Saturday, 15 July 2017

The threat of the hacker

In mid-March 2017, four individuals, including two Russian spies, were indicted by the US Department of Justice over the theft of an enormous number of Yahoo! e-mail user account details[1]. The acquisition of this information – corresponding to around 500 million accounts – had been achieved in 2014 using a targeted 'spear phishing' e-mail attack against a key Yahoo! employee[2,3,4]. The attack followed an even larger one against the same company a year earlier, in which around a billion accounts were compromised, and forms the latest in a line of news stories involving companies revealing compromises of user data, with other recent reports relating to FriendFinder (412 million affected accounts), Myspace (359 million accounts) and LinkedIn (164 million accounts)[5], in addition to other high-profile cases involving Ashley Madison[6] and J.P. Morgan[7].

The threat presented by hackers is nothing new, and there are a number of other potential avenues open to third parties determined to gain access to sensitive corporate systems or information. These methods might include: (i) exploitations of known vulnerabilities in software systems used by the organisation in question; (ii) distribution of malicious software ('malware'), which can be used to record the keypresses of corporate employees (e.g. to collect password information) or create 'backdoors' into company systems; or (iii) direct communication with employees (e.g. in the guise of a helpdesk operator) with a view to convincing them to hand over sensitive information such as log-in credentials (so-called 'social engineering').

Stolen e-mail addresses – particularly if present in combination with other security credentials such as passwords – are an extremely valuable commodity which can be traded online in their own right, within forums, private groups, or dedicated websites on the open- or Dark Web. From a criminal's point of view, e-mail addresses can be used for a range of purposes, from identity theft through to the distribution of spam e-mails (e.g. for the purposes of advertising websites or distributing undesirable or malicious software). Following the Yahoo! story, reports emerged that data relating to one billion of the company’s e-mail customer accounts remained for sale on hacker forums, with the criminals offering the full dataset at a price of $200,000[8].

Mitigation of the risk of such attacks generally requires a multi-faceted approach by corporations. Of crucial importance is the implementation of a comprehensive digital security programme, comprising the use of a suite of suitable anti-virus and firewall products, ensuring that software and operating systems are kept regularly updated, and carrying out regular checks of computer systems for vulnerabilities. Additionally, part of the solution should always be an initiative to educate employees on ways to avoid being targeted, such as careful checking of the validity of incoming e-mails and other communications and avoidance of opening attachments in unsolicited mails. The probability of being targeted in a social-engineering attack can also be reduced by encouraging employees to avoid using their company e-mail addresses when posting online, and to refrain from identifying themselves as being associated with the company in all but official communications.

The Yahoo! attack is just one example of a case in which a fraudulent targeted e-mail was sent to a known employee; the use of e-mails to employees which purport to originate from key company executives is a rapidly-growing method for perpetrating fraud. A recent estimate by the FBI stated that these scams have cost organisations more than $2.3 billion in losses over the past three years, with numerous reports of multi-million dollar losses by individual companies ($3 million from Mattel, $17 million from The Scoular Co., and over $46 million from Ubiquiti, all in 2015)[9]. Frequently, the e-mails used in this kind of scam may include instructions for employees to carry out money transfers (e.g. as in a series of cases in Seattle in December 2013, where companies were led to believe that they were sending money to supply partners in China, whereas actually the beneficiary accounts were owned by fraudsters[10]). In many cases, this type of fraud is achieved via the registration of domain names which appear similar to that used for the company's official website and/or e-mail host domain, and using the e-mail functionality of these fake domains to construct convincing 'from' addresses for the targeted e-mails[11,12]. A proactive programme for monitoring new domain registrations, as offered by a number of brand-protection service providers, can be one way of gaining an early warning against such risks.
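Lookalike-domain monitoring of the kind described above, as an added example that is not part of the original article: a Python routine that generates the common typosquat and homoglyph variants of a company domain, flags any matches in a feed of new registrations, and checks whether an e-mail 'from' address uses one of those variants. The company domain, the variant rules and the registration feed are constructed assumptions; a real programme would feed in zone-file or brand-protection data.

```python
"""Flag newly registered domains that look like a company's own domain."""

# Visual substitutions commonly seen in lookalike registrations (assumed list)
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
COMMON_TLDS = {"com", "net", "org", "co"}


def lookalike_variants(domain):
    """Return a set of full domain names that visually resemble `domain`.

    Covers single-character omission, adjacent-character swap, homoglyph
    substitution, character repetition, hyphen insertion and TLD swaps.
    Prefix/suffix additions (e.g. 'shop-example.com') are not covered."""
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                    # omission
        labels.add(label[:i] + label[i] + label[i:])             # repetition
        if label[i] in HOMOGLYPHS:                               # homoglyph
            labels.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                              # adjacent swap
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                               # hyphen insertion
        labels.add(label[:i] + "-" + label[i:])
    labels.discard(label)
    tlds = COMMON_TLDS | {tld}
    variants = {f"{v}.{t}" for v in labels for t in tlds}
    variants |= {f"{label}.{t}" for t in tlds - {tld}}           # same label, other TLD
    return variants


def flag_registrations(company_domain, new_registrations):
    """Return the sorted subset of `new_registrations` that mimic the company domain."""
    watch = lookalike_variants(company_domain)
    return sorted(d.lower() for d in new_registrations if d.lower() in watch)


def sender_domain_is_lookalike(from_address, company_domain):
    """True if the domain part of an e-mail address is a lookalike of the company domain."""
    sender_domain = from_address.rsplit("@", 1)[-1].lower()
    return sender_domain in lookalike_variants(company_domain)


# Constructed sample feed of new registrations (not real data)
SAMPLE_NEW_REGISTRATIONS = [
    "exarnple.com", "examp1e.com", "exmaple.com", "example.co",
    "unrelated.org", "example.com", "shop-example.com",
]

if __name__ == "__main__":
    print(flag_registrations("example.com", SAMPLE_NEW_REGISTRATIONS))
    print(sender_domain_is_lookalike("ceo@examp1e.com", "example.com"))
```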

In addition to the preventative measures described above, it can also be extremely beneficial to carry out Internet monitoring for the appearance of stolen credentials being posted online or offered for sale, so that actions to limit the damage can be taken in as short a timeframe as possible.

Figure 1: Example of a website offering the download and sale of lists of third-party e-mail addresses

References

This article was first published on 23 March 2017 at:
https://www.globalsecuritymag.com/Yahoo-cyber-attack-the-threat-of,20170323,69848.html
