Six months ago a Milwaukee Bucks employee fell victim to a spearphishing scam. The employee who gave the team’s financial documents to an email scammer shouldn’t feel too bad.
The same thing almost happened recently to the president and founder of Applied Tech, Kurt Sippel. Sippel was the target of a similar so-called “spearphishing” attempt.
His company’s controller thought nothing of the internal email from Sippel, saying she should pay an invoice worth hundreds of dollars. The email addressed her by her first name and was written in Sippel’s usual short message style, plus it had his personal and familiar signature lines and the company’s logo and confidentiality statement at the bottom.
In other words, it looked legitimate in every way – but it wasn’t.
His controller became suspicious because his full name appeared at the bottom of the message. Using an internal verification and checking process she had been trained on, the controller confirmed that the invoice was bogus.
“If it can happen to us, it can happen to anyone,” said Sippel.
Most people who work daily on computers know about phishing attempts: fraudulent email messages from random hackers that appear to come from a large or well-known company or website with a broad membership base, such as eBay or PayPal. Most people have learned to be suspicious of that type of unexpected request for personal information or data, and most avoid responding or clicking on links unless they are positive about the source.
In the case of spearphishing, however, the apparent source of the email is an individual within the recipient’s own company, generally someone in a position of authority such as the chief financial officer, a director or, as with Sippel, the president. That’s what happened to the Bucks employee.
“These campaigns are amazing,” said Sippel. “The emails are customized to each target by name, job title, telephone number, company name, and subject. Often the information is picked up off public websites such as LinkedIn or the company’s own website. And that lure isn’t the end. The company can even be targeted by region and its business specialty.”
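As an added illustration (not code from the article or from Applied Tech), here is a small Python check a mail administrator could run over incoming messages to catch the pattern described above: a display name that matches an executive while the underlying address, or the Reply-To address, points outside the company. The company domain, the executive list and the three sample messages are all constructed for the example.

```python
"""Flag executive look-alike emails. Added example; not Applied Tech's tooling.

Assumptions (all hypothetical): the company mail domain is example.com and
EXECUTIVES maps a normalized display name to the expected mailbox name.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # hypothetical company domain
EXECUTIVES = {"kurt sippel": "ksippel"}   # display name -> expected mailbox (hypothetical)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _mailbox(addr: str) -> str:
    """Return the lower-cased local part of an address."""
    return addr.rpartition("@")[0].lower()


def impersonation_findings(raw: bytes) -> list[str]:
    """Return human-readable warnings for a raw RFC 5322 message.

    Two checks mirror the case in the article: the display name of a known
    executive on a message that does not really come from the executive's
    mailbox, and a Reply-To that would send the answer to a different domain.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    findings: list[str] = []

    norm_name = " ".join(name.lower().split())
    if norm_name in EXECUTIVES:
        if _domain(addr) != COMPANY_DOMAIN:
            findings.append(
                f"display name '{name}' matches an executive but the sender "
                f"domain is '{_domain(addr) or '(none)'}', not '{COMPANY_DOMAIN}'"
            )
        elif _mailbox(addr) != EXECUTIVES[norm_name]:
            findings.append(
                f"display name '{name}' matches an executive but the mailbox "
                f"'{_mailbox(addr)}' is not the expected '{EXECUTIVES[norm_name]}'"
            )

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from "
            f"From domain '{_domain(addr)}'"
        )
    return findings


# Constructed sample messages (not real traffic).
LEGIT = b"""From: Kurt Sippel <ksippel@example.com>
To: controller@example.com
Subject: Invoice

Please pay the attached invoice. -K
"""

LOOKALIKE_DOMAIN = b"""From: Kurt Sippel <kurt.sippel@examp1e.com>
To: controller@example.com
Subject: Invoice - urgent

Please pay the attached invoice today. -K
"""

REPLY_TO_SWAP = b"""From: Kurt Sippel <ksippel@example.com>
Reply-To: kurt.sippel@webmail-example.net
To: controller@example.com
Subject: Invoice

Reply with the payment confirmation. -K
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE_DOMAIN),
                          ("reply-to", REPLY_TO_SWAP)):
        print(label, impersonation_findings(sample) or ["no findings"])
```

In practice a gateway would hold flagged messages for review rather than block them outright, since executives do legitimately send from personal addresses on occasion; the point is that the warning reaches the recipient before the invoice is paid.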
Sippel’s company has seen a spike in the number of businesses looking to install the latest security tools and learn the protocols for using them to protect confidential data.
“Three things are driving this,” he said. “First you have human error. People just lose devices. They also make mistakes about what to trust or how to follow routines set in place. That includes maintaining patches and updating firewalls and licenses.
“Second, you have the rise in mobile computing. People are using all types of devices in the workplace. While you might have protection inside the corporate firewall, what happens when that worker is outside? In these days of working wherever, whenever with whatever, security for mobile devices is often forgotten or even turned off.
“Finally, it’s becoming easier and cheaper to get into the hacking business,” he said, citing a recent study by Dell SecureWorks finding that all types of malware are becoming much cheaper and continue to offer a low barrier to entry for cybercriminals looking to steal information.
Among the findings, Sippel said: Hackers are offering to steal personal emails from Gmail or Yahoo accounts for $129. Offers to hack into corporate email accounts cost more: $500 per mailbox. Tutorials for new hackers, such as how to send phishing emails, can be purchased online for $20 to $40. Remote access “trojans,” which allow cybercriminals to secretly control other people’s computers from a distance, can go for as little as $5 to $10.
“You have to try to be a step ahead, or you lose,” Sippel said. “Analysts found hackers hawking their goods like a typical startup company. One ad offered ‘free-trial attacks.’”
One of the more disturbing trends for businesses, he said, is ransomware. A company’s computers are penetrated through some type of security breach and all of the information is locked until a ransom is paid, typically a relatively small sum in the hundreds to a few thousand dollars. If you don’t pay the criminals, you lose the files forever.
“Imagine you arrive at your office one day to find all your computers padlocked, and a man in a mask demanding $5,000 to give you the key. That’s what ransomware is like,” he said.
He said two of his Madison clients have been attacked and, because they had adequate backups, their information was recovered without payment. He said ransomware attacks are growing more frequent thanks in part to two technology trends: the increasing processing power of computers (which are now so powerful that they can encrypt their own files in a matter of hours) and the rise of anonymous payment systems such as Bitcoin (which make it easy for criminals to accept payment without fear of being traced).
“If your company gets infected, you face two very hard choices,” Sippel said. “Either spend multiple days recovering the locked files from backups—during which time you’ll endure user downtime, lost sales and angry customers—or pay ransom to an organized crime syndicate.”
Sippel noted a recent incident at a California hospital, the Hollywood Presbyterian Medical Center. In February, the hospital was forced to take its PCs offline so its technicians could contain a ransomware outbreak and restore their files. Staff spent 10 days relying on fax machines and paper charts. In the end, the hospital paid $17,000 in ransom, just to avoid even more protracted downtime.
In 2014, the FBI received over 1,800 complaints about ransomware, an estimated loss of more than $23 million. In 2015, the bureau received over 2,400 complaints, and victims lost over $24 million.
“Everyone should be concerned. It’s the number one problem facing the computer security industry and it’s very, very difficult to solve,” Sippel said. “They prey on people’s willingness to click on the latest viral videos; they prey on people’s willingness to click on Facebook links.”
But companies can fight back, he said.
“Good user habits, common sense, backups and patching. With those basic things in place, I think you can minimize your exposure. That’s what we’re here to do.”