If you've ever seen the blockbuster movie "Ocean's Eleven," then you'd know that planning a heist takes many steps. The band of lovable celebrity thieves in the film always have to do one thing, though, and that's find an inside man. If you aren't careful, that could be you.
With sites like LinkedIn, hackers don't have bribe or threaten a
company employee, they just need to find one they can trick. If the
employee has high-level access, hackers can make off with anything they
want.
Fortunately, you can stay safe if you know how hackers attack. I'm
going to teach you some need-to-know ways to lock down your LinkedIn
profile, and keep your company safe.
How hackers attack
Keep in mind that most corporate hacker attacks rely on basic social engineering, which means tricking information out of people instead of stealing it out of machines. And let me tell you, hackers have been getting smarter about their social engineering tactics.You might have missed the story behind FIN4, the super-coordinated hacker team that invaded hundreds of companies. They weren't after customer records, however, but inside information that let them trade right in the stock market.
To invade the companies, FIN4 targeted those company's employees on LinkedIn to get one crucial piece of information: their company email address.
Search for your company on LinkedIn. Do any of your employees have their corporate email address publicly viewable on the site? That's all a hacker needs to figure out how to email anyone in your company.
Pattern recognition
Most companies follow similar naming patterns for the in-house email systems. Whether your email address is asmith@shopwell.com or adamsmith@shopwell.com, any hacker worth his salt can get the picture.Say a hacker finds an employee's email address through LinkedIn and figures out that your corporate email addresses are formatted the same way. Their next stop will be your company's website, social site or other employee LinkedIn profiles to find as many employee names as possible, the more senior the better.
With a big list of names, hackers can start researching. The amount of research that hackers are willing to do before they start their attack is shocking.
They'll look up social accounts, forum posts and any publicly available information. Their goal is to make an email that will trick you into giving up crucial information. It might claim to be from another employee at the company, a company client or even the company boss.
If you've ever received those obvious phishing emails with subject lines like YOUR PAYMT CARD HAS BEEN CONPROMISED from PAYPALSECURITY@PayBuddy.net, know that this kind of phishing is nothing like that.
Act casual
A report published by cybersecurity firm FireEye revealed some of the emails the FIN4 group sent to executives. Here's one of the scariest ones.
From: [name]@[compromised company’s domain]
I noticed that a user named FinanceBull82
(claiming to be an employee) in an investment discussion forum posted
some negative comments about the company in general (executive
compensation mainly) and you in specific (overpaid and incompetent). He
gave detailed instances of his disagreements, and in doing so, may have
unwittingly divulged confidential company information regarding pending
transactions. I am a longtime client and I do not think that this will
bode well for future business. The post generated quite a few replies,
most of them agreeing with the negative statements. While I understand
that the employee has the right to his opinion, perhaps he should have
vented his frustrations through the appropriate channels before making
his post. The link to the post is located here (it is the second one in
the thread):
http://forum./redirect. php?url=http://%2fforum%2fequities%2f375823902%2farticle.php\par
Could you please talk to him?
Thank you for the assistance,
[name]
Beside the wacky FinanceBull82 username, everything else in that
email is believable. The message is designed to put its recipient on the
defensive and click the link without thinking.[name]
The site linked in the above email was a fake forum built to further drive home the criminal's story. The malware was hidden in a document linked on the forum.
At that point, the hacker can slip a virus on to the employee's computer and start stealing information. If they get the employee's username and password they can attack other parts of the company network.
It isn't just email. Hackers might find an internal phone number for an employee and call up pretending to be with I.T. They'll claim there's a problem with your computer and need remote access or your username and password.
They might use a manager's name to email you a virus-laden spreadsheet showing "a major financial error that could cost you your job." You're probably not going to think twice about opening it.
There are lots of variations hackers have perfected. In a successful attack, hackers can get everything the company has to offer. So how can you stay safe?
Securing your vault
Keeping your company safe starts with recognizing who can see you or your employees online, and what they can see. Ask employees to use their personal emails on LinkedIn, and make sure that LinkedIn pages that criminals might find won't reveal too much about how your company works.If your contact information has to be readily available because of your business, then you're always going to be vulnerable to these attacks on some level.
On the plus side, LinkedIn does hide your contact information from the public. So hackers will try to become a contact on LinkedIn by pretending to be in your business field, or even pretending to be someone they're not.
Recently, I've received LinkedIn invitations to network with some really big name national talk show hosts. Now, I know these people by name, but we've never done business together - the whole purpose of LinkedIn.
It smelled scammy and after research I found that they didn't really send little ol' me a LinkedIn request. Hackers had set up accounts with their name to try and trick me. So, you can't just accept everyone who wants to connect with you without research.
If you haven't seen these three scams that can fool anybody, then check them out and share them with your employees. Letting your employees know the danger is a good way to keep them from giving away information they shouldn't.
Updating your anti-virus software can only do so much when a hacker manages to trick a manager into installing spyware.
Keep your employees up to date on phishing scams and the fact that hackers aren't just casting wide nets anymore. They've found spear phishing, an aggressive tactic for targeting businesses, to be much more profitable.
