Redefining targeted attacks

New Dark Web forums are rapidly redefining the nature of targeted attacks by offering organised criminal groups (OCGs) ease of access to highly specialised services tailored to spear phishing attacks.

Because of the escalating nature of this threat, KCS is advising clients to urgently overhaul their security procedures.

The forums increasingly provide a fertile recruiting ground for skilled internet fraudsters and the social engineering experts needed to bait the hook for carefully planned and executed spear phishing attacks. These services are generally paid for in the hard-to-trace virtual currency Bitcoin.

"Enigma", a now defunct website, provides a concrete example of this type of forum. Described as "a kind of eBay for data breach targets", Enigma brought together far-flung opportunistic hackers, hired guns and those wishing to harness those resources. The forum was reportedly taken down when, ironically, its administrators discovered it to have been infiltrated by spies.

The fact that the OCGs are prepared to pay surprisingly large sums to hire this type of specialist is evidence of the increasing sophistication of targeted attacks. The practice also significantly lowers the barrier to entry for would-be cyber criminals, as much of the expertise, and much of the malware, is now available off the shelf. The cyber criminals involved may themselves actually possess few, if any, IT skills, preferring to hire the necessary expertise where required.

Organisations must, therefore, start to be far more stringent in guarding against targeted attacks. All staff should be made fully aware of the dangers of opening email attachments from unknown sources, as these can unleash malware into the organisation's IT systems, compromising the entire network.

But employees must also be wary even of emails from apparently trusted sources, as email addresses are notoriously easy to fake; changing a single letter or punctuation mark is enough to confuse even the most vigilant member of staff. The OCGs' ability to hire social engineering experts on Dark Web forums can make this type of attack particularly dangerous: a message sent via email might have all the personal hallmarks of a senior executive within the organisation.
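The single-letter or punctuation change described above can be caught mechanically in a mail triage script. The following is an added example, not part of the original article: it flags sender domains that sit within one edit of a trusted domain, and the domain names and function names are constructed for illustration.

```python
import re

# Assumption: the organisation's own and its bank's domains (constructed values).
TRUSTED_DOMAINS = {"example-corp.com", "examplebank.co.uk"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def strip_punct(domain: str) -> str:
    """Drop the punctuation an attacker can add, move or remove unnoticed."""
    return re.sub(r"[-._]", "", domain)

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=1) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a bare address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if (edit_distance(domain, good) <= max_distance
                or strip_punct(domain) == strip_punct(good)):
            return f"lookalike:{good}"
    return "unknown"

# Constructed sample senders, not taken from any real incident.
SAMPLES = [
    "ceo@example-corp.com",         # genuine spelling
    "ceo@examp1e-corp.com",         # letter l replaced by digit 1
    "ceo@examplecorp.com",          # hyphen dropped
    "accounts@example-bank.co.uk",  # hyphen added
    "ceo@e-x-ample-corp.com",       # several extra hyphens
    "news@unrelated.org",           # not close to any trusted domain
]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{sender:32} {classify_sender(sender)}")
```

A "trusted" result only means the domain is spelled correctly; whether the message really came from that domain is a separate check (SPF, DKIM and DMARC results).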

For this reason, companies must now also start to educate staff on how to use social networking sites such as LinkedIn and Facebook safely. Essentially, employees must not post work details of any kind on these networks. For example, should an OCG glean that a certain key executive is on holiday in Barbados for two weeks, it would be relatively simple to create a fake email either requesting a funds transfer or asking to be reminded of the log-in details needed to access critical parts of the corporate database. The more personal information the executive has released on social networking sites, the easier it is for the OCG to create a highly plausible message packed with personal details and references.

Staff should also be aware that OCGs do not confine their attacks to the Internet, and be taught to treat incoming phone calls from people whose voices they do not recognise with caution. A variation on the standard e-mail phishing attack is a "Friday afternoon" phone call. A small investment bank was recently caught out in this way by a socially engineered call falsely purporting to come from the company's bank, Coutts, requesting a significant cash transfer. The company finance officer (CFO) took the convincing-sounding call and, anxious to leave for the weekend, complied without calling Coutts to verify the caller. As a result, the CFO lost his job.

This type of orchestrated attack is proving to be particularly effective where organisations such as law firms are concerned.

Any organisation with a relatively hierarchical structure urgently needs to put safeguards in place to avoid staff complying with, for instance, urgent requests for cash transfers appearing to come from senior partners.

Stuart Poole-Robb is the chief executive of business intelligence and cyber security adviser, the KCS Group
