Cyber attacks are real and do hurt, attendees have heard at a seminar on preventing and recovering from cyber attacks at law firm Kemp Little in London.
“The potential business impacts [of cyber attacks] combined with increasing levels of awareness among consumers mean that no sensible business is still ignoring this threat,” said Nicola Fulford, head of data protection and member of the cross-departmental cyber security team at Kemp Little.
Outlining how attacks can happen and the harm that can be caused, Benedict Hamilton, managing director, investigations and disputes at consulting firm Kroll, said there is an exponential growth in the UK of what he called “street level” cyber crime.
“There are crime groups that are operating at similar levels of sophistication as state-sponsored cyber attacks, but a lot of the cyber crime we see requires very little skill to carry out.
“Today there are a growing number of automated cyber crime tools available for free or very little cost and there are YouTube videos demonstrating how to use them,” he said.
As a result, Hamilton said there are small cyber crime groups operational in just about every UK city, using these techniques against individuals and organisations on a daily basis.
Cyber crime, he said, is much more attractive than traditional crime because it can be done easily, it can be done remote, it does not require much skill and the rewards are great while the risks are low.
Popular cyber crime tools enable criminals to do things such as embed malware in documents, spoof email addresses and carry out man-in-the-middle (MitM) attacks on public Wi-Fi connections.
“Most of the incidents we investigate involve one of these three techniques, which are enabling a very large number of crimes,” said Hamilton.
Simply clicking on a document with embedded malware can enable an attacker to take control of a victim’s computer, while spoofed emails or hijacked email accounts can help trick recipients into unwittingly helping cyber attackers believing an email has come from a trusted party, and MitM attacks can be used to harvest credentials for private and corporate accounts.
In one case, said Hamilton, a wealth manager’s email credentials were stolen when he connected to an unsecured Wi-Fi service at a hotel.
The wealth manager’s email account was then hijacked by attackers who sent emails that appeared to come from him, instructing his clients’ banks to transfer funds into accounts held by the attackers.
The attackers set up filters on his account so that all emails from the targeted clients and their banks were routed to the draft folder of his email account, where the wealth manager did not see them and the attackers could access them and reply if necessary.
“Just by using an MitM attack, this particular cyber security gang was able to get away with $2.5m before the targeted clients raised the alarm,” said Hamilton.
Similarly, he said, Kroll has investigated cases where finance department employees at subsidiaries of global firms have been tricked into transferring funds into accounts held by attackers in response to email instructions that appear to come from executives at the parent company and company lawyers.
“We have seen 20 of these worldwide in the past two years, with half of them being in London and overall losses exceeding $40m,” said Hamilton. “It is all social engineering that exploits people’s digital footprint and exploits the fact that people trust emails based on the sender’s address.”
In another case that he said drove home the scale of cyber crime in the UK, an online lending company had £2m of bad debt from 5,000 loans of £400 each.
The online lending firm discovered there were only five passwords shared between the 5,000 accounts and one of those passwords was linked to 4,000 customers who all appeared to bank at the same branch.
“We quickly found that all of the customer names belonged to real people, but their details had fallen into the hands of the cyber attackers as the result of a data breaches at a large retailer, a recruitment company and a direct mailing company,” said Hamilton.
It is important to note, he said, that the even the most destructive hacks do not necessarily have to involve very sophisticated techniques.
“Simply by having weak or easy to guess passwords makes individuals and the organisations they work for vulnerable to attacks that are easy and simple to execute,” said Hamilton.
“There are ways to stop cyber crime, these can be as simple as ensuring passwords are secure, looking out for phishing emails or, as Kroll is doing, working with industry and law enforcement partners to catch cyber criminals and seize their assets,” he said.