Written By: Michael McCartney, President of DIGITS, LLC – A Division of Avalon
I think we can all agree that the FBI is badass. So when they say something is threatening us, it’s for real. In November 2009, the FBI issued their first official warnings concerning spear phishing attacks targeting U.S. firms.
A spear phishing attack is a targeted e-mail, for example one sent to a high-level executive of a firm that appears to originate from another executive within the same firm. The attacker's e-mail follows the firm's own address convention (e.g., email@example.com), so the sender looks internal, and the content can be as simple as, "After our conversation last week, I found this interesting article that I thought was very much on point for your matter." The e-mail carries an embedded link that, if clicked, takes the recipient to a website that serves the referenced article together with a payload giving the attacker remote access to that computer. That foothold is an entry point into the corporate network and, depending on the level of access the victim has, the attacker can move laterally to other systems and data as well.
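The lure described above has several checkable traits: a display name that matches an insider, a sender domain that imitates the firm's, a bounce address on some unrelated domain, and a link pointing outside the firm. The following is an added example, not code from the original post or from Avalon, showing how a mail gateway rule might score an incoming message on those traits. The firm domain (`example.com`), the executive directory and both sample messages are constructed for the example.

```python
"""Heuristic spear-phishing check for messages that imitate an internal sender.

Added example; the firm domain, the executive directory and the two sample
messages below are all constructed assumptions, not data from the post.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example.com"                            # assumed firm domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed directory
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_internal(domain: str) -> bool:
    return domain == FIRM_DOMAIN or domain.endswith("." + FIRM_DOMAIN)


def body_text(msg) -> str:
    """Collect the text/* parts of a message (handles single-part and multipart)."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    chunks = []
    for p in parts:
        if p.get_content_type().startswith("text/"):
            raw = p.get_payload(decode=True) or b""
            chunks.append(raw.decode(p.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def analyze_message(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 2. Sender domain is a near-miss of the firm's domain.
    if not is_internal(from_dom) and edit_distance(from_dom, FIRM_DOMAIN) <= 2:
        findings.append("lookalike-domain:" + from_dom)

    # 3. Bounce address lives on a different domain than the visible sender.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and domain_of(rp_addr) != from_dom:
        findings.append("return-path-mismatch:" + domain_of(rp_addr))

    # 4. Links in the body that leave the firm's domain.
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_internal(host):
            findings.append("external-link:" + host)
    return findings


# Constructed sample: the lure from the text, sent from a look-alike domain.
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Return-Path: <bounce@mailer.example.net>
To: John Roe <john.roe@example.com>
Subject: Article on point for your matter
Content-Type: text/plain

After our conversation last week, I found this interesting article:
http://articles.examp1e.com/article.pdf
"""

# Constructed sample: a genuine internal message with an intranet link.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
To: John Roe <john.roe@example.com>
Subject: Filing
Content-Type: text/plain

See https://intranet.example.com/matters/1234 for the filing.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_message(sample))
```

These are heuristics, not proof: the From header is trivially forged, so a real gateway would combine such checks with SPF, DKIM and DMARC results, and the look-alike threshold should be tuned against the firm's legitimate correspondents to keep false positives down.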
In their initial warning, the FBI stated that they had "assessed with high confidence that hackers are using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms." Since then, we have seen a dramatic increase in successful compromises of law firms, public relations firms, CPA firms, and other professional service organizations. The common denominator among these industries is sensitive client information.
Hackers take the time to scan an organization's network and to study its public-facing websites and social media accounts, gathering the names, roles and relationships that make a spear phishing e-mail convincing. Even heavily defended organizations such as Sony (PlayStation Network), Northrop Grumman and Lockheed invest millions of dollars a year in their corporate IT infrastructure and still fall prey to these attacks.
Recent reports show that hackers target companies that have network security infrastructures not much more sophisticated than a basic home network. In many cases, law firms and CPA firms (especially those that have healthcare, tax, matrimonial, personal injury, and large corporate litigation practices) are prime targets for these hackers.
When a company suffers a data breach, customer lists, confidential client information, medical data, and other valuable information are potentially accessed or stolen. Forty-six states have enacted Data Breach Notification Laws, which obligate a company that suffers a data breach to notify certain government agencies as well as all of the potentially affected individuals. Some states require the company to reimburse the fees each affected individual has incurred because of the breach, and to provide identity theft recovery and credit monitoring services.
The theft of Personally Identifiable Information (PII), payment card data (covered by PCI rules), or Protected Health Information (PHI) can haunt an individual for many years. So it's important to be proactive when protecting your systems; as hardcore as they are, no one wants to actually bring in the FBI.