In a world where billions of username/password combinations have been compromised by hackers, it is increasingly difficult to be certain that the sender of an email is the person that they claim to be. Masquerading and fictitious social accounts, copycat domains, online user groups, and rogue websites are becoming more common. These fraudulent online personalities and properties are often the launching pad for socially engineered attacks such as BEC schemes.
BEC attacks grew in sophistication and effectiveness in 2016, compromising organizations in every sector, from leading healthcare organizations and an NBA team to financial institutions, the World Anti-Doping Agency, John Podesta and the Democratic National Committee. The cost of these attacks: tens of millions of dollars, incalculable reputational damage and, possibly, an election.
Exploits driven by stolen or invented identities are a menace, and BrandProtect analysts believe that trend will continue in 2017. CISOs and Digital Governance teams need to prepare their own company, and also protect other companies from BEC and socially engineered attacks that are launched under their company's identity or corporate personality.
Most often, these attacks appear as inbound attacks that target finance, HR, or other individuals with access to funds or valuable IP. But fraudulent identities are also used to lend legitimacy to attacks against external targets. Business partners, suppliers, competitors, customers, and members of the general public can all be victims of these attacks.
In order to protect their company's reputation from the potentially devastating headlines that follow successful BEC attacks, CISOs and Digital Governance leaders are rapidly implementing defensive strategies, including end-user education, and anti-phishing protections. But to truly limit financial and reputational exposure, corporations must expand their strategies to limit the possibility of becoming an unintended accomplice in an externally targeted BEC or socially engineered attack.
How? It starts with understanding how others might be appropriating your corporate identities or personalities online. Every duplicate or unauthorized social media account, user group, or internet domain represents a serious risk to an enterprise. Left unchecked, they can become launching pads for internally or externally targeted attacks.
Most of us are familiar with the cloning of a Facebook, LinkedIn or other profile: without any warning, we get a friend request from someone we think we already know. The tip-off is that we are already connected to the real person. This is a social engineer at work, trying to populate a fake profile with legitimate connections.
Another common ploy on professional networking sites is to create a fictitious profile and populate it with a professional biography copied from a legitimate one. Suddenly there is a new Vice President of Human Resources from your company on LinkedIn, reaching out to others and building relationships. The work history on the profile looks convincing because it is real work history, lifted from a real profile. The people who connect and network with this imposter don't know that.
Suddenly, anything is possible from the fake account. The imposter might try to introduce malware such as ransomware into a corporate network: "I have a new job description I'm working on, would you review it and send me comments? And of course, forward it to anyone you think might be interested..." This message will be sent through a private channel, for example InMail on LinkedIn. The sender will seem trusted (even though they are an imposter) and the attachment will contain a job description plus the malware. Another possible exploit involves fake news: the fraudulent account might "leak" a company announcement about a merger or a new business deal, or a plant closing or opening. The news will look legitimate, and people will react.
It is not hard for social engineers to find profiles on Facebook or on other social or professional networking sites and create these duplicate or fictitious accounts. BrandProtect’s own research found numerous duplicate Twitter and LinkedIn accounts among Fortune 500 CEOs, for example. Every week BrandProtect analysts are busy identifying and removing imposter accounts, social domains, and web properties that potentially threaten our clients.
What should a CISO or Digital Governance team do? The best first step a company can take to reduce these risks is a complete, in-depth internet risk or social risk audit. The best audits are performed by threat detection experts with extensive technology tools to scour the surface, deep and dark web for authorized and unauthorized activities. The audit results will include social profiles, user groups, blog sites, web domains, mobile app stores, and other online locations and properties where the company's brand, executive identities, or other digital content is used.
To reduce the risk that the company identity is attached to rogue email attacks, companies should implement comprehensive security-centric or threat-oriented domain monitoring, usually obtained through an expert services provider. Unlike simple legal/trademark domain monitoring services, threat-centric services include active MX-record monitoring: proactively watching for copycat domains that are newly configured to handle email, whether they are freshly registered or old, dormant lookalike domains that suddenly acquire mail records. A lookalike domain that gains an MX record is being readied to receive replies, and these are the places where the most sophisticated and effective socially engineered attacks originate. Two caveats a practitioner should keep in mind: a forged message can be sent without any MX record at all, so MX monitoring is a signal to act on rather than a complete detector, and monitoring cannot stop direct spoofing of the company's own domain, which requires publishing SPF, DKIM and DMARC records for it.
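The following is an added example of what threat-centric MX-record monitoring for copycat domains looks like in practice; it is not BrandProtect's tooling or code from the original article. It generates common lookalike variants of a brand domain (character omission, transposition, homoglyph substitution, TLD swap), resolves MX records for each, and reports which lookalikes are mail-enabled and which are newly mail-enabled since the previous run. The brand domain `example.com`, the DNS answers in `SAMPLE_MX`, and the resolver function names are constructed for the example; the optional `dns_resolver` assumes the dnspython library is installed.

```python
"""Added example: generate copycat domains and flag those that acquire MX records."""

# Visually confusable substitutions (a small, constructed table; real tooling uses far larger ones).
HOMOGLYPHS = {"m": ["rn"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"], "a": ["4"]}
# Alternate TLDs attackers commonly register against a brand (constructed list).
ALT_TLDS = ["com", "net", "org", "co"]


def lookalike_domains(domain):
    """Return a sorted list of copycat candidates for `domain` (the original is excluded)."""
    name, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(name)):                       # omission: exmple
        names.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # transposition: examlpe
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, ch in enumerate(name):                    # homoglyph: exarnple
        for sub in HOMOGLYPHS.get(ch, []):
            names.add(name[:i] + sub + name[i + 1:])
    candidates = {f"{n}.{tld}" for n in names if n}
    candidates.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap: example.co
    candidates.discard(domain)
    return sorted(candidates)


def find_mail_enabled(candidates, resolve_mx):
    """Map each candidate that has MX records to its list of MX hosts.

    `resolve_mx(domain)` must return a list of MX hostnames, empty when the domain
    does not exist or has no MX record.
    """
    hits = {}
    for d in candidates:
        mx = resolve_mx(d)
        if mx:
            hits[d] = mx
    return hits


def newly_mail_enabled(previous, current):
    """Domains that have MX records now but did not in the previous snapshot."""
    return {d: mx for d, mx in current.items() if d not in previous}


# Constructed DNS data standing in for a live resolver: two lookalikes already have MX records.
SAMPLE_MX = {
    "exarnple.com": ["mail.exarnple.com"],
    "example.co": ["mx.bulk-mailer.example"],
}


def sample_resolver(domain):
    """Offline resolver over the constructed SAMPLE_MX table."""
    return SAMPLE_MX.get(domain, [])


def dns_resolver(domain):
    """Live resolver using dnspython (assumed installed); returns [] on NXDOMAIN/no answer."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(domain, "MX")
    except dns.exception.DNSException:
        return []
    return [str(r.exchange).rstrip(".") for r in answer]


if __name__ == "__main__":
    candidates = lookalike_domains("example.com")
    current = find_mail_enabled(candidates, sample_resolver)
    # Pretend the previous run already knew about example.co; only exarnple.com is new.
    previous = {"example.co": ["mx.bulk-mailer.example"]}
    for d, mx in newly_mail_enabled(previous, current).items():
        print(f"ALERT: lookalike {d} is newly mail-enabled via {', '.join(mx)}")
```

Run this on a schedule, persist the snapshot between runs, and alert only on the diff; swap `sample_resolver` for `dns_resolver` to query live DNS. Because the candidate space is finite and attacker-controlled registrations may fall outside it, pair this with a feed of newly registered domains or certificate transparency logs, and treat an MX hit as a prompt for investigation and takedown rather than proof of an attack in progress.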
A successful BEC or socially engineered attack usually achieves spectacular, headline-grabbing results. In an instant, the victimized company loses cash, trade secrets, IP, or other valuable content. It also endures reputational damage: the individuals who were compromised, and the teams that should have protected them, are professionally tarnished, and often their career trajectories are altered. Just ask the people at Snapchat, who in February 2016 were duped into releasing years of payroll information to a cybercriminal posing as the Snapchat CEO.
The stakes could not be higher for CISOs and Digital Governance teams. If you would like to learn more about how a simple internet risk audit could change your threat readiness, click here.