“It can’t happen to me”
Hunters and gatherers. Most people think of cybercrime against business as the work of hunters: cybercriminals who target and then infiltrate a company to steal from it. Reading the newspaper, it’s easy to convince yourself that these hunters are after big game and that a small business does not have to worry about these targeted attacks. Maybe; however, we’ll talk more about that later. The majority of cybercriminals can best be described as gatherers. They throw wide nets and take advantage of whatever victims land in those nets. Small businesses really must watch out for the gatherers.
Because the barrier to entry is low, there are many gatherers. A gatherer doesn’t have to be a criminal genius. They don’t even need advanced computer skills. They really don’t need to know much at all—except where to buy a toolkit. Toolkits allow criminals with limited skills to get into the game of gathering and then selling information.
Figure 1. Almost 3/4 of all malware contains more than one type of attack.
The chart above demonstrates the effects that toolkits have had on users. In 2009, Symantec reported that almost 75 percent of malware was capable of performing five different attacks on an infected machine. A typical toolkit today is built to allow the criminal to monetize infected machines in every way possible. Not only can it record everything a user types on a system (keystroke loggers, a simple way to capture any password a user types in), but it can also steal email addresses found on the machine (to sell to spammers or to attack other users) and add new malware to the machine at any time (remote access allows the criminal to download and execute any file they want). Typically, this new malware is a fake AV product and/or a spam bot.
These types of attacks are a concern for everyone. But there are three particular types of attacks that can have a devastating effect on a small business. Here are some of the ways our so-called gatherers will try to steal from your small business.
#1 Steal all the money in your bank account
One of the most prevalent toolkits creates a threat that small businesses should be very concerned about. The name of the toolkit is Zeus.
While a user of the Zeus toolkit can do all the things we just discussed, their first objective is to steal bank account credentials. This is the most lucrative crime and unfortunately the most lucrative victim is a small business.
Why? A small business generally has more money in its accounts than a consumer. However, unlike a consumer, the small business has fewer safeguards in place to guard its financial transactions.
No single gang is responsible for using Zeus. The toolkit is widely available and can be purchased for as little as $700 in the underground economy. It can be bartered for or even stolen. It appears that cybercriminals are not above software piracy and illicit software vendors suffer the same piracy issues as legitimate software vendors.
According to the Symantec Internet Security Threat Report XV, 90,000 unique Zeus binaries were observed in 2009. This does not mean there are 90,000 different gangs behind Zeus attacks; however, it does indicate that the gangs using Zeus have created thousands of unique versions of the threat. And it gives an indication of how hard it is to prevent.
There are many ways that Zeus attempts to separate you from your money. Collecting login and password information from your machine is the simplest. It first attempts to find all passwords stored on your machine. Email passwords or any password saved in Internet Explorer are collected and sent back to the criminal. But, Zeus doesn’t have to find your banking information stored on your machine. It can actually ask you for it.
Let’s say that I have criminal friends that are very good at robbing ATMs. If I can get bank account information and a PIN number, they can create phony ATM cards and walk up to an ATM and remove all of your money. The problem is getting the PIN. It’s not something that is likely to be stored on a computer. So, how does the criminal get it? Well, they just ask. The Zeus toolkit comes with a feature that can insert things into a Web page. So, Zeus will silently wait on your machine until you browse to your bank’s Web page. Then, at the login and password part of the page, it simply adds, or injects, a request for your PIN number.
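A defender's view of the injection described above, as an added example that is not part of the original article: a script on the bank's own login page can compare the fields actually present in the form with the fields the bank shipped. The field names and both sample forms are constructed for illustration.

```javascript
// Added example: flag login-form fields that the bank did not ship.
// EXPECTED_FIELDS and the sample forms below are constructed for illustration.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);
const NON_DATA_TYPES = new Set(["submit", "button", "reset", "fieldset"]);

// Accepts anything iterable that yields objects with .name/.id/.type,
// e.g. document.forms["login"].elements in a browser, or plain objects here.
function findUnexpectedFields(elements, expected = EXPECTED_FIELDS) {
  const findings = [];
  for (const el of elements) {
    const type = (el.type || "text").toLowerCase();
    // Buttons and fieldsets carry no user-entered data, so skip them.
    if (NON_DATA_TYPES.has(type)) continue;
    const name = (el.name || el.id || "").trim().toLowerCase();
    if (name === "") {
      // An input with no name is still worth reporting.
      findings.push({ name: "(unnamed)", type, reason: "input without a name" });
    } else if (!expected.has(name)) {
      findings.push({ name, type, reason: "field not in the shipped form" });
    }
  }
  return findings;
}

// Constructed sample: the form as the bank serves it.
const cleanForm = [
  { name: "username", type: "text" },
  { name: "password", type: "password" },
  { name: "csrf_token", type: "hidden" },
  { name: "", type: "submit" },
];

// Constructed sample: the same form after an extra PIN field was inserted.
const tamperedForm = [
  ...cleanForm.slice(0, 2),
  { name: "atm_pin", type: "password" },
  ...cleanForm.slice(2),
];

console.log(findUnexpectedFields(cleanForm));    // no findings
console.log(findUnexpectedFields(tamperedForm)); // reports atm_pin
```

Malware on the machine can tamper with page scripts as well, so a finding is a detection signal to report to the server, and an empty result is not proof that the page is clean.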
Most cybercriminals using Zeus just want your bank’s login and password. If you have not stored them on your computer (good for you!), the malware will just wait until you go to the website and type them in. This is called keystroke logging—as in, every keystroke you type is sent to the bad guy. Now, that would be a lot of information, so the bad guys are likely just watching till they see yourbank.com typed into a browser and then they start logging your keystrokes. Once the cybercriminals have your login and password they can simply log in as you and transfer your money anywhere they want.
#2 Steal your intellectual property and customer information
Maybe you can legitimately argue that no one would target your organization for a cyberattack. You have no competitors that would be interested in your intellectual property, you don’t store customer information, there is nothing of value on any of your company’s computers, and your bank account is empty. Then you are one of the few.
There is so much valuable information kept on computers today. It’s how we work. So, it is normal for any small business to be nervous about keeping its proprietary information safe. In fact, according to the recent Symantec 2010 SMB Information Protection survey, almost three quarters of small and medium businesses (SMBs) are somewhat/extremely concerned about the loss of crucial business information. This does not come as a surprise, considering 42 percent have actually lost confidential or proprietary electronic information in the past.
When your valuable data has been lost or stolen, the security industry calls this a breach. And, while hackers are responsible for most of the credit card information that is stolen, SMBs must be very careful with how they handle and process their customers’ financial data as well as their own. According to the same survey, among SMBs that did lose customer information, 100 percent saw losses such as lost revenue or direct financial costs.
#3 Drive your customers away
Small businesses are finding that social networking and other “Web 2.0” solutions are an ideal way to find and keep customers. If you think about it like a big company does, you are building a brand through your networking efforts online. Unfortunately, that brand building can go terribly wrong very quickly if a criminal hijacks your Web 2.0 accounts.
I’ve already talked about how threats like Zeus can pick up login and password credentials, and Facebook and Twitter accounts are some of the most commonly stolen in these attacks. This is most likely due to the large number of people who have these accounts. It’s a great example of one of the ways criminals gain access to accounts; however, it’s not the simplest way. The simplest way is through a phishing attack.
Since the creation of Facebook, users have been receiving emails that look like this:
But Facebook has not sent a single one of them. In fact, Facebook will never send you email asking you to change your password. This is a phishing attack. The email takes you to a website that looks like Facebook but is run by a criminal for the sole purpose of stealing your Facebook login credentials.
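The check a mail filter or a cautious reader applies to such an email, as an added example that is not part of the original article: parse each link and compare its real host with the domain the message claims to come from. The trusted-domain list and the sample links are constructed.

```javascript
// Added example: check where a link in a "Facebook" email really goes.
// TRUSTED_DOMAINS and the sample links are constructed for illustration.
const TRUSTED_DOMAINS = ["facebook.com"];

// True only for the trusted domain itself or a real subdomain of it.
function isTrustedHost(host, trusted = TRUSTED_DOMAINS) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  return trusted.some((d) => h === d || h.endsWith("." + d));
}

function checkLink(href, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { href, ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { href, ok: false, reason: "not HTTPS" };
  }
  // Text before "@" is a username, not the site; the host comes after it.
  if (url.username !== "" || url.password !== "") {
    return { href, ok: false, reason: "userinfo before the host" };
  }
  if (!isTrustedHost(url.hostname, trusted)) {
    return { href, ok: false, reason: "host " + url.hostname + " is not trusted" };
  }
  return { href, ok: true, reason: "host " + url.hostname + " is trusted" };
}

// Constructed sample links (.example is a TLD reserved for documentation).
const sampleLinks = [
  "https://www.facebook.com/settings",
  "https://facebook.com.account-check.example/login",
  "https://www.facebook.com@login.example/reset",
  "http://www.facebook.com/login",
  "https://faceb00k.example/login",
];

for (const link of sampleLinks) {
  const result = checkLink(link);
  console.log((result.ok ? "OK      " : "SUSPECT ") + link + " (" + result.reason + ")");
}
```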
Another popular trick is to infect your machine with malware that rides piggyback on your account. The malware will sit on your machine and post whatever it wants to your social networking account or Twitter feed.
Why? The criminals want to use your account to run scams, send spam, or infect other users with malware. Your small business account may soon be promoting wacky diet plans or your customers will find unwanted software being installed after viewing a video you told them was “haha funny.”
As a small business owner, you likely know the importance of location. Customers won’t go to a storefront in a bad part of town. Well, following that same rule of thumb, online customers are not likely to go to (or follow) a company that sends them spam or infects them with malware. Some will understand that you are not responsible for the spam or malware. But that’s not going to stop them from un-friending you or from no longer following you. That online brand you’ve been building has just been destroyed at the hands of a phisher.
Symantec’s Recommendations for Protecting Your Small Business
• Educate employees. Develop Internet security guidelines and educate employees about Internet safety, security, and the latest threats. Part of the training should focus on the importance of regularly changing passwords and protecting mobile devices.
• Safeguard important business information. Safeguarding information is critical to businesses of all sizes and SMBs are facing increased risks to their confidential information. One data breach could mean financial ruin for an SMB. Implement a complete security solution beyond just traditional antivirus to ensure proprietary information—whether it’s credit card information, customer data, or employee records—is safe.
• Implement an effective backup and recovery plan. Protecting information is more than implementing an antivirus solution. Backup and recovery is a critical component of complete information protection to keep SMBs’ desktops, servers, and applications running smoothly in case of disruption—whether it’s a flood, an earthquake, a virus, or a system failure. One outage could mean customer dissatisfaction and costly downtime, which could be catastrophic to the business.
• Secure email and Web assets. Select a mail and Web security solution that can help mitigate spam and email threats so that SMBs can protect sensitive information and spend more time on day-to-day activities. Spammers and phishers will use current events and social engineering tactics to get users to give up personal information such as credit card and bank information.