recently confirming another retailer mega-breach, GDF’s founder sheds some light on how one of the most simple and common threats, phishing, can often be the culprit leading to the kinds of mega-breaches which can put the finances of tens of millions of customers at risk in one fell swoop, and why regular penetration testing with a focus on social engineering is so important in today’s digitally dominated marketplace.
Adding up to big trouble
The number of retail customers estimated to have been affected by massive retailer breaches over the last year is staggering, just look at some of the big names in this article published on September 8th in The New York Times, with Target and Home Dept alone tallying an estimated 100 million cardholders compromised. “If the current pace of these huge retailer data breaches continues to surge like it has over the last year, how long can it really be before every consumer in America finds themselves under the “credit protection” umbrella of a major retailer trying to hide a black eye because their customers’ private payment information was stolen by hackers,” says Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier provider of cyber security solutions and 24/7 emergency incident response, “but the real stomach turner is that the attacks that have been so very successful over the last year are not even on the high end of advanced or complex, just hackers using basic techniques and malware. They only need to find a way to get one foot in the door to make it all work.”
Hackers make themselves at home
“Any time an intrusion occurs, it’s definitely not a good thing,” says Caruso. “But if you can identify the attack and stop it quickly, the long term damage to an organization is likely going to be negligible, like the annoyance of an unwanted houseguest. But when the intruder gets to set up camp right in the bedroom closet, takes control of the TV remote and the car keys, empties out the fridge, steals money from your wallet and ogles your significant other every chance they get, for months on end, the annoyance factor eventually bubbles up into a full-blown family crisis. That’s what these major data breaches are like, not a one night inconvenience, but a methodical disintegration of everything you worked so hard to achieve and maintain. And true to form, the breaches Home Depot, Target and even financial institutions like JPMorgan Chase suffered didn’t happen overnight, they lingered on for months before their “guests” were finally confronted and kicked out of the house, but the car and cash were already gone, the snapshots from the bedroom closet were already taken and a packet of ketchup was all that was left in the fridge. That’s why regular professional vulnerability assessments and penetration testing are so important, we’ll check all the closets, look under every bed, find your keys, make sure your fridge stays well stocked, and you’ll finally be able to change the channel to something enjoyable again.”
“Hackers do enjoy the path of least resistance, and the weakest link in any security chain is almost always the human element. So it shouldn’t come as a surprise that the top tool in their arsenal is often social engineering,” warns Caruso, “and phishing and spear phishing emails are generally the weapons of choice, especially when they are hunting whales. National retail chains, financial institutions, the healthcare industry, they all spend enormous resources on cyber security, yet every time you look up another massive data breach is making headlines. So how do hackers keep on having such great success, seemingly at will? It’s simple, they focus on that crucial first step, getting that first foot in the door, and that’s where social engineering comes in. When we do penetration testing for clients, which is us putting on the black hat of a hacker to test an organization’s cyber security posture, we’ll run phishing and/or spear phishing campaigns just like real world hackers would. We’ll research the company online, we’ll craft an email that maximizes any publically available information to make it look legitimate, sometimes even with a signature of someone high up in the organization if we can find documents, memos or marketing materials which display it online, and we’ll even create a dummy website that looks like the real thing using links and images from their own real sites, eventually calling for the target to take action, like clicking on a link, or divulging their access credentials. We’ve done it many times, and to date we have never failed to get at least a small percentage of users in the targeted organization to take the bait. And since it only takes one set of credentials to get that initial toehold into a client’s network, which would basically give us free reign to introduce malware, exfiltrate sensitive ESI (Electronically Stored Information), or set up a stealth presence to observe everything happening and continue to escalate privileges by moving sideways across the network once inside, it becomes easy to see how even the best laid security plans are rendered moot when every single user is not fully up to speed when it comes to social engineering awareness. But they will be when we get done with our assessment and testing, we’ll have the proof in hand. Believe me, nothing has a more long lasting and powerful impact than being caught and called out, and nobody is nodding off when we present our findings and remediation suggestions. Phishing can basically turn anyone in an organization into an insider threat, even if they never meant to be, and we help clients arm their employees with the knowledge they need to avoid being caught in that position, and by extension, significantly improve their cyber security posture.”
Trusting luck is not a sound security policy, so don’t wait until it’s too late
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.