Law firms are more alert than ever to the dangers of cybercrime and are increasingly protecting their IT systems. But even firms that have done their utmost to secure their IT systems against cyber-attack are vulnerable to a new threat.
Organised criminal groups (OCGs) habitually use social engineering – the process of carrying out detailed research on key staff members via social networks such as LinkedIn, Facebook and Twitter – in order to commit frauds and scams. Typically, this takes the form of a ‘spear phishing attack’, where a spoof email purporting to come from a boss, or some other trusted senior individual, is sent to a staff member, requesting passwords, or even large cash transfers for operational purposes.
But as far-fetched as it may seem, there is now also a disturbing new trend in which online social engineering is combined with more traditional ‘spying’ methods. One way of bypassing even the most secure IT defences is to infiltrate building contractors, such as cleaners, or simply bribe the individuals working for them. Once physically inside an office, it is relatively easy for the OCGs to look over employees’ shoulders to see passwords, or to go through bins to search for other privileged information. In the case of contractors working in the evenings, hacking into the system can be even easier as many staff routinely leave their computers logged in when they leave at the end of the day. For this reason, it is important that contractors and suppliers are vetted regularly and their identifications habitually checked. When was the last time, for example, that you checked the badge of the photocopier engineer?
Even when they leave the office, unwary staff can be vulnerable. In order to augment their online research and anything they have managed to glean from infiltrating corporate offices, some OCGs are now approaching staff directly. Sometimes this takes the form of the direct approach of offering staff a bribe. More commonly, the OCG prefers to avoid announcing its presence and uses a confederate to strike up an acquaintance with a targeted staff member in their favourite coffee shop or pub. This ruse works by gradually gaining the confidence of the subject over a period of weeks, before subtly trying to draw out privileged information from the unsuspecting employee.
On other occasions, criminals use the age-old practice of ‘honey traps’ – attractive members of either sex – to befriend a staff member. Often, the initial approach is made through an innocent-looking message via LinkedIn or Facebook suggesting a coffee or a lunch to discuss mutual professional interests. Sometimes, a lucrative job offer is dangled in front of the employee as a carrot to encourage them to make the meeting in person.
Once hooked, there are a number of possible outcomes from such a meeting – none of them good news for the organisation that is being targeted. One result could be that the honey trap succeeds in gaining the unsuspecting staff member’s confidence to a point where he or she unwittingly reveals confidential information.
In some cases, however, the honey trap may decide to develop a closer relationship with the target employee to a point where, in the case of married staff, the subject can be blackmailed into revealing sensitive information. Disgruntled or former employees, can also be approached in this way with a view to bribing them into assisting the OCG to break into the target organisation’s IT defences.
Social engineering can be used to lay the foundation for this type of approach by building up a detailed profile of the target employee over a period of time before contact is initiated. People routinely reveal far more about themselves than they realise when using social networking services. Even an innocent photograph posted on LinkedIn, together with a straightforward CV and list of interests and hobbies, is pure gold to someone wishing to make a casual approach to a targeted staff member. The photograph enables the criminals to recognise the targeted employee in public, and the personal information can be used to initiate a casual conversation which quickly appears to reveal mutual interests.
Similarly, Facebook entries, which are typically used to relate social events and keep up with acquaintances, can easily be used for criminal purposes. For example, knowledge of where someone likes to eat or a planned visit to a pub or concert with friends can provide the OCG with an opportunity to use a gang member or one of their confederates to strike up an acquaintance.
The level of success of this kind of online targeted research coupled with physical intrusion being achieved by OCGs can be gauged from the fact that KCS’ own research reveals that 80 per cent of successful cyber intrusions can be traced to a member of staff. This is sometimes the result of a disgruntled employee seeking profit or revenge; but frequently, the OCG has used a combination of social engineering and physical intrusion methodologies to manipulate the employee or simply gain access to their log-in details.
It is vital to stress that these are not issues confined to large firms alone. Information is currency on the dark web and anything that can be used as leverage, will be. Even if a small or medium-sized firm itself is not the end-target, it is almost always a conduit to bigger firms, via email communication, information transfer, or formalised relationships. It is short-sighted for a smaller firm to claim no involvement, or no need to take precautions, as they are often the weakest links in the chain. If firms do not act on this threat, they’re essentially giving hackers carte blanche.
Firms should, therefore, warn staff of the potential dangers of revealing too much information about themselves on social networking sites and also the correct way to adjust their LinkedIn,Twitter and Facebook accounts to restrict who can view them. They must also be warned of the dangers of divulging any type of company information to strangers and casual acquaintances. All employees should fully understand that a security leak can potentially cost their company huge sums of money, immense reputational damage and, in the case of a serious attack, can even result in the company going bust.
Stuart Poole-Robb is the chief executive of the KCS Group Europe. Stuart began his career intelligence and security when he served in the Royal Air Force, mainly in Middle East locations, before moving to the Special Investigation Branch. He is the author of many papers and books on security, intelligence operations and worldwide threats, including Risky Business.