The Anatomy of a Cyber-Attack Explained
A Cyber-Attack Dissected: How they get in, what they do, and what you can do!
by James Harper, Solutions Architect, Maxsum Consulting.
Fraud is nothing new – people have been tricking other people into parting with their money since money was invented. But while the internet has made many things easier and faster – connecting with friends and family, paying bills, and otherwise moving money around – so too has the internet made it easier for fraudsters to get at things that don’t belong to them, and on a much larger scale.
But what does a cyber-attack actually look like in real life? Here we dissect the anatomy of a cyber-attack, stage by stage, in an example similar to real cases we see all the time.
Stage 1 – The duping of the unsuspecting user
The attack starts with an email appearing in your work inbox.
This email is from someone you know, and is asking you to review a document. It may also stress that there is some urgency in you doing this.
The email contains a link to the document.
You click the link and are taken to Dropbox – a popular file storage and sharing site where you can upload documents to store and for others to download. The Dropbox website asks you to log in. You are given a few options for logging in – one of which matches the Office 365 application that you use for your corporate email.
You click the Office 365 option and are taken to the Office 365 login page.
You type in your username and password, but get a message saying that something is wrong, and to try again later.
Stage 2 – The attackers get busy
Your part in this is now pretty much over. The Dropbox page wasn’t Dropbox, it was something that looked like Dropbox. The Office 365 page wasn’t Office 365, it was something that looked like Office 365.
The attacker now has your username and password, and they get busy.
First, all your contacts are sent the same email that you received, starting the next cycle of attacks. This is how the email came to you in the first place – probably from someone you know and trust who was tricked into handing over their username and password.
The attacker also makes a change to your email so that a copy of every email you receive is forwarded to them. This allows them to get copies of “I forgot my password” emails that are sent to you.
Stage 3 – The attackers select their targets
If you hold an accounts receivable position in your company, anyone in your contacts list who looks like a customer is sent new bank account details. Those bank details belong to the attacker, so your customers pay them instead of you.
If you hold a senior position in your company, your finance staff will likely be sent a request to do a bank transfer, or to pay an invoice.
If you use the same password for your banking, the attacker could gain access to your bank account. If you don’t, the attacker now has control of your inbox, so they can request password resets to your banking, and pretty much any online service you use.
Stage 4 – What can you do?
You’ll need help, and fast! Don’t waste time trying to clean up this mess yourself. Contact your IT Department or Managed Services Provider as soon as possible and give them as much information as possible and answer any questions they ask honestly. This is no time for playing the blame game, but it is time to leverage your business technology support channels and partnerships to get the fastest action and outcomes.
Stage 5 – What we will do!
The first thing we will do is to help you change your email password, and remove anything in your email account that would forward email to the attacker.
Next, we will try to understand how the attacker got your email password. If you remember receiving an email that you now think was suspicious then we can move on with cleaning things up. If not, then we would want to investigate a little further just in case there is some other method that was used to get your email password. There might even be something on your computer that is sending everything you type to your attacker, in which case they probably have more than just your email password!
Then, we would want to find out what email the attacker sent while they had access to your email. The attacker will have gone to some lengths to delete any trace of this – they want to keep access to your email for as long as possible without you noticing.
Finally, we would encourage you to send an email to those recipients explaining that someone has been sending email pretending to be you, and asking them not to click any links in any email that came from you recently.
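As an added example (not code from the original post or from Maxsum), this is the kind of check an IT team can run over Office 365 mailbox audit records to find the forwarding described in Stage 2 before cleaning up. It assumes the organisation's own domain is example.com and uses a constructed sample of simplified audit records in the name/value shape Exchange writes.

```python
"""Flag mailbox changes that forward a user's mail outside the organisation."""

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Cmdlets and the parameters on them that can send a mailbox's mail elsewhere.
FORWARD_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}

# Constructed sample records, simplified from the Exchange audit log shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-03-04T02:11:09", "UserId": "alice@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Review"},
                    {"Name": "ForwardTo", "Value": "reader@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-03-04T09:30:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2019-03-05T11:02:44", "UserId": "carol@example.com",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol@example.com"}]},
]


def _domain(address):
    """Return the lower-cased domain part of an SMTP address ('smtp:' prefix stripped)."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def external_forwards(records, internal_domain=INTERNAL_DOMAIN):
    """Return (user, operation, destination) for every forward that leaves internal_domain."""
    hits = []
    for rec in records:
        watched = FORWARD_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters", []):
            if param["Name"] not in watched:
                continue
            # ForwardTo may list several addresses separated by ';'
            for dest in str(param["Value"]).split(";"):
                dest = dest.strip()
                if dest and _domain(dest) != internal_domain.lower():
                    hits.append((rec["UserId"], rec["Operation"], dest))
    return hits


if __name__ == "__main__":
    for user, op, dest in external_forwards(SAMPLE_RECORDS):
        print(f"{user}: {op} sends mail to {dest} - review and remove")
```

Carol's forward stays inside the company domain and is not flagged; Alice's rule, which also deletes the forwarded message so she never sees it, is the one to remove.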
Stage 6 – Respond, review, refine, repeat!
This time you’re lucky, no lasting damage was done!
The attackers are getting very good at this though. A few years ago you’d get an email from an attacker that was full of spelling and grammar errors, and used non-Australian terms like “wire transfer”, and it was fairly easy to know that the email was a scam.
In some cases the emails are still obviously very poorly prepared, but attackers are spending more time on their attacks. They monitor your email for a while without sending anything or doing anything to make the attack obvious. They time their attacks to busy periods or when key staff are away. Busy staff are less likely to question requests for money transfers, and could skip internal business processes like requiring manager’s authorisation for large money transfers.
And it’s always changing and evolving. To protect your business, users and their data, the way you detect, address and respond to cyber-attacks will need to be constantly changing and evolving as well. This will involve you building respond, review, refine, repeat mechanisms into your business processes to identify and resolve vulnerabilities in your front line.
Top Tip: Your most important asset is also your best weapon!
When all is said and done, your people are actually the most important part of effective cyber security. People are often the first line of defence, so building understanding within your organisation about cyber risks and attack routes, and training your users to be on guard, is not only beneficial, it’s a must! Why? We’re sure you’ve heard about the recent introduction of the GDPR and the Notifiable Data Breaches Scheme rolled out in Australia in February, which have newly mandated the reporting of eligible data breaches. The first quarterly report released by the OAIC reported that “just over half the eligible data breach notifications (…) received in the first quarter indicated that the cause of the breach was human error.”
At Maxsum, we talk about security being a layered thing. We design layers of security on the network in the expectation that if an attack does compromise one layer, it will be caught by the next. There are a myriad of technologies that contribute to this – firewalls, antivirus software, antimalware software, spam filters, multifactor authentication, and lots of other technical sounding words – and then there is you.
Remember that you are a very important layer in the world of cyber security. Think before you click.