91% of Cyber Attacks start with a Phishy Email.
Everybody has heard of hacking. Movies and tv shows like “The Girl with the Dragon Tattoo” and “Scorpion” have glamorized it, organisations such as the National Cyber Security Centre have warned of the terrors of it and many businesses like ours, offer cybersecurity services to combat it.
But, despite all of the media attention it receives, hacking, how it is carried out, and its implications are largely unknown. With the age-old saying, “prevention is better than cure” in mind, we seek to inform you of how cyber attacks occur so that you and your business can take measures against them.
So, what exactly is hacking? Well, simply put and as defined by The Economic Times,
“Hacking is an attempt to exploit a computer system or a private network inside a computer…it is unauthorised access to or control over computer network security systems for some illicit purpose.”
Despite its frightening definition, and even more frightening impacts, hacking does not normally receive the attention it deserves. This is surprising when we consider how of the 15 largest data breaches in history, 10 took place in the last decade, according to The Business Insider.
But when we think of data breaches, it is not always hacking that comes to mind. Perhaps one of the most extensively publicized breaches in history was the Cambridge Analytica Scandal. Once a reputable and now scandal-ridden data analytics company, Cambridge Analytica harvested millions of voters data and used it to influence elections and political events across the world.
Although the devastating impacts of this scandal are indisputable, it is not a stand-alone incident.
There have been many other data breaches of a relatively similar scale that seemed to have slipped under the radar.
Even if we turn to moz.com and look at the data behind this. The phrase “Cambridge Analytica’ receives between 11,500 and 30,300 searches every month.
The word “hacking”, on the other hand, only receives between 2,900 and 4,300 searches per month.
This is shocking when we consider that hacking and cyberattacks unless specifically combated against, have the potential to target everybody from a multinational corporation to a small privately held business. This blog post aims to bring to light the hacking incidents that many companies hoped you would forget.
The Yahoo data breach of 2014 (reported in 2016), did, admittedly, garner some attention. Most people know that Yahoo’s system was compromised, that data was stolen and that if you met very specific criteria you may have even received some compensation because of it. However, very few know what exactly happened.
According to CSO Online, the FBI claim that this multi-billion dollar data breach originated from a single spear-phishing email sent to a Yahoo employee. Although it is unclear how many targeted emails were sent and to whom, it only takes one wrong click to propel a hack into motion. The detailed analysis by CSO Online revealed that the hacker required only two key tools; Yahoo’s user database and the Account Management Tool used to edit it.
Following this, the hacker installed a backdoor so that they could re-access Yahoo’s system. A couple of months later, in December of 2014, the hacker copied Yahoo’s database onto their own computer and generated cookies to target victims that were of particular interest to their deep-pocketed buyer. Source: CSO Online
But what were the impacts of this?
Well, the hacker gained access to roughly 500 million accounts, according to CSO Online, and generated cookies for approximately 6,500 accounts. Nat Law Review claims that the next day Yahoo’s stock price dropped by 3% and the company subsequently lost $1.3 billion in market capitalisation. Perhaps most pivotally, the company had to pay $35 million to the US Securities and Exchange Commission for failing to disclose the security breach in 2014, according to The Irish Times.
Although the argument can be made that the Yahoo data breach occurred in 2014, before technology was so advanced and before people really understood the value of data, such large scale data breaches are not a thing of the past. It wasn’t until 2018 that Marriott disclosed the data breach that it endured. In a detailed report by The Washington Post, it was revealed that hackers gained access to the Starwood Guest Reservation System (which merged with Marriott in 2016) in 2014. CSO Online confirmed that Marriott has not released the exact details pertaining to how the attack was carried out, however, the testimony of Marriott CEO Arne Sorenson did confirm that the attack was detected after “a query [was made] from an administrator’s account…we [then] learned that the individual whose credentials were used had not actually made the query”.
