Yahoo! cyber-attack: the threat of the hacker
Four individuals, including two Russian spies, were recently indicted by the US Department of Justice over the theft of an enormous number of Yahoo! e-mail user account details. The acquisition of this information – corresponding to around 500 million accounts – had been achieved in 2014 using a targeted ‘spear phishing’ e-mail attack against a key Yahoo! employee. The attack followed an even larger one against the same company a year earlier, in which around a billion accounts were compromised, and forms the latest in a line of news stories involving companies revealing compromises of user data, with other reports relating to FriendFinder (412 million affected accounts), Myspace (359 million accounts) and LinkedIn (164 million accounts), plus other high-profile cases involving Ashley Madison and J.P. Morgan.
Why e-mail addresses are at risk
Stolen e-mail addresses – particularly if present in combination with other security credentials such as passwords – are extremely valuable as they can be traded online in their own right, within forums, private groups, or dedicated websites on the open or Dark Web. They can be used for a range of purposes, from identity theft through to the distribution of spam e-mails (e.g. for the purposes of advertising websites or distributing undesirable or malicious software). Following the Yahoo! story, reports emerged that data relating to one billion of the company’s e-mail customer accounts remained for sale on hacker forums, with the criminals offering the full dataset at a price of $200,000.
How to reduce the threat
Mitigation of the risk of such attacks generally requires a multi-faceted approach by corporations. Of crucial importance is the implementation of a comprehensive digital security programme, comprising the use of a suite of suitable anti-virus and firewall products, ensuring that software and operating systems are kept regularly updated, and carrying out regular checks of computer systems for vulnerabilities. Part of the solution should also always be an initiative to educate employees on ways to avoid being targeted, such as careful checking of the validity of incoming e-mails and other communications, and avoiding opening attachments in unsolicited mails. The probability of being targeted in a social-engineering attack can also be reduced by encouraging employees to avoid using their company e-mail addresses when posting online, and to refrain from identifying themselves as being associated with the company in all but official communications.
Protecting your brand or company
The Yahoo! attack is just one example of a case where a fraudulent targeted e-mail was sent to a known employee; the use of e-mails to employees which purport to originate from key company executives is a rapidly-growing method for perpetrating fraud. A recent estimate by the FBI stated that these scams have cost organizations more than $2.3 billion in losses over the past three years, with numerous reports of multi-million dollar losses by individual companies ($3 million from Mattel, $17 million from The Scoular Co., and over $46 million from Ubiquiti in 2015). Frequently, the e-mails used in this kind of scam include instructions for employees to carry out money transfers (e.g. as in a series of cases in Seattle in December 2013, where companies were led to believe that they were sending money to supply partners in China, whereas actually the beneficiary accounts were owned by fraudsters).
In many cases, this type of fraud is achieved via the registration of domain names which appear similar to that used for the company’s official website and/or e-mail host domain, using the e-mail functionality of these fake domains to construct convincing ‘from’ addresses for the targeted e-mails. A proactive programme for monitoring new domain registrations, as offered by a number of brand-protection service providers, can be one way of gaining an early warning against such risks. In addition to these preventative measures, it can also be very beneficial to carry out Internet monitoring for the appearance of stolen credentials being posted online or offered for sale, so that actions to limit the damage can be taken in as short a timeframe as possible.
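One defender-side illustration of the domain-monitoring approach described above, as an added example that is not part of the original article or of any brand-protection provider's product: it generates single-edit look-alike variants of a brand's domain label and flags entries in a feed of newly registered domains that resemble it. The brand domain, the homoglyph table and the feed entries are all constructed assumptions chosen for illustration.

```python
"""Flag look-alike domains in a feed of newly registered domain names.

Added illustrative check, not the article's own tooling. The brand domain,
homoglyph table and feed below are constructed for this example; a real
deployment would consume a zone-file or registration feed instead.
"""

# Visually confusable substitutions commonly seen in look-alike registrations.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
              "e": ["3"], "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"],
              "w": ["vv"], "vv": ["w"]}


def variants(label):
    """Return single-edit typo/homoglyph variants of a domain label (e.g. 'yahoo')."""
    out, n = set(), len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                        # character omission
        out.add(label[:i] + label[i] + label[i:])                 # character repetition
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])          # inserted hyphen
    for glyph, subs in HOMOGLYPHS.items():                        # every occurrence of a glyph
        pos = label.find(glyph)
        while pos != -1:
            for sub in subs:
                out.add(label[:pos] + sub + label[pos + len(glyph):])
            pos = label.find(glyph, pos + 1)
    out.discard(label)
    return out


def flag_lookalikes(brand_domain, feed):
    """Return (domain, reason) pairs from a registration feed that resemble the brand.

    Feed entries are assumed to be registrable domains of the form label.tld.
    The 'embedded' rule is deliberately broad: it is a triage aid for an analyst.
    """
    brand_label, _, brand_tld = brand_domain.lower().partition(".")
    suspicious = variants(brand_label)
    flagged = []
    for domain in feed:
        label, _, tld = domain.lower().partition(".")
        if label == brand_label and tld == brand_tld:
            continue                                              # the brand's own domain
        if label == brand_label:
            flagged.append((domain, "brand label under another TLD"))
        elif label in suspicious:
            flagged.append((domain, "single-edit typo/homoglyph variant"))
        elif brand_label in label:
            flagged.append((domain, "brand label embedded with extra keywords"))
    return flagged


# Constructed sample feed of "newly registered" domains for the demonstration.
FEED = ["yahoo.com", "yaho0.com", "yahooo.com", "yhaoo.com",
        "yahoo-secure-login.net", "yahoo.co", "ahoy.org", "example.com"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("yahoo.com", FEED):
        print(f"{domain:28} {reason}")
```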