This is a continuation of last week’s article that looked at stealth malware infection from a malicious phishing email.
Phishing Emails
I spend a lot of my time writing and talking about malicious phishing emails. It is the easiest attack vector into your organisation that a threat actor has access to, so it is not surprising that it absorbs a lot of my time. Making sure you and your people understand what a phishing email can look like and the social engineering techniques threat actors use to exploit your trust to get past your defences is an essential cyber security step for any organisation, large or small.
In the majority of cases, your technical defences work and email filtering and anti-virus products work perfectly and stop the threat – as in this screenshot of an email notification I got this morning, minus the infected attachment:
Now this was not a particularly sophisticated social engineering message and was not likely to deceive me into opening the infected attachment if my anti-virus had failed. But what happens when the threat actor does a bit of research on the target before sending the email?
We all put a lot of information out there, which is invaluable to a threat actor when they are crafting an attack. We cannot help it. As businesses we want to sell our things – this means web pages, sales pitches, contact email addresses, free ebooks, profiles on LinkedIn etc., all made publicly available. All available to the threat actor to build a model of you. Have a look at this piece I wrote looking at this practice – it is called OSINT, open-source intelligence:
OSINT – Do you know what it is?
By the way all the information sources I listed above are ones that I use…
But what happens when the AV fails and the message is so good you click?
I outlined this article as I was writing last week’s, “Infected and you didn’t even know it…” article, and had planned at this point to describe clicking on an infected attachment and some of the business consequences of doing so, however…
Phishing emails and the real-world consequences of clicking
Linus Tech Tips is a very popular tech channel on YouTube and the channel has millions of subscribers and more importantly active viewers – our support team members are all regular viewers, as am I. You know where this is going, don’t you – Linus Tech Tips got hacked through a phishing email to their sales team. Watch the video and see how easy it was for the hackers to get in, how hard it was for people with a lot of technical knowledge to cope with the attack and the real-world consequences to their business:
My Channel Was Deleted Last Night – Linus Tech Tips on YouTube
Lessons you should learn from their video
No one was blamed. The person who opened the offending pdf file has their leg pulled in this video and other follow up videos and probably in the office, but they were not blamed.
“… but then on the flip side, I can hardly blame a sales rep or a video editor, or someone in accounting for not being up on the latest in cyber crime. And I also believe that in a healthy organisation, **** actually rolls up the hill rather than down. So there’s not going to be any disciplinary actions because the simple truth is that if we had more rigorous training for our newcomers and better processes for following up… …this could have been easily avoided.
Linus Sebastian – Linus Tech Tips
Everyone should be aware that if a file is opened and it does not respond as expected, it should not be ignored. See my previous article on stealth malware. Have you got a notification process for this situation?
Staff training in cyber security awareness and incident response is essential to contain any problems, to check what you do not know, so you can be ready for the real thing.
In Conclusion
It was a coincidence that Linus Tech Tips got breached using the very techniques I had planned to write about today. Thanks to them for this very useful video and you really need to watch it. If you want a protective cover for any of your tech have a look at their sponsor. (Pushed for time? Then just watch the few minutes starting at 4:58 – however cyber security is important so you really should spare 15 minutes to watch the whole thing.)
Are you ready if the coincidence happens to you? Get in touch if you need help!
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
The Basics of Cyber Security – A quick look at OSINT and Redacting
Why I do not like “Meet the Team” web pages
Infected and you didn’t even know it…
Photo by Gül Işık