Sorenson confirmed that Remote Access Trojan (RAT) and Minikatz, a tool for “sniffing out username/password combos in system memory” (source: CSO Online) were the two key tools used. Owing to the nature of these tools, it is likely that the hack originated from a phishing email and one wrong click.
The epidemic of phishing attacks may come as a surprise to most, however, it is far more common than you may think. According to our partner VadeSecure, 71% of all emails sent in 2017 included malware, phishing, CEO fraud, and spam. Moreover, 91% of cyberattacks start with an email.
But what were the impacts of the attack?
The greatest impact that emerges from this data breach is the amount of customer data that has been stolen. The Washington Post report that everything from “familiar information — such as names, addresses, credit card numbers, and phone numbers — and also rarer prizes for hackers, such as passport numbers, travel locations, and arrival and departure dates” was accessed. This is particularly valuable for those wishing to track the movements of diplomats or business executives (source: The Washington Post). Sorenson claims that 383 million guest records were involved in the attack and that roughly 18.5 million encrypted passport numbers had been downloaded. He admits it is likely that some of the guest records are duplicates, however, because of the nature of the data, it is challenging to de-duplicate them.
This hack has not only exposed guest’s personal data, but it has also exposed Marriott to several class-action lawsuits (source: CSO Online) and a £99 million fine by The UK’s Information Commissioner’s Office, according to RTE.
However, it is not just large multinationals that fall victim to cyberattacks and data breaches. In fact, the latest report by the European Union Agency for Network and Information Security (ENISA) Threat Landscape Report found that 61% of breaches in 2018 affected organisations with fewer than 1,000 employees. (Source: IT Governance).
While attacks on small businesses may not receive as much publicity as those on larger corporations, they are still extremely prevalent. According to Small Business Trends and Symantec’s 2016 Internet Security Threat Report, 43% of cyber attacks target small businesses.
This is unsurprising when we consider that “only 28 percent of the companies represented in this study rate their ability to mitigate threats, vulnerabilities, and attacks as highly effective.” Source: 2018 State of Cybersecurity in Small & Medium Size Businesses
However, perhaps what is most shocking about attacks on small and medium-sized businesses is the devastating impacts they can have. The aforementioned 2018 report detailed how companies spent an average of $1.43 million in 2018 in the aftermath of an attack.
As well as this, U.S National Cyber Security Alliance found that 60 percent of small companies go out of business within just 6 months of sustaining a cyberattack.
How vCloud.ie Helps Protect Your Business.
Our CEO, Andrew Tobin, recently discussed the details of a cyberattack that targeted the CFO of a small business he knows. Andrew outlined how the company’s CFO received an email which “included all the original thread of dealing with a supplier” and simply requested that the company noted the updated IBAN on the invoice. He notes how the email had a previous trail that was legitimate and that simply, “it was intercepted…but it looked one hundred percent correct in relation to the invoice…everything was perfect”.This example illustrates how easy it is to fall victim to an attempted phishing attack.
Even private individuals are not immune to attack. Andrew also noted an attack he learned of shortly after making a presentation at an IT Security Conference. He received a call from quite a distressed woman who explained to him how she had just fallen victim to a spear-phishing attack (an email sent by cybercriminals that specifically targeted her). Andrew explained that she had been renovating her home, “she got an invoice from the builder for 22,000 euros…everything looked 100% legitimate”. She transferred the money, unaware that she had been targeted and, upon realising she had been defrauded, contacted the police. “The police say that the money [had been] transferred to a bank in Cork…it was transferred to London and then it was taken out over ATMs” Andrew explained, “There is no recourse…the money is gone”.
The impacts that hacking can have are truly devastating. They can cost everyone from wealthy multinationals to ordinary private citizens great deals of money and hardship. Unfortunately, the statistics speak for themselves and with 91% of cyberattacks starting with just an email (source: VadeSecure), it is absolutely essential to mitigate against attacks.
Find out more about how you can protect yourself and your business with improved email security or have your company’s Cyber Security Vulnerabilities Assessed.